The CyberWire Daily Podcast 5.14.21
Ep 1333 | 5.14.21

Ransomware hoods and their enablers may be feeling some heat. Supply chain compromise and third-party risk. Colonial Pipeline resumes deliveries (but paid ransom to no avail).


Dave Bittner: DarkSide says it's feeling the heat and is going out of business, but some of its affiliates are still out and active - for now, at least. A popular hackers' forum says it will no longer accept ransomware ads. The Bash Uploader supply chain compromise afflicts another known victim. Colonial Pipeline resumes delivery of fuel. Irresponsible disclosure of vulnerabilities hands attackers a big advantage. Carole Theriault looks at NFTs. Joe Carrigan wonders about the return on your ransomware payment investment. And there's a lot of Amazon-themed vishing going on.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, May 14, 2021. 

Dave Bittner: The Wall Street Journal late this morning broke the story, which they sourced to security firm FireEye, a company whom Colonial Pipeline has brought in to deal with the ransomware attack it sustained, that the DarkSide ransomware-as-a-service gang has told its affiliates that it intends to shutter its operations. The criminals said they'd lost access to their infrastructure and that they were under pressure from U.S. law enforcement. 

Dave Bittner: Flashpoint researchers, who've been reading DarkSide stuff on the dark web, say the gang complained that it had lost its blog, its payment servers and its DOS servers. They also said that funds in their payment servers, both theirs and their customers', had been extracted and sent to parts unknown. So it seemed a good time to call it quits. 

Dave Bittner: How seriously this exit should be taken remains to be seen. Other ransomware gangs have disbanded under pressure before only to reconstitute themselves later, perhaps under a different name. 

Dave Bittner: Whatever DarkSide's actual plans may be, and even as the Colonial Pipeline resumes deliveries interrupted by ransomware - and we'll hear more on that shortly - DarkSide affiliates continue to inflict their ransomware on other targets. The Colonial Pipeline incident is merely the highest-profile disruptive attack. Kyodo reports that the group has claimed the exfiltration of some 740 gigabytes of sensitive information from Toshiba's operations in France. Toshiba has acknowledged that a European subsidiary was hit by a cyberattack. 

Dave Bittner: And BleepingComputer has confirmed that DarkSide also claims to have hit Essen-headquartered chemical distributor Brenntag. The gang says Brenntag paid them the equivalent of $4.4 million in cryptocurrency two days ago, an amount negotiated down from DarkSide's original demand of 7.7 million. 

Dave Bittner: As ransomware-as-a-service offerings play a more prominent role in the criminal underground economy, The Record reports that one popular hacking forum, XSS, formerly known as DaMaGeLab, has announced it will no longer accept advertising for ransomware services. The site's admin posted a note yesterday to the effect that lockers, ransomware have accumulated a critical mass of nonsense, BS, hype, noise. 

Dave Bittner: As has been the case with other fora in the past, XSS' firm resolution to sin no more may have been prompted by a kind of near-death or at least near-prosecution experience. As The Record puts it, quote, "however, even before those talks could take place, the message appears to have registered loud and clear. In a message today, the XSS admin team decided to avoid unwanted scrutiny, claiming that their forum's main purpose was always knowledge and not to serve as a marketplace for criminal gangs. Their decision might have been hastened by the fact that the DarkSide ransomware gang ran an ad for its affiliate program on the XSS forum together with all the major ransomware operations, such as REvil, Netwalker, GandCrab, Avaddon and many others," end quote. 

Dave Bittner: So, hey, it's a quest for knowledge, not the aiding and abetting of criminal enterprises. That's the ticket. And good for XSS. 

Dave Bittner: Researchers at security firm Flashpoint have taken a closer look at XSS. The forum's proprietors appear to have felt that Moscow was getting ready to hang them out to dry. Forcepoint provides this translation from the admin's posts. Peskov - that is, Russian President Putin's press secretary - is forced to make excuses in front of our overseas friends, which would be you, Mr. and Mrs. United States, adding, this is a bit too much. The admin linked to an article in Kommersant, a Russian news site, that ran under the title "Russia Has Nothing To Do With Hacking Attacks on the Pipeline in the United States." 

