Colonial Pipeline Paid Hackers Nearly $5 Million in Ransom

[Dark Sorrow]

Colonial Pipeline Co. paid nearly $5 million to Eastern European hackers on Friday, contradicting reports earlier this week that the company had no intention of paying an extortion fee to help restore the country’s largest fuel pipeline, according to two people familiar with the transaction.

The company paid the hefty ransom in difficult-to-trace cryptocurrency within hours after the attack, underscoring the immense pressure faced by the Georgia-based operator to get gasoline and jet fuel flowing again to major cities along the Eastern Seaboard, those people said. A third person familiar with the situation said U.S. government officials are aware that Colonial made the payment.

Once they received the payment, the hackers provided the operator with a decrypting tool to restore its disabled computer network. The tool was so slow that the company continued using its own backups to help restore the system, one of the people familiar with the company’s efforts said.

A representative from Colonial declined to comment. Colonial said it began to resume fuel shipments around 5 p.m. Eastern time Wednesday.

When Bloomberg News asked President Joe Biden if he was briefed on the company’s ransom payment, the president paused, then said: “I have no comment on that.”

The hackers, which the FBI said are linked to a group called DarkSide, specialize in digital extortion and are believed to be located in Russia or Eastern Europe.

On Wednesday, media outlets including the Washington Post and Reuters, also based on anonymous sources, reported that the company had no immediate intention of paying the ransom.

Ransomware is a type of malware that locks up a victim’s files, which the attackers promise to unlock for a payment. More recently, some ransomware groups have also stolen victims’ data and threatened to release it unless paid -- a kind of double extortion.

The FBI discourages organizations from paying ransom to hackers, saying there is no guarantee they will follow through on promises to unlock files. It also provides incentive to other would-be hackers, the agency says.

However, Anne Neuberger, the White House’s top cybersecurity official, pointedly declined to say whether companies should pay cyber ransoms at a briefing earlier this week. “We recognize, though, that companies are often in a difficult position if their data is encrypted and they do not have backups and cannot recover the data,” she told reporters Monday.

Such guidance provides a quandary for victims who have to weigh the risks of not paying with the costs of lost or exposed records. The reality is that many choose to pay, in part because the costs may be covered if they have cyber-insurance policies.

“They had to pay,” said Ondrej Krehel, chief executive officer and founder of digital forensics firm LIFARS and a former cyber expert at Loews Corp., which owns Boardwalk Pipeline. “This is a cyber cancer. You want to die or you want to live? It’s not a situation where you can wait.”

Krehel said a $5 million ransom for a pipeline was “very low.” “Ransom is usually around $25 million to $35 million for such a company. I think the threat actor realized they stepped on the wrong company and triggered a massive government response,” he said.

A report released last month by a ransomware task force said the amount paid by victims increased by 311% in 2020, reaching about $350 million in cryptocurrency. The average ransom paid by organizations in 2020 was $312,493, according to report.

Colonial, which operates the largest fuel pipeline in the U.S., became aware of the hack around May 7 and shut down its operations, which led to fuel shortages and lines at gas stations along the East Coast.

Link

 

[Dark Sorrow]

Colonial Pipeline paid 75 Bitcoin, or roughly $5 million, to hackers.

Colonial Pipeline paid its extortionists roughly 75 Bitcoin, or nearly $5 million, to recover its stolen data, according to five people briefed on the transaction.
The payment came after hackers last week held up Colonial Pipeline’s business networks with ransomware, a form of malware that encrypts data until the victim pays, and threatened to release it online. Colonial Pipeline pre-emptively shut down its pipeline operations to keep the ransomware from spreading and because it had no way to bill customers with its business and accounting networks offline.
The shutdown of the company’s network, which includes 5,500 miles of pipeline that supplies nearly half the gas, diesel and jet fuel to the East Coast, triggered a cascading crisis that led to emergency meetings at the White House, a jump in gas prices, panic buying at the gas pumps, and forced some airlines to make fuel stops on long-haul flights.
The ransom payment was first reported by Bloomberg. A spokeswoman for Colonial declined to confirm or deny that the company had paid a ransom.

