You may have heard that the ransomware group that took down the Colonial Pipeline was, itself, hacked. Although that sounds like poetic justice, I wouldn’t begin partying just yet. True, the DarkSide ransomware group announced, on a deep web forum, that they lost control of their servers and lost all of their money. Well, maybe. But until I hear this confirmed by the U.S. government, I’m going to be skeptical. It could just as well be an exit scam performed by the administrators of the group to take the money and run. I suggested in a previous post that DarkSide probably got in over their heads on the D.C. police hack and were likely surprised when Colonial Pipeline paid the $5 million ransom almost immediately. That much money alone could make them consider an early retirement.
You may have also heard that other ransomware groups are now in a panic. Threatpost announced that “the DarkSide takedown sent shockwaves through other underground forums, many of which deleted all ransomware topics” and that “REvil Sweats Bullets.” Well, if that’s so, they are low-caliber bullets, as the group just posted information on more attacks that they had performed. In fact, I just checked the deep web and many top ransomware sites are still up and running. It was claimed that some had announced they would no longer attack government or infrastructure targets. Again, maybe they will and maybe they won’t. Colonial Pipeline paid the ransom with apparently little negotiation. That’s the kind of target these groups look for. In other words, it is just as likely that this payment could encourage other groups to target high-profile infrastructure targets. Thanks, Colonial.
But the Babuk Locker ransomware group, the group that hacked and released information on the Washington D.C. Metropolitan Police, announced a new model that could be just as scary. Here is their announcement.
So, if I interpret this correctly, Babuk will post ransomware notices for smaller hacking groups that may not want to set up their own extortion sites. I guess this means that if a startup ransomware group succeeds in breaching a company and encrypting its data, Babuk will allow them to leak the company’s information if they don’t pay. My other guess is that Babuk will get a percent of the profits.
I’m not sure why the group is announcing “another loud leak” except that they must be currently negotiating with some major company or organization that doesn’t seem to be cooperating. I’ll let you know if anything turns up. Until then, protect your company and organization from these criminal gangs by employing the highest grade endpoint protection, because that’s often how they get in.