Server shut down
Who is behind the ransom hackers Darkside?
A pipeline operator in the US and the Irish health authority were probably attacked within a week with malware from the same mysterious hacker group: Darkside. Now the group's server has apparently been shut down.
A week after the cyber-attack on a U.S. pipeline, the Irish health authority has become the target of a similar attack. "There is a significant ransomware attack on the IT systems," the agency said on Twitter. According to initial findings, both attacks are blamed on international criminals. This is what is known about the group Darkside:
- A relatively new grouping
According to experts, Darkside first appeared in August 2020. It is one of an increasing number of groups that do not carry out attacks themselves, but rather provide extortion software to other criminals and then collect a share of the ransom.
Darkside specializes in so-called ransomware; the name derives from the English word "ransom": the hackers use malicious programs to lock or encrypt computer systems and extort money from the users for the release of the data.
The US federal police, the FBI, firmly believes that Darkside software was behind the attack on the largest pipeline in the US a week ago. And according to initial findings, the cyber-attack on the Irish health authority on Friday used ransomware similar to that used in the attack on the US pipeline operator Colonial.
Experts assume that the team behind Darkside consists of very experienced hackers. The software is significantly more advanced than earlier extortion Trojans. "Darkside software uses the double extortion strategy: the attackers do not only encrypt the user's data. Rather, they extract all the information beforehand and threaten to publish it if the ransom is not paid," say analysts at Cybereason, a company that seeks to protect companies against such attacks.
Double strategy undermines precautions
According to Cybereason, this double strategy undermines a precaution that many companies have taken so far: keeping a copy of their data in a backup at another location for fear of encryption or blocking by hackers. Because Darkside software extracts the data before encrypting it, the attackers can not only demand money for unlocking the data but also threaten to publish the information or sell it to competitors.
"The amount of a Darkside ransom is between 200,000 and two million dollars," the French National Cybersecurity Agency (ANSSI) estimated in February. But that estimate was probably still too low: according to Bloomberg, Colonial paid around five million dollars (€4.1 million) in ransom to stop the attack on its pipeline, which brought the fuel supply in the United States to the brink of collapse.
- Connections to Russia?
In a statement published on the darknet, the part of the Internet that is not accessible to ordinary users, Darkside stresses that it has "no political agenda" and no ties to governments. Its only goal is to make money.
The criminals apparently want to give themselves a humane image: they stress that their attacks are not meant to create social problems, and that therefore only companies that are certain to be able to raise the ransom would be attacked.
US investigators suspect that Darkside is based in Russia. Among other things, experts point out that so far only Western companies have apparently been attacked with Darkside software, and no Russian ones.
"Responsible 'actors' in Russia"
US President Joe Biden recently stated that there was no evidence that the Russian government was responsible for the attack on Colonial Pipeline. However, there are indications that the responsible "actors" are in Russia and that the malware comes from there.
Moscow, for its part, rejected all allegations of involvement in or backing for the attack. Russia does not carry out "malicious" activities on the Internet, the Russian embassy in the USA said.
- Darkside server probably shut down
The server used by the hacker group believed to be responsible has apparently been shut down by unknown parties. The US security firm Recorded Future stated that the operator of the Darkside extortion Trojan had said in a post that he had lost access to the servers. Among others, the group's blog and its payment server are affected. Cryptocurrency obtained through extortion was also lost.