Security Spotlight: Ransomware Woes Continue Even As DarkSide Shuts Down After Claiming Multiple Victims
This blog was originally published by Bitglass here
Written by Jeff Birnbaum, Bitglass
Here are the top security stories from recent weeks.
- DarkSide Ransomware Operations Shut Down
- Colonial Pipeline Pays $5 Million Ransomware Demand After DarkSide Ransomware Attack
- Chemical Distributor Brenntag Pays $4.4 Million Ransom Following DarkSide Attack
- Conti Ransomware Attack Shuts Down Ireland Health Service IT Systems
- Echelon API Allows Anyone to Access Account Information
DarkSide ransomware operators announced they were shutting down after losing access to their servers and having cryptocurrency transferred out of their account. The ransomware-as-a-service (RaaS) threat actors were responsible for several successful and high-profile ransomware attacks. Victims include Colonial Pipeline and Brenntag (both noted below) and a Toshiba unit. There is some speculation that their hasty shutdown is part of an exit scam, so they can blame law enforcement operations instead of paying out affiliates.
Colonial Pipeline, the largest U.S. pipeline and supplier of 45% of all fuel consumed on the East Coast, reportedly paid nearly $5 million to DarkSide ransomware group operators for a decryptor after the cyberattack forced the company to close operations. The attack also prompted the Federal Motor Carrier Safety Administration (FMCSA) to issue a regional emergency declaration. The pipeline resumed operations on May 12 after shutting down for six days.
Brenntag, the second largest chemical distributor in North America, paid a $4.4 million ransomware demand in exchange for a decryptor and to prevent DarkSide ransomware actors from leaking unencrypted stolen data. The ransomware attack targeted Brenntag’s North America division, successfully encrypting network devices and stealing 150GB of data. The attackers claimed to have gained access after purchasing stolen credentials.
Ireland’s Health Service Executive (HSE), which is responsible for health services across all of the country, shut down all IT systems as a precaution following a ransomware attack. Some outpatient appointments and COVID-19 test results have been affected. The attack has been attributed to the Conti ransomware operation, which uses “double extortion” and threatens to release stolen data if ransoms are not paid. The Conti group claims to have stolen 700 GB of files and has reportedly demanded a $20 million ransom. The HSE has said it will not pay the ransom.
Pen Test Partners’ security researcher Jan Masters has discovered that fitness technology company Echelon’s API allows access to a workout member’s account information. Accessible information includes name, city, age, gender, phone number, weight, birthday, workout statistics, and equipment. Multiple bugs, including not needing authorization tokens to request data and weak access controls, contributed to these unauthorized access risks. Echelon claims to have fixed the vulnerabilities after Pen Test Partners disclosed them, but Pen Test Partners disputes the claim, reporting that some of the vulnerabilities could still be exploited as of last week.
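The two API defects described above, a request path that does not require an authorization token and weak access controls on the requested account, are the usual ingredients of broken object-level authorization. The following is an added example, not code from the Bitglass post or from Echelon: a minimal in-memory model of a profile endpoint in its vulnerable form beside a hardened form that enforces both authentication and ownership. All profile data, tokens and function names are constructed for illustration.

```python
"""Added example (not part of the original post or Echelon's API): a profile
endpoint that trusts the user id in the URL and requires no token, beside a
hardened handler that authenticates the caller and enforces object-level
authorization. All data and identifiers below are constructed."""
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample profile store: user_id -> fields a fitness API might expose.
PROFILES: Dict[int, dict] = {
    101: {"name": "A. Example", "city": "Springfield", "age": 34, "weight_kg": 70},
    102: {"name": "B. Example", "city": "Shelbyville", "age": 29, "weight_kg": 64},
}

# Constructed session store: bearer token -> user_id. A real service would mint
# these at login and store them server-side (or sign them) with an expiry.
SESSIONS: Dict[str, int] = {"tok-user-101": 101, "tok-user-102": 102}


@dataclass
class Request:
    path_user_id: int                      # the id in the URL, e.g. /users/<id>/profile
    bearer_token: Optional[str] = None     # Authorization header value, if any


def vulnerable_profile_handler(req: Request) -> Tuple[int, Optional[dict]]:
    """Failure mode from the article: the id in the URL is trusted and no
    token is required, so any caller can read any member's profile."""
    profile = PROFILES.get(req.path_user_id)
    if profile is None:
        return 404, None
    return 200, profile


def authenticate(req: Request) -> Optional[int]:
    """Resolve the bearer token to a user id. Constant-time comparison keeps
    the lookup from leaking which token prefixes are valid via timing."""
    if req.bearer_token is None:
        return None
    for token, user_id in SESSIONS.items():
        if hmac.compare_digest(token, req.bearer_token):
            return user_id
    return None


def hardened_profile_handler(req: Request) -> Tuple[int, Optional[dict]]:
    """Two checks the vulnerable handler lacks: authentication (a valid token
    must be present) and object-level authorization (the authenticated caller
    may only read the profile whose id matches their own)."""
    caller_id = authenticate(req)
    if caller_id is None:
        return 401, None        # missing or invalid token
    if caller_id != req.path_user_id:
        return 403, None        # authenticated, but not the owner of this object
    profile = PROFILES.get(req.path_user_id)
    if profile is None:
        return 404, None
    return 200, profile


if __name__ == "__main__":
    # Anonymous request for someone else's profile: vulnerable handler serves it,
    # hardened handler rejects it before touching the data store.
    print(vulnerable_profile_handler(Request(102)))
    print(hardened_profile_handler(Request(102)))
    print(hardened_profile_handler(Request(102, "tok-user-101")))
    print(hardened_profile_handler(Request(101, "tok-user-101")))
```

The ordering in the hardened handler matters for detection as well as prevention: authentication failures (401) and ownership failures (403) are returned before any profile lookup, so a burst of 403s against sequential ids in the access log is a clean signal of enumeration attempts that the vulnerable version would log only as successful 200s.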