26. Are You Sure It's Handled?


Jun 21 2021 37 mins  

UPDATE to last week's Headlines:
DarkSide ransomware breach of Colonial Pipeline: after our tech tip we discuss what happened and the repercussions.

This Week's Security Tip:
While most businesses understand the importance of backing up their server and files, many forget to back up their website!

Most sites are hosted on a third-party platform like HostGator or WordPress. However, these hosts have limits on what they back up, and the Terms and Conditions you agreed to most likely waive their responsibility to preserve and back up your files and data.

Therefore, if you’re posting a lot of new content, you should be backing up your site weekly if not daily. Hackers can (and do!) corrupt websites all the time. If you don’t want to have the cost of a down website and the cost of rebuilding it, back up your website!
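To make the tip concrete, here is a small added example of a scheduled website backup routine. It is not from the episode or from any hosting provider; it assumes the site's files live in a local directory (with any database already dumped to a file inside it), that GNU tar and sha256sum are available, and that the backup location is separate from the web host itself. The point it adds to the advice above is that a backup should be read back and checksummed at creation time, and that old copies should be rotated so the destination does not fill up silently.

```shell
#!/bin/sh
# Added example (not from the episode): snapshot a website's document root into a
# timestamped, checksummed archive, confirm it can be read back, and keep only the
# newest N copies. Assumes GNU tar and sha256sum; the database dump (if any) is
# written into SRC_DIR beforehand so it travels with the files.

# backup_site SRC_DIR DEST_DIR KEEP
#   SRC_DIR  directory to archive (for example the web root)
#   DEST_DIR where archives and their .sha256 files are written
#   KEEP     how many of the most recent archives to retain
# Prints the path of the new archive on success; returns non-zero on failure.
backup_site() {
    src=$1; dest=$2; keep=$3
    mkdir -p "$dest" || return 1
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/site-$stamp.tar.gz"

    # Archive relative to the parent directory so paths inside the tarball are predictable.
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")" || return 1

    # Store a checksum beside the archive so later tampering or bit-rot is detectable.
    (cd "$dest" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256") || return 1

    # A backup that cannot be read back is not a backup: list the archive to confirm it is intact.
    tar -tzf "$archive" > /dev/null || return 1

    # Rotate: remove everything older than the newest $keep archives, plus their checksum files.
    ls -1t "$dest"/site-*.tar.gz | tail -n +"$((keep + 1))" | while IFS= read -r old; do
        rm -f "$old" "$old.sha256"
    done

    echo "$archive"
}

# verify_backup ARCHIVE -> returns 0 only if the stored checksum still matches the file.
verify_backup() {
    (cd "$(dirname "$1")" && sha256sum -c --quiet "$(basename "$1").sha256")
}

# count_backups DEST_DIR -> number of archives currently retained.
count_backups() {
    ls -1 "$1"/site-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}
```

Run `backup_site /var/www/example /mnt/offsite/example 14` from a daily cron entry to keep two weeks of snapshots, and run `verify_backup` on the newest archive from a different machine now and then; the checksum only helps if someone actually checks it.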

Today's Headlines:
Darkside Ransomware breach on Colonial Pipeline


The first DarkSide ransomware attacks were all owner-operated, but after a few successful months the owners began to expand their operations. On November 10, DarkSide operators announced on the Russian-language forums XSS and Exploit the formation of a new DarkSide affiliate program, providing partners with a modified build of the DarkSide ransomware for use in their own operations.

It’s worth noting that DarkSide actors have pledged in the past not to attack organizations in the medical, education, nonprofit, or government sectors. At one point, they also advertised that they donate a portion of their profits to charities. However, neither claim has been verified, and both should be met with a heightened degree of scrutiny; these DarkSide operators would be far from the first cybercriminals to make such claims and not follow through.

DarkSide Operators Likely Former “REvil” Affiliates

Flashpoint assesses with moderate confidence that the threat actors behind DarkSide ransomware are of Russian origin and are likely former affiliates of the “REvil” RaaS group. Several facts support this attribution:

  • Spelling mistakes in the ransom note and grammatical constructs of the sentences suggest that the writers are not native English speakers.
  • The malware checks the default language of the system to avoid infecting systems based in the countries of the former Soviet Union.
  • The design of the ransom note, wallpaper, file encryption extension and details, and inner workings bear similarities to “REvil” ransomware, which is of Russian origin and has an extensive affiliate program. This shows the evolution path of this ransomware and ties it to other Russian-origin ransomware families.
  • The affiliate program is offered on Russian-language forums XSS and Exploit.

Timeline: