
Posted
8 hours ago, Stuart Galbraith said:

From what I've been hearing, this organization has never launched an attack on Russia. It's worth considering the reasons why that is.

Maybe because they will do what the west USED to do to bad actors who stepped too far out of line. The British used to put drills through IRA knees when the situation seemed warranted. Now they can barely defend Jersey Island from French Fishermen. Biden isn't going to do anything solid behind the scenes. He can barely remember who brought him his applesauce and if he's supposed to answer questions or not. 

Organizations can also have a rule because they are sympathetic but not actually part of that organization.

Posted
1 hour ago, rmgill said:

Maybe because they will do what the west USED to do to bad actors who stepped too far out of line. The British used to put drills through IRA knees when the situation seemed warranted. Now they can barely defend Jersey Island from French Fishermen. Biden isn't going to do anything solid behind the scenes. He can barely remember who brought him his applesauce and if he's supposed to answer questions or not. 

Organizations can also have a rule because they are sympathetic but not actually part of that organization.

Maybe you should read the link I posted above, these guys got shut down pretty immediately. 

Posted
1 hour ago, Angrybk said:

Maybe you should read the link I posted above, these guys got shut down pretty immediately. 

“However, a strong caveat should be applied to these developments: it’s likely that these ransomware operators are trying to retreat from the spotlight more than suddenly discovering the error of their ways,” Intel 471 wrote. “A number of the operators will most likely operate in their own closed-knit groups, resurfacing under new names and updated ransomware variants. Additionally, the operators will have to find a new way to ‘wash’ the cryptocurrency they earn from ransoms. Intel 471 has observed that BitMix, a popular cryptocurrency mixing service used by Avaddon, DarkSide and REvil has allegedly ceased operations. Several apparent customers of the service reported they were unable to access BitMix in the last week.”

Posted

The Irish Health services has now been similarly hit.

Posted
On 5/15/2021 at 5:47 AM, rmgill said:

Maybe because they will do what the west USED to do to bad actors who stepped too far out of line. The British used to put drills through IRA knees when the situation seemed warranted. Now they can barely defend Jersey Island from French Fishermen. Biden isn't going to do anything solid behind the scenes. He can barely remember who brought him his applesauce and if he's supposed to answer questions or not. 

Organizations can also have a rule because they are sympathetic but not actually part of that organization.

I don't understand the reference to the Brits putting drills through IRA kneecaps?

Posted

Supposedly during the 70s or 80s the SAS were detailed to go after specific IRA actors. One of the ways they'd interrogate was using a power drill through a knee as the point of persuasion. Whether it happened or not, I have no idea and would probably be the source of some rather contentious arguments. 

Either way, the sentiment is that you have folks willing to set off bombs to kill civilians and otherwise fuck with your economy, from dealing with Pirates to terrorists to criminals. I expect the Biden admin will be super soft on all except political opponents they can dig up dirt on. 

Posted

Brings new meaning to, 'relax, it's just a drill'.

Quote

Either way, the sentiment is that you have folks willing to set off bombs to kill civilians and otherwise fuck with your economy, from dealing with Pirates to terrorists to criminals. I expect the Biden admin will be super soft on all except political opponents they can dig up dirt on. 

What specifically do you think Biden should do about the pipeline hack, keeping in mind that the US economy is 5 times bigger than the Russian economy, and therefore, that any tit for tat cyber stuff is an automatic loss for the US?

Posted
40 minutes ago, rmgill said:

Supposedly during the 70s or 80s the SAS were detailed to go after specific IRA actors. One of the ways they'd interrogate was using a power drill through a knee as the point of persuasion. Whether it happened or not, I have no idea and would probably be the source of some rather contentious arguments. 

Either way, the sentiment is that you have folks willing to set off bombs to kill civilians and otherwise fuck with your economy, from dealing with Pirates to terrorists to criminals. I expect the Biden admin will be super soft on all except political opponents they can dig up dirt on. 

Am very aware of such SAS hunts. Have never heard even a suggestion of such happening. I understand some loyalists were keen on Black And Deckers. PIRA were more traditional, although allegedly used sledge hammers to deliver six packs. Knees, elbows and ankles.

Posted
2 hours ago, rmgill said:

Supposedly during the 70s or 80s the SAS were detailed to go after specific IRA actors. One of the ways they'd interrogate was using a power drill through a knee as the point of persuasion. Whether it happened or not, I have no idea and would probably be the source of some rather contentious arguments. 

Either way, the sentiment is that you have folks willing to set off bombs to kill civilians and otherwise fuck with your economy, from dealing with Pirates to terrorists to criminals. I expect the Biden admin will be super soft on all except political opponents they can dig up dirt on. 

I can pretty much guarantee that at no point did the SAS do that. It wasn't their job for one thing. Sounds more like a UVF thing, if it's not a Walt masturbatory fantasy.

You know, I've been hearing this narrative time and again we aren't as hard as we used to be, nobody respects us. So tell me, what happened to Osama Bin Laden?  Gaddafi? Saddam? Soleimani? Did any of these things deter the Russian Government going too far? Not remotely.

Russia is doing these things because they assume we won't fuck with a nuclear power. Which will work brilliantly, right up to the point when it doesn't.

The question in my mind is not whether it's going to happen, but whether you will ignore the reality of it as you have every other time they behave like mafia thugs.

Posted
On 5/10/2021 at 2:20 AM, DB said:

Critical infrastructure should not have a connection to the internet. If the wage slaves want Netflix or porn when working, they can use their phones.

If it's connected to the internet for reasons of cheap remote management, then they ignored the security requirements in favour of cost (say it ain't so).

It's a pipeline. if you can't hang dedicated fibre along it for your own command and control, you're an idiot.

On the other hand, it will be interesting to see if the Feds can throw enough money and skill at the problem to get the criminals caught.

There would be no way to effectively service that fiberoptic cable, plus a lot of crossings are done by HDD, meaning the fiberoptic would have to be strung across as an aerial crossing. I used to review pipelines; the places they go are interesting and often not that accessible. Most of the support infrastructure is monitored wirelessly, fairly easy to physically attack as well; the actual pipeline, except for small bits, is generally 2-3m underground.

Posted

The pipelines themselves need maintenance and apparently that can be managed - there's no particular reason why this should be easier than doing the same for a fibre data connection, and given that fibre cables sit on the seabed without significant maintenance for years, it's not beyond the wit of man to make far more easily accessible cables manageable.

Regardless, the primary point still holds - a critical infrastructure network should not be connected to the internet where anybody with a few skills and a rootkit can get in. The other thing is locking down things like USB ports, so the supervisor has to use his phone for his music, not the company PC.

Posted

The majority of the maintenance on a pipeline is from inside with pigs. The major failure points of pipelines were stream crossings where the bank erodes and exposes the pipe. HDD solves a lot of this, and better construction and site selection mean much fewer failures. Even if the fibre optic is buried it will be an obstacle when a pipeline needs an outside repair or replacement piece. If by chance you have a pipeline explosion, then you're likely to lose communications as well.

I agree on the other methods of securing the network.

Posted (edited)
14 hours ago, glenn239 said:

Brings new meaning to, 'relax, it's just a drill'.

What specifically do you think Biden should do about the pipeline hack, keeping in mind that the US economy is 5 times bigger than the Russian economy, and therefore, that any tit for tat cyber stuff is an automatic loss for the US?

Depends on who's actually doing the cyber work and where/how. Lots of ways into systems to screw with people, or just black list their entire IP region. Kicking down doors is another thing to do. The Treasury Department was ALL about the kicking down doors and sticking guns in kids who were screwing around like David Lightman (only without the WOPR and an angry General Berringer) for decades. Now that they're doing more than downloading free crap after war-dialing up poorly secured modem lines, what? Look at the crap the Feds pulled on Steve Jackson Games.  http://www.sjgames.com/SS/

We have this giant NSA agency that's supposed to be working on electronic security for the country. 

Edited by rmgill
Posted

https://krebsonsecurity.com/2021/05/try-this-one-weird-trick-russian-hackers-hate/

In a Twitter discussion last week on ransomware attacks, KrebsOnSecurity noted that virtually all ransomware strains have a built-in failsafe designed to cover the backsides of the malware purveyors: They simply will not install on a Microsoft Windows computer that already has one of many types of virtual keyboards installed — such as Russian or Ukrainian. So many readers had questions in response to the tweet that I thought it was worth a blog post exploring this one weird cyber defense trick.

The Twitter thread came up in a discussion on the ransomware attack against Colonial Pipeline, which earlier this month shut down 5,500 miles of fuel pipe for nearly a week, causing fuel station supply shortages throughout the country and driving up prices. The FBI said the attack was the work of DarkSide, a new-ish ransomware-as-a-service offering that says it targets only large corporations.

DarkSide and other Russian-language affiliate moneymaking programs have long barred their criminal associates from installing malicious software on computers in a host of Eastern European countries, including Ukraine and Russia. This prohibition dates back to the earliest days of organized cybercrime, and it is intended to minimize scrutiny and interference from local authorities.

In Russia, for example, authorities there generally will not initiate a cybercrime investigation against one of their own unless a company or individual within the country’s borders files an official complaint as a victim. Ensuring that no affiliates can produce victims in their own countries is the easiest way for these criminals to stay off the radar of domestic law enforcement agencies.

Possibly feeling the heat from being referenced in President Biden’s Executive Order on cybersecurity this past week, the DarkSide group sought to distance itself from their attack against Colonial Pipeline. In a message posted to its victim shaming blog, DarkSide tried to say it was “apolitical” and that it didn’t wish to participate in geopolitics.

“Our goal is to make money, and not creating problems for society,” the DarkSide criminals wrote last week. “From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

But here’s the thing: Digital extortion gangs like DarkSide take great care to make their entire platforms geopolitical, because their malware is engineered to work only in certain parts of the world.

DarkSide, like a great many other malware strains, has a hard-coded do-not-install list of countries which are the principal members of the Commonwealth of Independent States (CIS) — former Soviet satellites that all currently have favorable relations with the Kremlin, including Azerbaijan, Belarus, Georgia, Romania, Turkmenistan, Ukraine and Uzbekistan. The full exclusion list in DarkSide (published by Cybereason) is below:

[Image: DarkSide country exclusion list (excludelang.png)]
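As an added example in the spirit of the "one weird trick" described in the Krebs piece above, and not code from the article, from Cybereason or from anyone in this thread, here is a small host audit script: it reports whether the current user's preloaded keyboard layouts include one for a language of the countries on the quoted exclusion list. The numeric Windows LANGID values, the registry key HKCU\Keyboard Layout\Preload, and the two sample preload lists are my assumptions; the article speaks only of "virtual keyboards installed", and any particular strain may check a different place (for example through the Win32 keyboard-layout APIs rather than this key), so a hit here shows that the layout is present, not that any given malware would honour it.

```python
import sys
from typing import Dict

# Windows language identifiers (LANGID, the low 16 bits of a keyboard layout
# id) for the languages of the countries named in the exclusion list above.
# These numeric values are my assumption from the Windows LANGID table; the
# article names countries, not IDs.
EXCLUSION_LANGIDS = {
    0x0419: "Russian",
    0x0422: "Ukrainian",
    0x0423: "Belarusian",
    0x042C: "Azerbaijani (Latin)",
    0x0437: "Georgian",
    0x0418: "Romanian",
    0x0442: "Turkmen",
    0x0443: "Uzbek (Latin)",
}


def layout_langid(layout_id: str) -> int:
    """Extract the LANGID from a preloaded layout id string.

    The registry stores layouts as 8 hex digits, e.g. "00000419" (Russian) or
    "d0010409" (a custom layout variant for en-US); the language is the low
    16 bits.
    """
    return int(layout_id, 16) & 0xFFFF


def matching_layouts(preload: Dict[str, str]) -> Dict[str, str]:
    """Map each preloaded layout id on the exclusion list to its language name.

    `preload` mirrors HKCU\\Keyboard Layout\\Preload (assumed layout): value
    names are the preload order ("1", "2", ...) and value data is the layout id.
    """
    found: Dict[str, str] = {}
    ordered = sorted(preload.items(), key=lambda kv: int(kv[0]) if kv[0].isdigit() else 0)
    for _order, layout_id in ordered:
        lang = EXCLUSION_LANGIDS.get(layout_langid(layout_id))
        if lang is not None:
            found[layout_id] = lang
    return found


def has_exclusion_layout(preload: Dict[str, str]) -> bool:
    """True if at least one preloaded layout belongs to an exclusion-list language."""
    return bool(matching_layouts(preload))


def read_preload_from_registry() -> Dict[str, str]:
    """Read the current user's preload list on Windows; empty dict elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library, Windows only

    preload: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Keyboard Layout\Preload") as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values under the key
            preload[name] = data
            index += 1
    return preload


# Constructed sample preload lists (not captured from any real host):
SAMPLE_US_ONLY = {"1": "00000409"}                   # en-US only
SAMPLE_WITH_RU = {"1": "00000409", "2": "00000419"}  # en-US plus Russian


if __name__ == "__main__":
    # On Windows, audit the real registry; elsewhere fall back to the sample.
    preload = read_preload_from_registry() or SAMPLE_WITH_RU
    hits = matching_layouts(preload)
    if hits:
        print("exclusion-list layout(s) present:", hits)
    else:
        print("no exclusion-list layout preloaded; only:", sorted(preload.values()))
```

Run it under the user account that actually logs on to the machine, since the Preload key is per user; a layout added only for an administrator's profile tells you nothing about the operator's session.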
Posted (edited)
3 hours ago, Stuart Galbraith said:

DarkSide, like a great many other malware strains, has a hard-coded do-not-install list of countries which are the principal members of the Commonwealth of Independent States (CIS) — former Soviet satellites that all currently have favorable relations with the Kremlin, including Azerbaijan, Belarus, Georgia, Romania, Turkmenistan, Ukraine and Uzbekistan. The full exclusion list in DarkSide (published by Cybereason) is below:

Did you even read this gem before posting it? :D

It is basically a "list of countries too poor to pay".

Edited by bojan
Posted

There's at least 50 more countries that are even poorer, and not on that list.

Posted (edited)

They are that hopeless. :)

Whole explanation is nonsense - how come Romania is "close to Russia"? Or Georgia? Or Ukraine?

Edited by bojan
Posted (edited)
1 hour ago, Ssnake said:

There's at least 50 more countries that are even poorer, and not on that list.

Exactly. Give that man a cigar. Venezuela or Zimbabwe to name but two.

Besides, the point everyone is missing: even if you pay, you don't get your computer unlocked. Colonial Pipeline found that out for themselves by paying up, and getting nothing in return. They had to get the US Guvmint to help them.

So, how long is it going to be before the message is going to drop that there is no point paying? And if there is no point paying, then how can money be the primary motivation? People who kidnap generally hand the victims over unharmed if they are paid, or sooner or later, nobody pays.

The thing that links all those countries: they are either in the Russian orbit, or the Russian Government aspires for them to be in their orbit. One can argue about what the significance of that is, and I'm sure many will.

Edited by Stuart Galbraith
Posted

Note, if they are worried about local/state authorities, it somewhat seems that they are not a state actor. Though it could also be a matter of not causing a blue on blue event. If other factors place behavior on fear of state police, then it seems more likely that they are not state sanctioned.

Posted
2 hours ago, rmgill said:

Note, if they are worried about local/state authorities, it somewhat seems that they are not a state actor. Though it could also be a matter of not causing a blue on blue event. If other factors place behavior on fear of state police, then it seems more likely that they are not state sanctioned.

It could be that they are state-sanctioned, as in performing computer crime at the behest of an authoritarian/totalitarian state. Not hard to imagine the Russians ordering APT29 etc. to perform certain hacks, or else. "Or elses" from Russia, China, etc. are to be taken seriously.

Thinking a bit about the pipeline attack, to whose benefit? It occurred to me that someone with the money/power to intimidate a hacking group into performing a targeted attack might be doing so for financial benefit. Play some commodities futures in advance of the attack, rake in capital gains when the European spot price for crude or CNG goes up 2%.

The equities and commodities exchanges should be scouring their transaction data looking for that. No mention in the press, which I interpret as indicating no such data scouring (given that the Biden admin announced that they would be performing clandestine responses to APT29, somebody would have held a presser talking about an investigation).

Posted
20 hours ago, DB said:

The pipelines themselves need maintenance and apparently that can be managed - there's no particular reason why this should be easier than doing the same for a fibre data connection, and given that fibre cables sit on the seabed without significant maintenance for years, it's not beyond the wit of man to make far more easily accessible cables manageable.

Regardless, the primary point still holds - a critical infrastructure network should not be connected to the internet where anybody with a few skills and a rootkit can get in. The other thing is locking down things like USB ports, so the supervisor has to use his phone for his music, not the company PC.

I have had this argument with IT people a number of times..they do not seem to understand..blah blah we have good security...

Posted

How the local branch of a big worldwide marketing company dealt with ransomware...

- IT nuked system and restored backups. Work was done overnight, not really paid as overtime.

- Lost work hours were substituted by people working overtime, again w/o (or with very little) overtime bonuses.

That is how it works in the whole of eastern Europe: no company, large or small, GaF about ransomware, since it is cheaper to get your already underpaid workers to put some extra back into it (or else...) and mitigate the consequences.

No one really targets anyone here, or in Romania, Bulgaria, Ukraine, Albania, Bosnia etc, etc, with ransomware other than by accident. It is simply not worth it, since targets will only rarely pay. I know of 5-6 attacks... None paid. When the workforce is so cheap (and replaceable if they complain about exploitation by the companies) you don't GaF if they will have to work twice; you won't even have to pay them extra.