Dave Bittner: So the forum isn't feeling the love right now. Sometimes guilty knowledge comes with a wink, and sometimes not. XSS is not seeing a wink. 

Dave Bittner: The Codecov Bash Uploader supply chain compromise has affected another victim. Rapid7 disclosed yesterday that a small subset of their source code repositories for internal tooling for their MDR service was accessed by an unauthorized party outside of Rapid7. The company emphasizes that the incident has now been contained and that in any case, they haven't used Codecov on any CI server employed for product code. 

Dave Bittner: Colonial Pipeline reported yesterday afternoon that it had resumed delivering product through its lines to all the markets it serves. That said, it's expected to be several days until service returns to normal, and some customers may experience intermittent disruption while Colonial brings its service back. 

Dave Bittner: More outlets, including the Wall Street Journal, are reporting that Colonial Pipeline paid almost $5 million in ransom within hours of being contacted by the DarkSide criminals. That, however, may have done little good, as the decryption tools are said to have proven inadequate to their promised task of restoration, and the company seems to have worked from its own backups to resume deliveries. 

Dave Bittner: That's bad news in some sense for everyone. Colonial is out about 5 million bucks. Other organizations, The New York Times notes, are chagrined by the fuel the payment poured into the bandit economy. And, as Joseph Cox tweets, the hoods themselves will find it difficult to make their case for payment in future attacks. If the decryptors are less than fully successful, why throw good money after bad? 

Dave Bittner: The Voice of America reports that U.S. Homeland Security Secretary Mayorkas promised Congress a whole-of-government response to the incident. 

Dave Bittner: DarkSide is generally believed to operate from Russia. So was the Russian government behind the ransomware attack? According to an AFP report published in SecurityWeek, when he was asked during a media availability whether President Putin or his government were aware of the attack, U.S. President Biden said, quote, "I am confident that I read the report of the FBI accurately, and they say they were not, he was not, the government was not. We do not believe - I emphasize - that the Russian government was involved in this attack. But we do have strong reason to believe that the criminals who did the attack are living in Russia. That's where it came from," end quote. President Biden did say that he thought the issue of Russian control over criminal groups operating from its territory would probably come up during this summer's Russo-American summit talks. 

Dave Bittner: An official disavowal of belief in direct Kremlin involvement may be motivated by the way the incident looks like deniable sabotage. The Russian government has used fronts, cut-outs and contractors before. And one of the responsibilities of sovereignty is preventing attacks on other nations by people operating from one's territory. And if there were marque and reprisal in cyberspace, it might well look a lot like a ransomware attack. The government sees its adversaries disrupted, and the cyber privateers get, in this case, about $5 million in alt-coin. CNBC offers an example of this kind of speculation, which we emphasize is exactly that - speculation, but plausible speculation. 

Dave Bittner: The Global Times, a Chinese government-aligned media outlet founded in 2009 to counter the designed provocation that is common in Western media's China reportage, frames the ransomware attack on Colonial Pipeline as blowback for American aggression in cyberspace. That's one way of looking at it - speculation, but tendentious speculation. 

Dave Bittner: Attention, vulnerability researchers. Here's a reason for responsible disclosure. A study by Kenna Security finds that white hats who publish exploits before patches are available are handing a big advantage to attackers, one that amounts to a 90-day head start over the defenders. 

Dave Bittner: And finally, has a robocall recently told you it was from Amazon and asked you to press one to resolve suspicious activity in your account? You know, the kind of call that gives you that suspicious bloop sound when the robot hands you over to the crooked human operator? You're not alone. YouMail warns that this particular phishing scam is hitting U.S. phones at a clip of between 100 million and 150 million a month. So don't press one, friends. And class dismissed. 