President Biden also declined to answer whether Colonial Pipeline had paid its extortionists in a press briefing on Thursday. He did not rule out the possibility that the administration would target the hackers, a ransomware outfit called DarkSide, with a retaliatory strike. He said the United States would pursue “a measure to disrupt their ability to operate.”
Jen Psaki, the White House press secretary, said in a separate briefing, “It’s the recommendation of the F.B.I. to not pay ransom in these cases,” because it can incentivize hackers to conduct more attacks. She added that “private sector entities or companies are going to make their own decisions.”


DarkSide has tried to distance itself from politics. In a statement on its website, the group said it tried to avoid being political — an effort perhaps to thwart a pre-emptive strike by the United States, which took a major ransomware conduit offline last year to head off an attack on the 2020 election.
On Thursday, eight websites associated with DarkSide were pulled offline. It was not immediately clear why. The United States Cyber Command referred questions to the National Security Council, which declined to comment.
It has taken several days for Colonial to begin bringing its pipeline back online, a process that officials said would take time. Mr. Biden encouraged Americans not to panic-buy gas and warned gas companies to refrain from price gouging.


“This is not like flicking on a light switch,” he said, noting that Colonial’s pipeline had never before been shut down.
Colonial has not shared many details about the incident, or why it was necessary to shut down the pipeline, which other operators sequester from their business operations for safety. Cybersecurity experts have said the attack and its fallout demonstrated a lack of cyber resilience and planning.
Kim Zetter, a cybersecurity journalist, first reported that Colonial had shut down its pipeline partly because its billing systems were taken offline and it had no way to charge customers.
Many organizations across the United States, including police departments, have opted to pay their ransomware extortionists rather than suffer the loss of critical data or incur the costs of rebuilding computer systems from scratch.
In a separate ransomware attack on the Washington, D.C., Metropolitan Police Department, hackers said the price the police offered to pay was “too small” and dumped 250 gigabytes of the department’s data online this week, including databases that track gang members and social media preservation requests.
“This is an indicator of why we should pay,” the hackers, called Babuk, said in a post online. “The police also wanted to pay us, but the amount turned out to be too small. Look at this wall of shame,” they wrote, “you have every chance of not getting there. Just pay us!”

Link

 

[Dark Sorrow]

How the Colonial Pipeline hack is part of a growing ransomware trend in the US

The wider American public was afforded an unwanted glimpse into the wild west world of ransomware this week, after a cyber-attack crippled Colonial Pipeline, causing fuel shortages across the eastern seaboard and states of emergency to be declared in four states.

But experts warn that ransomware attacks – which are part-ransom, part-blackmail, part-invocation of squatters’ rights – are becoming more frequent, while the mostly Russia-based hackers are growing more sophisticated with their methods.



They have hit solar power firms, federal and local government agencies, water treatment plants and even police departments across the US. As the nation’s eyes were focused on the pipeline attack this week, another hacker group was busy targeting Washington DC police – striking at law enforcement in the American capital.

But it was the pipeline attack that had the most impact, emerging from the dark web and sending tens of thousands of Americans to panic-buy gas for their cars. The 5,500 mile-long pipeline, which carries 45% of the east coast’s fuel supplies, announced on Saturday that it had been forced to shut down after attackers used the internet to seize control of the fuel-pumping operation.

On Wednesday, Colonial Pipeline said it had “initiated the restart” of operations, reportedly after paying a $5m ransom fee. But that didn’t stop hours-long lines continuing to form at gas stations in the south-east US, as fuel began to dry up and the price of gas hit its highest point in years.

A group of cybercriminals called Darkside has taken responsibility for the ransomware attack, which works by hacking into a company, or government’s, network, and scrambling the data. The hacker then posts a note in the system demanding payment. If the organization pays up, the hacker hands back control.

“The analogy would be I break into your house, and once I get access to your house, I change all of the locks, and lock you out of your own house,” said Eric Cole, author of the book Cyber Crisis and founder of the Secure Anchor cybersecurity company.

“And then I say: ‘Hey, unless you give me money, I’m not going to give you the keys to your house.’”

The Colonial Pipeline debacle is merely the latest in a spate of ransomware attacks, which include the targeting of a water treatment plant in Florida, and the Texas-based SolarWinds IT company.


US police forces have also been a focus. The Babuk group, another Russian cyber gang, is currently holding up the Washington DC police department, threatening to release stolen data unless law enforcement cough up an unspecified amount of money.

The Presque Isle police department was attacked in April, police in Azusa were hit in March, while the city of Baltimore suffered a costly attack in 2019.

As the number of attacks rise, Darkside has become one of the more prominent groups, and Cole said it has managed to “commercialize cybercrime”.

“They’ve been in operation for over three years, they started around 2018, and they typically focus on lower end ransoms,” he said. “The average Darkside attack would ask for anywhere from $80,000 to $100,000 ransom, and they would typically do eight to 10 of these attacks a month, so they were bringing in about $12m a year.

“But we’ve noticed in the last couple of months they started targeting and going after bigger organizations. Colonial really shows their change in business model – where now instead of going after 12 small entities they go after one big one.”

The Washington Post reported that 26 government agencies have been hit by ransomware since the beginning of the year. The number of private companies targeted is difficult to calculate, given no company wants to reveal to the world, and to other would-be attackers, that they will pay up if compromised, but it’s likely the number of reported attacks are just the “tip of the iceberg”, one expert said.

In most cases, organizations have little option but to pay the ransom. After the city of Baltimore was attacked in May 2019, it decided not to pay the ransom of 13 bitcoins, which at the time came to roughly $91,000. It was a noble move, but not a financially successful one – Baltimore ended up spending more than $18m on recovery.

The FBI and other security experts say Darkside is made up of a group of criminals based in Russia, but little is known beyond that.

Joe Biden said there is “no evidence” that the Russian government is behind the attack, despite the ransomware that targeted Colonial Pipeline being based in Russia, and Darkside itself reinforced the idea that they are motivated by profits rather than geopolitics, when the group issued a statement this week, describing itself as “apolitical”, and saying: “Our goal is to make money.”
With the Colonial Pipeline attack, Darkside took advantage of the pandemic, Cole said.

Before the coronavirus outbreak, the pipeline was managed on a closed system by workers onsite. The need to social distance to prevent the spread of the disease led to Colonial Pipeline staff working remotely, using the internet – which ultimately enabled attackers to gain access to computer systems. Colonial Pipeline did not reply to a request for comment.

Mark Stamford, CEO of the OccamSec cybersecurity company, said “the criminal business model around ransomware has changed”, and groups like Darkside are becoming more sophisticated.

“The way ransomware used to work, you’d get a message that pops up on screen, saying: ‘All your data has been encrypted, send me, for example, 20 Bitcoins, and I’ll send you the encryption key,’” Stamford said.

“Now we’ve gone from ransom attacks to sort of extortion. What happens now is that I will get the ransomware into your environment and encrypt your data, but what I’ll also do is exfiltrate the data out of your network.

“So now it’s encrypted in your network, so you have to pay me a ransom, but I’ve also got a copy of your data that I can then use to extort cash out of you.”

But groups like Darkside don’t just profit from their attacks. Frequently they will also sell ransomware software to would-be cyber-attackers on the dark web, meaning the number of attacks is likely to increase.

“You’ve got this bad guy marketplace,” Stamford said.

“Where I can go and buy a piece of ransomware – and what’s even more impressive is there’s tech support around this ransomware, so I can call someone and say: ‘I used your ransomware, it didn’t work, can you give me some tips to make it work?’”

As Colonial Pipeline scrambles to regain control of its systems, and as the name Darkside reverberates around the US, Stamford said one theory among cybersecurity watchers is that this could even be a promotional effort by the cybercriminal group.

“This is a good bit of marketing for them,” Stamford said.

