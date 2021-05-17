Researchers have cautioned that the group probably isn't gone for good, however. Instead, it could be regrouping to come back under a new name, making it more difficult for law enforcement to track.
“The simplest explanation is the operators think that things have gotten a little hot and have exited that brand name,” Michael Daniel, president and chief executive of Cyber Threat Alliance, an information-sharing nonprofit group, told The Post. “And they’ll reconstitute themselves under some other name.”
Security firms that reported on the announcement were also unable to independently verify DarkSide's claims.
“We have not independently validated these claims and there is some speculation by other actors that this could be an exit scam,” said Kimberly Goody, senior manager, financial crime analysis at Mandiant Threat Intelligence.
Researchers at Intel 471 also expressed skepticism.
“It's likely that these ransomware operators are trying to retreat from the spotlight more than suddenly discovering the error of their ways,” the firm wrote in a blog post. “A number of the operators will most likely operate in their own close-knit groups, resurfacing under new names and updated ransomware variants.”
Before the group allegedly disappeared, the bitcoin wallets DarkSide used to collect ransom payments were emptied, according to the cryptocurrency monitoring firm Elliptic. That included the roughly $5 million worth of digital currency reportedly paid by Colonial as ransom.
The Colonial Pipeline attack attracted a swift response from U.S. officials after it sparked soaring gas prices and hoarding in the United States. While just one of numerous ransomware attacks against U.S. businesses in recent months, the attack's implications for critical infrastructure highlighted the importance of deterring and defending against the growing cyberthreat.
DarkSide isn't the only ransomware operation claiming to be shutting down or dialing back in light of renewed scrutiny of cybercriminal activity by U.S. law enforcement.
Babuk, the ransomware group that recently leaked 250 gigabytes of the D.C. police department's data, said it was handing over its source code for the malware to an affiliated group. Two other sites run by ransomware groups AKO and Everest also appeared to have become inoperable over the weekend, Allan Liska, a researcher with cybersecurity firm Recorded Future, told Reuters.
The possibility that DarkSide and other groups that recently went inactive may resurface under new names poses a challenge for authorities.
Paying ransom to groups or individuals on the Treasury Department's sanctions list, which includes ransomware groups, can violate U.S. sanctions, according to an October notice issued by the agency.
But keeping that list up to date isn't easy, Ellen Nakashima and Rachel Lerman report. Ransomware operations often involve a complex network of affiliates with nebulous ties to the groups from which they rent ransomware infrastructure. Cybercriminals mask their activity through the dark web and are hard to track, and rebranding is one more way a group can obscure its identity.
“Ransomware attackers are by definition liars, thieves, extortionists and members of a global criminal enterprise, and they take extreme technological measures to conceal any trace of their identity and location,” John Reed Stark, a cybersecurity consultant and a former chief of the Securities and Exchange Commission Office of Internet Enforcement, told my colleagues. “Determining the bona fides of a ransomware attacker is like trying to confirm the height and weight of a poltergeist. Yet that is exactly what the government expects the company to do.”
One factor in judging the likelihood of DarkSide's resurgence is whether its infrastructure was actually taken offline.
Officials have declined to answer questions about potential U.S. involvement in taking down the infrastructure. President Biden said last week that the United States would “pursue a measure to disrupt [the cybercriminals'] ability to operate.”
Efforts by international law enforcement in the past against other cybercriminal groups have shown that coordinated takedowns can have a meaningful impact on criminal activity, at least in the short term.
Lawmakers say they’re writing legislation to force critical infrastructure companies to disclose cyber incidents.
Democrats and Republicans said they’re working on legislation requiring critical infrastructure companies, such as Colonial Pipeline, to report cyberattacks, Politico’s Eric Geller and Martin Matishak report. Colonial did not provide the U.S. government with technical details about the hack until days after it had been publicly reported, acting Cybersecurity and Infrastructure Security Agency director Brandon Wales said last week.
Colonial spokeswoman Meredith Griffanti said the company “called the FBI as soon as we learned we were facing an attack” and worked with the FBI to begin “alerting other relevant federal agencies.” The legislation being drafted also aims to cover major IT companies that do business with the U.S. government. The Biden administration’s newest cybersecurity executive order requires government agencies to develop rules for contractors to report breaches.
An insurer that said it would stop reimbursing ransom payments was hit by ransomware.
The Asia operations of French insurer AXA were targeted before the insurer decided to stop writing policies that reimburse clients for ransom payments, a person familiar with the matter told the Financial Times’s Hannah Murphy, Ian Smith and John Reed. AXA Partners, an international arm of the insurer, confirmed on Sunday that its Asia operations were “recently the victim of a targeted ransomware attack which impacted its operations in Thailand, Malaysia, Hong Kong, and the Philippines.”
The confirmation came a day after a hacking group using Avaddon ransomware claimed to have stolen three terabytes of data, including personal information and medical records, from the company.
AXA Partners said a Thai company was compromised in the hack, and that “there is no evidence that any further data was accessed.” The company added that a “dedicated task force” is investigating the incident, and that regulators had been informed.
Ireland’s health-care system has been hit by multiple cyberattacks.
Much of the IT infrastructure belonging to the country’s health department was shut off over the weekend after it was targeted in a hack similar to the one that hit Ireland’s public health-care system last week, the Irish Times’s Conor Lally and Jack Horgan-Jones report.
Sources within Ireland’s national police say they strongly suspect the same group of cybercriminals was behind both attacks. They also said the attacks appeared to be financially motivated.
“I think we’re very clear we will not be paying any ransom,” Ireland’s taoiseach, or prime minister, Micheál Martin, said on Friday. In the meantime, some hospitals have had to revert to paper records. Some medical services, such as cancer radiology, have been affected by the attack on the public health-care system.