Dave Bittner: I have personally been trying to keep NFTs at arm's length. Honestly, I've got a certain amount of blockchain fatigue. And the whole thing reminds me a bit of tulip madness. My own hesitation, however, in no way represents the unencumbered enthusiasm others are feeling for NFTs. So what the heck are they, and why should you care? Our CyberWire U.K. correspondent Carole Theriault shares this commentary. 

Carole Theriault: So NFTs - what the heck are they? I'm going to tell you what they are. I'm going to tell you why people are talking about them. And I'm going to tell you what to look out for. So NFT is an acronym, and it stands for non-fungible token. That's right, fungible. Now, fungible refers to something that can be interchanged like rice or dollars or a Bitcoin. Trade one for another, and you're no better or worse off. So non-fungible refers to something original and unique, but there's no item exactly like it anywhere else. This can exist in the physical world or the digital world, so like a digital painting or a physical sculpture. 

Carole Theriault: Now, a non-fungible token, or an NFT, is an identification of authenticity of something original in the digital or physical realm. Now, most NFTs are part of the Ethereum blockchain. For those who don't know, Ethereum is a cryptocurrency like Bitcoin, but its blockchain also supports these NFTs, these non-fungible tokens. Whoever has the NFT certificate in their digital possession is considered to be the rightful owner of the item. And because it is on a blockchain, it can't be altered, effectively creating a kind of irreversible history. 

Carole Theriault: So NFTs are bought and sold, much like you would buy and sell stuff on eBay - auction style, right? You go to a platform to buy or sell an item with an NFT certificate. So platforms like OpenSea, Mintable and Rarible. And then you can bid on items, as you would on other internet auction apps. Some items will have a set fee. And some prices can hike to dizzying heights. Now, currently, there is a lot of buzz around NFTs in the creative digital space, such as original pieces of music, a painting, a cool software experiment. This crypto art movement was kicked off by CryptoPunks, which is a 24x24 pixel art image generated algorithmically. The brains behind this is Larva Labs. They have 10,000 unique collectible characters. They are all NFTs. They have currently raised, at the time of recording, $500 million, with the top one having gone for 7.5 million USD at the time of recording. 

Carole Theriault: Before you get too excited about this, a few things you need to be aware of. NFTs can be stolen. If the platform where you store your NFT account gets hacked, you can say sayonara to your ownership. And if someone gets a hold of your password and your username, well - so make sure you lock it down with multifactor authentication, unique, complex passwords. Put every security component you can to make sure you keep it safe. And like any blockchain, they take their toll on old Mother Nature. The carbon output required to do all the calculations is mind boggling. There was even an article that said the Ethereum calculations required to run the blockchain consume as much electricity as all of Ireland. I mean, think of that. But despite that, I don't think NFTs are going anywhere soon, so keep your eyes peeled and your accounts safe. 

Dave Bittner: That's the CyberWire's Carole Theriault. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host on the "Hacking Humans" podcast. Joe, great to have you back. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Interesting story from the folks over at Sophos, or Osophos (ph) depending on what side of the pond that you're on. 

Joe Carrigan: Right. 

Dave Bittner: They recently put out their ransomware report. And there's some interesting stats in here, I guess some things that surprised me in the way that they break down. Can you share what they found here? 

Joe Carrigan: Yeah, this is - there are some interesting statistics in here. One is that only 8% of ransomware victims get all of their data back after paying a ransom. So we've been hearing that a lot of times, when you pay the ransom, many times you do get your data back. 

Dave Bittner: Right. 

Joe Carrigan: But this research from Sophos says, well, only 8% of people get all of their data back, which implies to me that there is some mechanism in place here that these guys are encrypting data and they're not able to recover all of it. And that makes sense to me because these are criminal organizations. They don't care about your data. If it's destructive and you lose some of it, so what? In fact, the average amount that people got back after they did recover - after they did pay the ransom, the average amount recovered was 65% of your data, right? Twenty-nine percent said they recovered less than half their data. That's shocking. 