“If you’re in the business of selling ransomware this is a really good way to go to the world and say: ‘Look, our stuff’s cool, and it works.’”

Link

 

[Srinivas_K]

Mean while oil companies are getting profits on increased oil prices. In short they are trying to gain the margins lost during lockdown.

 

[Dark Sorrow]

Toshiba unit in Europe hacked, blames DarkSide group from U.S. pipeline attack

A Toshiba Corp unit said it was hacked by the DarkSide ransomware group, overshadowing an announcement of a strategic review for the Japanese conglomerate under pressure from activist shareholders to seek out suitors.

Toshiba Tec Corp, which makes products such as bar code printers and is valued at $2.3 billion, was hacked by DarkSide — the group widely believed to be behind the recent Colonial Pipeline attack, its French subsidiary said.

It added, however, that only a minimal amount of work data had been lost.

“There are around 30 groups within DarkSide that are attempting to hack companies all the time, and they succeeded this time with Toshiba,” said Takashi Yoshikawa, a senior malware analyst at Mitsui Bussan Secure Directions.

Employees accessing company computer systems from home during pandemic lockdowns have made firms more vulnerable to cyber attacks, he added.

Screenshots of DarkSide’s post provided by the cybersecurity firm said more than 740 gigabytes of information was compromised and included passports and other personal information.

Reuters could not access DarkSide’s public-facing website on Friday. Security researchers said DarkSide’s multiple websites had stopped being accessible.

Ransomware attacks have increased in number and amount of demands, with hackers encrypting data and seeking payment in cryptocurrency to unlock it. They increasingly release stolen data as well, or threaten to unless they are paid more.

Ireland’s health service said on Friday it had shut down its IT systems after what it described as a “significant” ransomware attack.

Investigators in the U.S’s Colonial case say the attack software was distributed by DarkSide, which includes Russian speakers and avoids hacking targets in the former Soviet Union. DarkSide lets “affiliates” hack into targets elsewhere, then handles the ransom negotiation and data release.

Amid calls from shareholders to explicitly seek offers from potential suitors after dismissing a $20 billion take-private bid from CVC Capital this year, Toshiba said it was setting up a strategic review committee and had appointed UBS as financial adviser.

The review will be conducted by independent directors and is designed to help the board consider a new business plan to be put forward by management by October.

The CVC offer faced strong opposition within the company. Its plan to retain management was perceived by some as aimed at shielding former CEO Nobuaki Kurumatani from activist shareholders.

At a briefing by the company on Friday, 3D Investment Partners and Farallon Capital Management, its No. 2 and No. 3 shareholders respectively, both criticized Toshiba for appearing reluctant to consider offers to go private.

Chief Executive Satoshi Tsunakawa responded that the company has “no reluctance to consider various proposals to increase corporate value, including going private.”

Sources have said other private equity investors such as KKR & Co Inc and Bain Capital are interested in Toshiba.

However, the Asahi newspaper reported on Friday that Bain Capital is not considering buying Toshiba, citing an interview with Yuji Sugimoto, the head of Bain Capital’s Japan operations.

Battered by accounting scandals, massive writedowns for its U.S. nuclear business as well as the sale of its chip unit, Toshiba is a shadow of its former self.

But it remains one of Japan’s few manufacturers of nuclear power reactors and makes defense equipment, meaning any sale of would require government approval.

Toshiba on Friday forecast a 63% rise in annual operating profit to 170 billion yen ($1.6 billion), rebounding from pandemic-induced pain in the last year and as restructuring measures bear fruit. That follows a 20% slide in profit last year.

Toshiba also nominated four new board members after Kurumatani resigned last month. Kurumatani had been under fire due to allegations that investors were pressured before a shareholder meeting last year to support desired board nominations.

Shareholders in March successfully voted for an independent investigation into those allegations, marking a watershed victory for corporate governance in Japan. The probe is due to conclude before this year’s annual general meeting on June 25.

The board nominations announced on Friday included George Olcott, a former UBS banker who is also an independent board member at Japanese beer maker Kirin Holdings.

Link