date 2021-05-18
WASHINGTON, May 18 (Reuters) - Digital extortion attempts
are returning to their pre-Colonial Pipeline levels, according
to data and interviews with some incident responders, suggesting
that the upheaval around the hack that paralyzed a major U.S.
fuel conduit has yet to curb cybercriminals' appetite for
ransoms.
Ransomware incidents are usually shrouded in secrecy, with
victim companies and criminals alike eager to prevent the
eye-watering extortion payments from becoming public. But
indirect data suggests that the global publicity around the hack
of Colonial Pipeline, which paralyzed the company for
nearly a week and led to fuel shortages on the U.S. East Coast,
did little or nothing to puncture the thriving industry.
There was a dip in the number of companies whose data was
uploaded to ransomware operators' name-and-shame sites in the
days following the Colonial intrusion, said Allan Liska, a
researcher with cybersecurity firm Recorded Future.
But the sites, which the hackers use to pressure their
victims into paying up by leaking reams of sensitive data, are
now "back to normal," he said, with 10-15 victims posted daily.
Data privately tracked by ID Ransomware
(https://id-ransomware.malwarehunterteam.com), a ransomware
identification site run by Emsisoft researcher Michael Gillespie,
shows that submissions of extortion software dropped sharply in
the days following news of the Colonial hack, only to rise higher
than before.
Gillespie's colleague Brett Callow said that one possible
explanation for the dip is that some hackers put their
operations on pause amid the pipeline chaos and are now clearing
the backlog.
"I think the groups got back to business as usual," Callow
said.
Another possible explanation is that there was a period of
confusion as underground forums banned the advertisement of
ransomware partnerships, said David Nides of consultancy KPMG.
"The threat actors quickly adjusted," he said.
Other analysts saw no change whatsoever.
"We didn't really notice any uptick or downtick," said Mark
Manglicmot of cybersecurity firm Arctic Wolf.
Some ransomware operators, including DarkSide, the group
blamed for the intrusion at Colonial, have either disappeared
from the web or announced new restrictions, statements that have
been met with skepticism from experts.
Manglicmot said he too doubted the disappearances had any
real impact.
"There's a big enough market for it that if one provider
goes down there are others they can go to pretty quickly," he
said. "The attackers remain undeterred by the publicity."
That may in part be due to the extraordinary amounts of
money involved. In a blog post published on Tuesday
(https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin),
digital currency-tracking firm Elliptic said that DarkSide had
extracted $90 million worth of bitcoin in ransoms from 47 victims.
Whether Colonial itself paid a ransom has not yet been
publicly disclosed. Last week Reuters and other media reported
that Colonial was not planning to pay a ransom. But Bloomberg
and some other news outlets later reported it had paid nearly $5
million. The reporting was corroborated by Elliptic, which said
it had identified the payment itself on the publicly visible
ledger of bitcoin transactions.
Repeated attempts by Reuters to reach the hackers have been
unsuccessful and Colonial itself has declined comment on whether
it paid.
U.S. Representatives Carolyn Maloney and Bennie Thompson,
the chairs of the House Committees on Oversight and Reform and
Homeland Security respectively, said on Tuesday they were
disappointed by Colonial's refusal to discuss the reported
ransom.
"In order for Congress to legislate effectively on
ransomware, we need this information," the pair said in a joint
statement https://homeland.house.gov/news/press-releases/maloney-thompson-statement-on-staff-briefing-with-colonial-pipeline.