Joe Carrigan: Another interesting statistic is that the price of recovering from a - one of these attacks has more than doubled. It's gone from $761,000 on average last year to $1.85 million to recover from a ransomware attack now. 

Dave Bittner: Wow. 

Joe Carrigan: And they're saying that's because these are more sophisticated attacks and that they are actually becoming less frequent. So they're - it's like these ransomware gangs are focusing more on the jobs that they're doing and not trying to - they're going for quality over quantity. 

Dave Bittner: Right. Yeah. 

Joe Carrigan: So their ransoms - we've - we actually had a guest on "Hacking Humans" who was talking about how these ransomware attackers actually do the math on your company's net revenue every year. And based on your company revenue, that's - they - that's how they determine what they're going to charge for the ransom. 

Dave Bittner: Right. Right. Right (laughter). 

Joe Carrigan: So they're maximizing their profit with research. 

Dave Bittner: Right. They have teams of accountants in the back room... 

Joe Carrigan: Right. Exactly (laughter). 

Dave Bittner: who are trying to decide how much they should demand from you. Yeah. Yeah. So what is this - what's the take home here in terms of, you know, preparing yourself for the possibility of a ransomware attack, given this data? 

Joe Carrigan: Right. I think this data lends a lot of credence to the argument don't pay the ransom. Don't pay the ransom, because even if you pay the ransom, you're still not getting all your data back. There's an 8% chance you'll get everything back. 

Dave Bittner: Right. 

Joe Carrigan: That's a really low chance. 

Dave Bittner: Yeah. 

Joe Carrigan: And if you have good backups and you can get all your data back without paying the ransom, you're golden. I mean, yes, you're going to lose time. And that - there's still going to be a cost impact. That is going to happen. And that's unfortunate. 

Dave Bittner: Yeah. 

Joe Carrigan: But if people didn't pay the ransom, these attacks wouldn't happen, by and large. 

Dave Bittner: Yeah. It also - I mean, it strikes me, if you just look at the raw numbers here, that, you know, how much of an investment would it take to greatly lessen your chances of being hit by ransomware? And when you look at these numbers, it seems to me like you can make a good case that that's money well spent. 

Joe Carrigan: Right? I agree 100%. 

Dave Bittner: Yeah. 

Joe Carrigan: There's something that's not really mentioned in this data, and that is we're seeing that - or in this report, rather - we're seeing that these ransomware attacks are also turning into data breaches. And in order to incentivize people to pay the ransom, these criminal organizations are saying not only have we encrypted your data, but we've stolen it. 

Dave Bittner: Right. 

Joe Carrigan: You pay us the ransom, we don't release it. You should absolutely not let that be part of your calculus. You - what has happened is you've suffered a data breach, period. That's all. You have to act accordingly and do whatever mitigation you have and notify whoever - whomever's data has been breached. You have to take care of that. And you should not let that influence you, because even if you pay the ransom, studies have shown that they are still going to sell the data or release the data. It doesn't do you any good. And that data is still out there in the hands of criminals. And you also open yourself up to repeat business from these guys. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: You paid us the ransom to keep the data quiet, now we need that same amount of money on an annual basis in order to continue to keep it quiet. 

Dave Bittner: So once that data's out the door... 

Joe Carrigan: It's out the door. 

Dave Bittner: ...Assume the reputational loss that's going to follow because you have - you cannot do business in good faith with criminals. 

Joe Carrigan: Yes, absolutely. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: That's an excellent way to put it. 

Dave Bittner: (Laughter) All right. All right. Interesting stuff for sure. Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at Be sure to check out this week's "Research Saturday" show and my conversation with Lieutenant Colonel Erica Mitchell from the Army Cyber Institute. We're going to be discussing their infrastructure resiliency research. It's a project called Jack Voltaic. Be sure to check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the start-up Studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Eliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.