A weekend full of ransomware activity

Ransomware continues to dominate the tech headlines. Here is a recap of what has happened over the past few days.

The DarkSide ransomware group has reportedly shut down after the threat actors lost access to their servers and their cryptocurrency was transferred to an unknown wallet. Blockchain analytics firm Elliptic reports that the group collected $17.5 million since March. The news was shared by a representative of the competing REvil group on the Exploit forum. DarkSide itself also announced it was shutting down due to pressure from the US. REvil has additionally announced new restrictions on who its affiliates may attack. Two other groups, AKO and Everest, became unreachable over the weekend, and experts believe going dark was a conscious choice.

Of course, that came only after the chemical distribution company Brenntag paid DarkSide $4.4 million in ransom last week. Toshiba was hit as well, although the company indicated that the amount of work lost was small. A technology services reseller in Illinois was also hit by DarkSide. Colonial Pipeline, whose attack brought all of this to public attention, is back to fully operational.

The Irish health system was hit by a ransomware attack on Friday and is refusing to pay. It was forced to shut down all of its IT systems.

QNAP is warning of an actively exploited zero-day bug and ransomware attacks against its NAS devices, and has published specific mitigation instructions.

Branches of the insurance company AXA, which had just announced it would stop writing cyber policies in France that reimburse ransom payments, were attacked by ransomware across Asia. The Avaddon ransomware group claims to have stolen 3 terabytes of data, and the company has also been under distributed denial-of-service attack.

The team behind Exploit, the same underground forum mentioned above, which ransomware operators use to recruit affiliates and advertise their ransomware-as-a-service offerings, has announced it is banning and removing ransomware ads. Why? Ransomware groups attacking targets indiscriminately attracts “a lot of attention.” The Russian-speaking hacker forum XSS has banned all topics promoting ransomware for the same reason: to avoid unwanted attention.

Swiss Re’s CEO said he is “not too surprised at all” by the attacks, but more importantly noted that the private insurance market is simply not large enough to offer full cyber protection to vulnerable organizations.

And there is a new group out there. The Lorenz ransomware operation surfaced last month and is targeting organizations with customized attacks.

Why do we care?

Story form. Ransomware went big this past week, and these criminal groups are savvy enough to know they do not want to be that visible on the radar.

DarkSide is gone, whether it closed up shop on its own or was taken out by law enforcement, and its colleagues (competitors?) have learned not to draw that much attention. They are spooked now.

They are also sending a clear signal to the insurance companies, who cannot bear the cost of this alone. But it remains good business for the criminals, with targets seemingly willing to pay, so until that changes there is more to come. This is only a temporary quiet.