Feds Seized 2 Cyber Domains of Hackers/SolarWinds

DOJ:

Domain Names Were in Part Used to Control a Cobalt Strike Software Tool that the Actors Implanted on Victim Networks

WASHINGTON – On May 28, pursuant to court orders issued in the Eastern District of Virginia, the United States seized two command-and-control (C2) and malware distribution domains used in recent spear-phishing activity that mimicked email communications from the U.S. Agency for International Development (USAID). This malicious activity was the subject of a May 27 Microsoft security alert, titled “New sophisticated email-based attack from Nobelium,” and a May 28 FBI and Cybersecurity and Infrastructure Security Agency joint cybersecurity advisory.

The Department’s seizure of the two domains was aimed at disrupting the malicious actors’ follow-on exploitation of victims, as well as identifying compromised victims. However, the actors may have deployed additional backdoor accesses between the time of the initial compromises and last week’s seizures.

“Last week’s action is a continued demonstration of the Department’s commitment to proactively disrupt hacking activity prior to the conclusion of a criminal investigation,” said Assistant Attorney General John C. Demers for the Justice Department’s National Security Division. “Law enforcement remains an integral part of the U.S. government’s broader disruption efforts against malicious cyber-enabled activities, even prior to arrest, and we will continue to evaluate all possible opportunities to use our unique authorities to act against such threats.”

“Cyber intrusions and spear-phishing email attacks can cause widespread damage throughout affected computer networks, and can result in significant harm to individual victims, government agencies, NGOs, and private businesses,” said Acting U.S. Attorney Raj Parekh for the Eastern District of Virginia. “As demonstrated by the court-authorized seizure of these malicious domains, we are committed to using all available tools to protect the public and our government from these worldwide hacking threats.”

“Friday’s court-authorized domain seizures reflect the FBI Washington Field Office’s continued commitment to cyber victims in our region,” said Assistant Director in Charge Steven M. D’Antuono of the FBI’s Washington Field Office. “These actions demonstrate our ability to quickly respond to malicious cyber activities by leveraging our unique authorities to disrupt our cyber adversaries.”

“The FBI remains committed to disrupting this type of malicious cyber activity targeting our federal agencies and the American public,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “We will continue to use all of the tools in our toolbelt and leverage our domestic and international partnerships to not only disrupt this type of hacking activity but to impose risk and consequences upon our adversaries to combat these threats.”

On or about May 25, malicious actors commenced a wide-scale spear-phishing campaign leveraging a compromised USAID account at an identified mass email marketing company. Specifically, the compromised account was used to send spear-phishing emails, purporting to be from USAID email accounts and containing a “special alert,” to thousands of email accounts at over one hundred entities. More here.

Solarwinds Management Tools - Full Control Networks source

More details on the backstory of SolarWinds

“This release includes bug fixes, increased stability and performance improvements.”

The routine software update may be one of the most familiar and least understood parts of our digital lives. A pop-up window announces its arrival and all that is required of us is to plug everything in before bed. The next morning, rather like the shoemaker and the elves, our software is magically transformed.

Last spring, a Texas-based company called SolarWinds made one such software update available to its customers. It was supposed to provide the regular fare — bug fixes, performance enhancements — to the company’s popular network management system, a software program called Orion that keeps a watchful eye on all the various components in a company’s network. Customers simply had to log into the company’s software development website, type a password and then wait for the update to land seamlessly onto their servers.

The routine update, it turns out, is no longer so routine.

Hackers believed to be directed by the Russian intelligence service, the SVR, used that routine software update to slip malicious code into Orion’s software and then used it as a vehicle for a massive cyberattack against America.

“Eighteen thousand [customers] was our best estimate of who may have downloaded the code between March and June of 2020,” Sudhakar Ramakrishna, SolarWinds president and CEO, told NPR. “If you then take 18,000 and start sifting through it, the actual number of impacted customers is far less. We don’t know the exact numbers. We are still conducting the investigation.”

On Thursday, the Biden administration announced a roster of tough sanctions against Russia as part of what it characterized as the “seen and unseen” response to the SolarWinds breach.

NPR’s months-long examination of that landmark attack — based on interviews with dozens of players from company officials to victims to cyber forensics experts who investigated, and intelligence officials who are in the process of calibrating the Biden administration’s response — reveals a hack unlike any other, launched by a sophisticated adversary who took aim at a soft underbelly of digital life: the routine software update.

By design, the hack appeared to work only under very specific circumstances. Its victims had to download the tainted update and then actually deploy it. That was the first condition. The second was that their compromised networks needed to be connected to the Internet, so the hackers could communicate with their servers.

For that reason, Ramakrishna figures the Russians successfully compromised about 100 companies and about a dozen government agencies. The companies included Microsoft, Intel and Cisco; the list of federal agencies so far includes the Treasury, Justice and Energy departments and the Pentagon.

Hunter’s Baby Mama was Actually on the Payroll

Until Hunter took her off the payroll and canceled her health insurance after the baby was born…

The former stripper who bore Hunter Biden’s out-of-wedlock child — and who he claims that he has no memory of meeting — was on his consulting firm’s payroll during her pregnancy, text messages retrieved from his laptop reveal.

And the first son made sure she was booted off the company insurance plan months after she gave birth, according to the texts.

The messages, which are contained on Hunter Biden’s abandoned laptop, shed new light on the relationship between him and Lunden Roberts, who gave birth to their daughter Navy Joan Roberts in August of 2018, the Daily Mail reported Wednesday.

Roberts messaged Biden on July 24 of that year to let him know that their child’s due date was Sept. 8. (“Amoeba DD Sep 8, 2018 All Good,” she wrote.), the Mail reported. The message received no response from Hunter.

Fifteen days later, on Aug. 8, Roberts messaged him again.

“Reached out a few times, it’s clear you don’t want to be reached,” she wrote. “Need to talk to you. If you feel the need to reach out, my line is always open. Hope all is well.”

Again, Biden did not respond. Screenshots taken by the Mail showed that message appeared four times, though it’s not clear whether Roberts actually sent the message four times.

That December, Hunter Biden messaged assistant Katie Dodge asking for information about his firm, Rosemont Seneca.

“And just for clarification who is pay roll paid to now and for past nine months?” he asked, adding in subsequent messages, “So when you took what’s her name off and re directed her income did it also End my insurance.”

“Past nine months has been you, me, Lunden, Hallie, Liz & Erin,” Dodge responded. “But currently only you me & Erin.”

Dodge later reassured Hunter: “No, Lunden’s removal doesn’t jeopardize insurance.”

Roberts slapped Hunter Biden with a paternity suit in May 2019. The suit was settled in March of last year with Biden agreeing to pay an undisclosed monthly sum in child support and health insurance premiums. More here from the NY Post

*** Hunter Biden subpoena seeks info on Burisma, other entities source

Related reading: Dem Lobbyists Under Investigation over Work for Hunter Biden Linked Ukrainian Energy Firm

There is more actually and this deals with Hunter’s salary. It was cut in half because dad was no longer Vice President…

President Joe Biden’s son Hunter had his salary cut by the Ukrainian energy company that put him on their board while Joe served as President Barack Obama’s vice president — just two months after the end of the Obama administration.

A new book from New York Post columnist Miranda Devine includes an email sent to Hunter on March 19, 2017 — two months after President Donald Trump was inaugurated — that asked the younger Biden to sign a new director’s agreement. The email, sent by Burisma executive Vadym Pozharskyi, stated that “the only thing that was amended is the compensation rate.”

“We are very much interested in working closely together, and the remuneration is still the highest in the company and higher than the standard director’s monthly fees. I am sure you will find it both fair and reasonable,” the email said.

Prior to the email, while Joe Biden was vice president, Hunter was paid $83,333 a month to sit on Burisma’s board. After the new agreement was signed, his compensation was slashed by half, to $41,500. To be sure, still an exorbitant monthly sum for someone with no qualifications to sit on the board, but far less than the $1 million-a-year salary he was commanding.

The email, published by the Post, contains no documented reason for the pay cut. As Devine wrote, the “only change in circumstance appears to be that Hunter’s father was no longer in office.” Hat tip to The Daily Wire.

Hunter resigned from the board in April 2019 when his continued employment caused headaches for Joe’s presidential campaign.

Devine added that this email, as well as invoices and other emails, were included on the damaged laptop obtained by the Post ahead of the 2020 election. The Post reported on the contents of the laptop, but the story was suppressed by social media platforms and the mainstream media.

Fauci Lands Book Deal, What about Wuhan?

Dr. Anthony Fauci landed a book deal and will be the subject of a documentary featuring his work during the COVID-19 pandemic despite his constant flip-flopping on virus-related topics such as prolonged lockdowns, school reopenings, and the origins of the coronavirus.

“Expect the Unexpected: Ten Lessons on Truth, Service, and the Way Forward,” the National Institute of Allergy and Infectious Diseases (NIAID) director’s book, will be published by National Geographic Books and available to the public by as early as November 2.

“In his own words, world-renowned infectious disease specialist Anthony Fauci shares the lessons that have shaped his life philosophy, offering an intimate view of one of the world’s greatest medical minds as well as universal advice to live by,” the book description on Amazon reads. More book details here.

Dr. Fauci is the highest paid government employee and, frankly, should be prosecuted, and that before he is fired.

*** Fauci said he tested negative for coronavirus Saturday ...

Related reading:

In a newly resurfaced paper from 2012, Dr. Anthony Fauci argued that the benefits of gain-of-function research are worth the increased risk of a potential pandemic-causing lab accident.

The Weekend Australian unearthed a paper Fauci wrote for the American Society for Microbiology in October 2012 in which he argued in support of gain-of-function research. Such research involves making viruses more infectious and/or deadly. Experts have raised the possibility that the COVID-19 pandemic could have originated from a potential lab leak at the Wuhan Institute of Virology in Wuhan, China, where gain-of-function experiments on bat coronaviruses have been conducted.

***

Here is a tip sheet for the gigantic number of questions that still need to be asked about the China virus.

Since we don’t trust U.S. media sources and rightly so, it is prudent to go elsewhere in the world and learn what other experts know. Additionally, it is important to add in other U.S. agencies that have a conduit to all things China virus.

Consider the following below:

  1. How about USAID?

    PREDICT is enabling global surveillance for pathogens that can spillover from animal hosts to people by building capacities to detect and discover viruses of pandemic potential. The project is part of USAID’s Emerging Pandemic Threats program and is led by the UC Davis One Health Institute.

    PREDICT was initiated in 2009 to strengthen global capacity for detection and discovery of viruses with pandemic potential that can move between animals and people. Those include coronaviruses, the family to which SARS and MERS belong; paramyxoviruses, like Nipah virus; influenza viruses; and filoviruses, like the ebolavirus.

    Working with partners in over 30 countries, the project is investigating the behaviors, practices and ecological and biological factors driving disease emergence, transmission and spread using the One Health approach.

    Through these efforts, PREDICT has improved global disease recognition and has developed strategies and policy recommendations to minimize pandemic risk. Read more here.

  2. From a media source in India in part: This research paper has been published by a newspaper in Australia. It has been said that the discussion of using the coronavirus as a biological weapon started in China in 2015 itself. At that time, scientists of China’s People’s Liberation Army (PLA) and senior health officials in China had prepared a research paper, titled “The Unnatural Origin of SARS and New Species of Man-Made Viruses as Genetic Bio-weapons”.

    This means that in the year 2019, when the first case of coronavirus came to light in the city of Wuhan, China, a research paper was already prepared 4 years before that and it was prepared by the Chinese army scientists and senior health officers. More details here.

  3. How about a media source from Taiwan? TAIPEI (Taiwan News) — Amid concerns about the safety and efficacy of Sinopharm’s COVID-19 vaccine, the history of the company’s lab in Wuhan has raised suspicions among biowarfare experts, the U.S. government, and the Taiwanese military over whether it continues to serve as a dual-use biological warfare (BW) facility for the People’s Liberation Army (PLA).

    In 1993 and again in 1995, China declared the Wuhan Institute of Biological Products (WIBP), the hub of Sinopharm’s COVID-19 vaccine development, to be one of eight dual-use BW research facilities under its “national defensive biological warfare R&D program.” Although China has denied having an “offensive” biological warfare program since signing the Biological and Toxin Weapons Convention (BTWC), also known as the Biological Weapons Convention (BWC), in 1984, the U.S. State Department in 2005 alleged that “China maintains some elements of an offensive [biological weapon] capability in violation of its BTWC obligations” and repeated the same charges in 2010, 2012, and 2014. The .pdf summary is found here –> https://idsa.in/system/files/jds/jds_9_2_2015_DanyShoham.pdf

  4. How about British Intelligence? The former head of Britain’s Secret Intelligence Service (MI6), Sir Richard Dearlove, said that the question of a lab leak has become an “intelligence issue” in which British spies may need to “incentivise” defectors within the communist country to come forward and reveal the truth of the origin of the Wuhan virus.

    A senior Whitehall security source told the Daily Telegraph — a newspaper with close ties to the ruling Conservative government — that British intelligence investigators are working alongside their American counterparts to uncover the real origin of the pandemic.

    “We are contributing what intelligence we have on Wuhan, as well as offering to help the American to corroborate and analyse any intelligence they have that we can assist with,” said the source.

    “What is required to establish the truth behind the coronavirus outbreak is well-sourced intelligence rather than informed analysis, and that is difficult to come by.”

    Sir Richard Dearlove, who has been a vocal proponent of the idea that the virus emanated from the Wuhan laboratory, said that many scientists refrained from backing the idea out of fear of appearing to side with former President Donald Trump. source

  5. How about Ft. Detrick? That is the location for the National Biodefense Analysis and Countermeasures Center, which by the way is under the supervision of DHS…

    NBACC’s 160,000 square-foot facility and 51,927 square feet of lab space includes two centers: the National Bioforensic Analysis Center (NBFAC), which conducts technical analyses in support of federal law enforcement investigations, and the National Biological Threat Characterization Center, which conducts experiments and studies to better understand biological vulnerabilities and hazards.

    NBACC is committed to maintaining a culture of safety. Its fully accredited, state-of-the-art lab facilities are at the biosafety levels (BSL) 2, 3, and 4, providing the highest standards of safety and experimental capability available. Its BSL-4 accreditation allows NBACC to perform R&D on pathogens for which no vaccine or treatment exists and makes it one of seven such facilities in the United States.

    NBACC is a partner in the National Interagency Confederation for Biological Research at Fort Detrick. This consortium includes the Centers for Disease Control and Prevention; Food and Drug Administration; National Cancer Institute; National Institute of Allergy and Infectious Diseases Integrated Research Facility; Naval Medical Research Center Biological Defense Research Directorate; U.S. Army Installation Management Command; U.S. Army Medical Research and Materiel Command; U.S. Army Medical Research Institute of Infectious Diseases; and U.S. Department of Agriculture Foreign Disease-Weed Science Research Unit. As an interagency partner, NBACC coordinates a range of scientific, technical, operational, and infrastructure-related activities that enhance scientific collaboration and productivity. The fact sheet is here.
  6. We have forgotten the Chinese scientists and other operatives working at U.S. universities or other American agencies. Harvard University Professor and Two Chinese Nationals Charged in Three Separate China Related Cases
  7. Anyone asking questions of the Rocky Mountain Laboratories in Montana? NIAID’s Rocky Mountain Laboratories (RML) in Hamilton, Montana, produced images of the novel coronavirus (SARS-CoV-2, previously known as 2019-nCoV) on its scanning and transmission electron microscopes on Tuesday, Feb. 11, 2020. SARS-CoV-2 causes COVID-19 disease, which has grown to be a global public health emergency since cases were first detected in Wuhan, China, in December 2019. RML investigator Emmie de Wit, Ph.D., provided the virus samples as part of her studies, microscopist Elizabeth Fischer produced the images, and the RML visual medical arts office digitally colorized the images.
  8. There is the University of Texas, the University of Alabama and last but not least the University of California at Irvine.

There are likely thousands who know more, but they remain silent. Why?


SolarWinds Strikes Again and Again

Primer: The House Oversight and Government Reform Committee, chaired by Carolyn Maloney (D-NY), has held only one meeting on SolarWinds and none related to DarkSide, both of which have caused major disruptions to the supply chain and national security. It was last February that the committee hosted a session via WebEx with a few witnesses, at which nothing was determined or solved.

The cyberattackers responsible for the SolarWinds hack targeted U.S. organizations again last week, Microsoft said.

The Russian hackers that U.S. intelligence says are behind the SolarWinds breach that previously compromised government networks went last week after government agencies, think tanks, consultants, and non-governmental organizations, said Microsoft Corporate Vice President Tom Burt.

“This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations,” Mr. Burt wrote on Microsoft’s blog. “While organizations in the United States received the largest share of attacks, targeted victims span at least 24 countries. At least a quarter of the targeted organizations were involved in international development, humanitarian and human rights work.” More here.

***

Solarwinds Management Tools - Full Control Networks source details

New details are emerging from a cyberattack that hit about 3,000 email accounts and 150 government agencies and think tanks spanning 24 countries, including the U.S., this week.

Microsoft on Thursday evening announced that Nobelium, a Russian group of threat actors that targeted software company SolarWinds in 2020 as part of a months-long hacking campaign, recently attacked more U.S. and foreign government agencies using an email marketing account of the U.S. Agency for International Development (USAID).

USAID is aware of the attack, and a “forensic investigation into this security incident is ongoing,” USAID acting spokesperson Pooja Jhunjhunwala said in a statement to FOX Business. “USAID has notified and is working with all appropriate Federal authorities, including the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA),” Jhunjhunwala said.

***

Source: The revelation caused a stir, highlighting as it did Russia’s ongoing and inveterate digital espionage campaigns. But it should be no shock at all that Russia, in general, and the SolarWinds hackers in particular, have continued to spy even after the US imposed retaliatory sanctions in April. And relative to SolarWinds, a phishing campaign seems downright ordinary.

“I don’t think it’s an escalation; I think it’s business as usual,” says John Hultquist, vice president of intelligence analysis at the security firm FireEye, which first discovered the SolarWinds intrusions. “I don’t think they’re deterred, and I don’t think they’re likely to be deterred.”

Russia’s latest campaign is certainly worth calling out. Nobelium compromised legitimate accounts from the bulk email service Constant Contact, including that of the United States Agency for International Development. From there the hackers, reportedly members of Russia’s SVR foreign intelligence agency, could send out specially crafted spearphishing emails that genuinely came from the email accounts of the organization they were impersonating. The emails included legitimate links that then redirected to malicious Nobelium infrastructure and installed malware to take control of target devices.

While the number of targets seems large, and USAID works with plenty of people in sensitive positions, the actual impact may not be quite as severe as it first sounds. While Microsoft acknowledges that some messages may have gotten through, the company says that automated spam systems blocked many of the phishing messages. Microsoft’s corporate vice president for customer security and trust, Tom Burt, wrote in a blog post on Thursday that the company views the activity as “sophisticated” and that Nobelium evolved and refined its strategy for the campaign for months leading up to this week’s targeting.
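The detection point in the campaign described above is that the visible link domain is legitimate (the mail service's click-tracking redirector) and only the final hop is attacker-controlled. The following is an added example, not code from the article, Microsoft or Constant Contact; the message, the redirect table and every domain in it are constructed placeholders, and in practice the table would be filled by following each link's redirect chain rather than hard-coded.

```python
"""Resolve click-tracking redirects before trusting a link's domain.

Added example, not code from the original article, Microsoft, or Constant
Contact. It models the campaign described above: mail really sent from a
legitimate bulk-mail account, whose links go through the mail service's
tracking redirector and only then land on attacker-controlled hosts. The
message, redirect map and domains below are constructed placeholders.
"""
import re
from urllib.parse import urlparse

# Constructed: where the tracking redirector sends each link. In practice this
# table is built by following the chain with HEAD requests and recording the
# Location headers; it is hard-coded here so the example runs offline.
REDIRECTS = {
    "https://track.mailservice.example/ls/click?upn=abc123": "https://usaid.example/reports/2021",
    "https://track.mailservice.example/ls/click?upn=def456": "https://cdn.attacker.example/alert",
}

# Domains a link from this sender may legitimately end on.
ALLOWED_FINAL_DOMAINS = {"usaid.example", "mailservice.example"}

# Constructed sample message (no real indicators).
SAMPLE_MAIL = """From: USAID Special Alert <alerts@usaid.example>
Please review the latest report: https://track.mailservice.example/ls/click?upn=abc123
Download the full alert here: https://track.mailservice.example/ls/click?upn=def456
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registered_domain(url: str) -> str:
    """Last two labels of the hostname; good enough for the placeholder TLDs here."""
    host = urlparse(url).hostname or ""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def resolve_chain(url: str, redirects: dict, max_hops: int = 5) -> list:
    """Follow redirects until the chain stops or max_hops is reached."""
    chain = [url]
    while chain[-1] in redirects and len(chain) <= max_hops:
        chain.append(redirects[chain[-1]])
    return chain


def visible_domain_check(body: str, allowed: set) -> list:
    """The naive check: judge each link by the domain the reader sees."""
    return [u for u in URL_RE.findall(body) if registered_domain(u) not in allowed]


def resolved_domain_check(body: str, redirects: dict, allowed: set) -> list:
    """Judge each link by where its redirect chain finally lands."""
    findings = []
    for url in URL_RE.findall(body):
        chain = resolve_chain(url, redirects)
        final_domain = registered_domain(chain[-1])
        if final_domain not in allowed:
            findings.append({"link": url, "lands_on": chain[-1], "hops": len(chain) - 1})
    return findings


if __name__ == "__main__":
    # The visible-domain check passes both links; the resolved check flags the second.
    print("visible-domain check flags:", visible_domain_check(SAMPLE_MAIL, ALLOWED_FINAL_DOMAINS))
    print("resolved-chain check flags:", resolved_domain_check(SAMPLE_MAIL, REDIRECTS, ALLOWED_FINAL_DOMAINS))
```

Both links pass a sender-domain or visible-domain allowlist; only resolving the redirect chain exposes the second one, which is why mail filters that stop at the tracking domain let this class of message through.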

“It is likely that these observations represent changes in the actor’s tradecraft and possible experimentation following widespread disclosures of previous incidents,” Burt wrote. In other words, this could be a pivot after their SolarWinds cover was blown.

But the tactics in this latest phishing campaign also reflect Nobelium’s general practice of establishing access on one system or account and then using it to gain access to others and leapfrog to numerous targets. It’s a spy agency; this is what it does as a matter of course.

“If this happened pre-SolarWinds we wouldn’t have thought anything about it. It’s only the context of SolarWinds that makes us see it differently,” says Jason Healey, a former Bush White House staffer and current cyberconflict researcher at Columbia University. “Let’s say this incident happens in 2019 or 2020, I don’t think anyone is going to blink an eye at this.”

As Microsoft points out, there’s also nothing unexpected about Russian spies, and Nobelium in particular, targeting government agencies, USAID in particular, NGOs, think tanks, research groups, or military and IT service contractors.

“NGOs and DC think tanks have been high-value soft targets for decades,” says one former Department of Homeland Security cybersecurity consultant. “And it’s an open secret in the incident response world that USAID and the State Department are a mess of unaccountable, subcontracted IT networks and infrastructure. In the past, some of those systems were compromised for years.”

Especially compared to the scope and sophistication of the SolarWinds breach, a widespread phishing campaign feels almost like a downshift. It’s also important to remember that the impacts of SolarWinds remain ongoing; even after months of publicity about the incident, it’s likely that Nobelium still haunts at least some of the systems it compromised during that effort.

“I’m sure that they’ve still got accesses in some places from the SolarWinds campaign,” FireEye’s Hultquist says. “The main thrust of the activity has been diminished, but they’re very likely lingering on in several places.”

Which is just the reality of digital espionage. It doesn’t stop and start based on public shaming. Nobelium’s activity is certainly unwelcome, but it doesn’t in itself portend some great escalation.


The Finer Details of the DarkSide, Hackers of the Colonial Pipeline

Primer: Five months before DarkSide attacked the Colonial pipeline, two researchers discovered a way to rescue its ransomware victims. Then an antivirus company’s announcement alerted the hackers.

Colonial Pipeline hack is latest example of cybersecurity ...

Related reading

On January 11, antivirus company Bitdefender said it was “happy to announce” a startling breakthrough. It had found a flaw in the ransomware that a gang known as DarkSide was using to freeze computer networks of dozens of businesses in the US and Europe. Companies facing demands from DarkSide could download a free tool from Bitdefender and avoid paying millions of dollars in ransom to the hackers.

But Bitdefender wasn’t the first to identify this flaw. Two other researchers, Fabian Wosar and Michael Gillespie, had noticed it the month before and had begun discreetly looking for victims to help. By publicizing its tool, Bitdefender alerted DarkSide to the lapse, which involved reusing the same digital keys to lock and unlock multiple victims. The next day, DarkSide declared that it had repaired the problem, and that “new companies have nothing to hope for.”
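The lapse the article describes, reusing the same key across victims, is the whole reason a single decryptor could serve many companies, and the reason it stopped working the day fresh per-victim keys were restored. The model below is an added example, not DarkSide's code, Bitdefender's tool or the Ransomware Hunting Team's decryptor; it uses a toy cipher (a SHA-256 counter keystream with an HMAC tag so a wrong key is detected instead of yielding silent garbage) and constructed files, and the "recovered key" is simply taken from the model, since how the researchers obtained one is not described on the page.

```python
"""Why one key shared across victims breaks a ransomware scheme.

Added example; it is not DarkSide's code, Bitdefender's decryptor, or the
Ransomware Hunting Team's tool. It models the flaw the article describes
(the same key used to lock and unlock several victims) with a toy cipher:
a SHA-256 counter keystream plus an HMAC tag, so a wrong key is detected
rather than producing silent garbage. All files and keys are constructed.
"""
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, with a fresh nonce per file."""
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def open_sealed(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key does not match the tag."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


class Operator:
    """Models the extortionist's side: locks each victim's files.

    reuse_key=True reproduces the lapse (one key for every victim);
    reuse_key=False is the per-victim key that the fix restored.
    """

    def __init__(self, reuse_key: bool):
        self.reuse_key = reuse_key
        self.shared_key = secrets.token_bytes(32)
        self.victim_keys = {}

    def lock(self, victim: str, files: dict) -> dict:
        key = self.shared_key if self.reuse_key else secrets.token_bytes(32)
        self.victim_keys[victim] = key
        return {name: seal(key, data) for name, data in files.items()}


def recover_with(key: bytes, locked: dict) -> float:
    """A decryptor built from one recovered key; returns the fraction of files it unlocks."""
    unlocked = sum(1 for blob in locked.values() if open_sealed(key, blob) is not None)
    return unlocked / len(locked)


def cross_victim_recovery(reuse_key: bool) -> float:
    """Lock two victims, recover victim A's key, and try it on victim B's files."""
    op = Operator(reuse_key)
    files_a = {"report.docx": b"Q1 figures", "notes.txt": b"call vendor"}  # constructed
    files_b = {"payroll.xlsx": b"salary table", "memo.txt": b"board minutes"}  # constructed
    locked_a = op.lock("victim-a", files_a)
    locked_b = op.lock("victim-b", files_b)
    # Suppose responders obtained victim A's key (taken from the model here).
    key_a = op.victim_keys["victim-a"]
    assert recover_with(key_a, locked_a) == 1.0  # it always unlocks A's own files
    return recover_with(key_a, locked_b)  # 1.0 with key reuse, 0.0 with fresh keys


if __name__ == "__main__":
    print("shared key across victims, A's key on B's files:", cross_victim_recovery(True))
    print("fresh key per victim,     A's key on B's files:", cross_victim_recovery(False))
```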

“Special thanks to BitDefender for helping fix our issues,” DarkSide said. “This will make us even better.”

DarkSide soon proved it wasn’t bluffing, unleashing a string of attacks. This month, it paralyzed the Colonial Pipeline Co., prompting a shutdown of the 5,500-mile pipeline that carries 45% of the fuel used on the East Coast—quickly followed by a rise in gasoline prices, panic buying of gas across the Southeast, and closures of thousands of gas stations. Absent Bitdefender’s announcement, it’s possible that the crisis might have been contained, and that Colonial might have quietly restored its system with Wosar and Gillespie’s decryption tool.

Instead, Colonial paid DarkSide $4.4 million in Bitcoin for a key to unlock its files. “I will admit that I wasn’t comfortable seeing money go out the door to people like this,” CEO Joseph Blount told the Wall Street Journal.

The missed opportunity was part of a broader pattern of botched or half-hearted responses to the growing menace of ransomware, which during the pandemic has disabled businesses, schools, hospitals, and government agencies across the country. The incident also shows how antivirus companies eager to make a name for themselves sometimes violate one of the cardinal rules of the cat-and-mouse game of cyberwarfare: Don’t let your opponents know what you’ve figured out. During World War II, when the British secret service learned from decrypted communications that the Gestapo was planning to abduct and murder a valuable double agent, Johnny Jebsen, his handler wasn’t allowed to warn him for fear of cluing in the enemy that its cipher had been cracked. Today, ransomware hunters like Wosar and Gillespie try to prolong the attackers’ ignorance, even at the cost of contacting fewer victims. Sooner or later, as payments drop off, the cybercriminals realize that something has gone wrong.

Whether to tout a decryption tool is a “calculated decision,” said Rob McLeod, senior director of the threat response unit for cybersecurity firm eSentire. From the marketing perspective, “You are singing that song from the rooftops about how you have come up with a security solution that will decrypt a victim’s data. And then the security researcher angle says, ‘Don’t disclose any information here. Keep the ransomware bugs that we’ve found that allow us to decode the data secret, so as not to notify the threat actors.’”

In a post on the dark web, DarkSide thanked Bitdefender for identifying a flaw in the gang’s ransomware. (Highlight added by ProPublica.)

Wosar said that publicly releasing tools, as Bitdefender did, has become riskier as ransoms have soared and the gangs have grown wealthier and more technically adept. In the early days of ransomware, when hackers froze home computers for a few hundred dollars, they often couldn’t determine how their code was broken unless the flaw was specifically pointed out to them.

Today, the creators of ransomware “have access to reverse engineers and penetration testers who are very very capable,” he said. “That’s how they gain entrance to these oftentimes highly secured networks in the first place. They download the decryptor, they disassemble it, they reverse-engineer it, and they figure out exactly why we were able to decrypt their files. And 24 hours later, the whole thing is fixed. Bitdefender should have known better.”

It wasn’t the first time Bitdefender trumpeted a solution that Wosar or Gillespie had beaten it to. Gillespie had broken the code of a ransomware strain called GoGoogle, and was helping victims without any fanfare, when Bitdefender released a decryption tool in May 2020. Other companies have also announced breakthroughs publicly, Wosar and Gillespie said.

“People are desperate for a news mention, and big security companies don’t care about victims,” Wosar said.

Bogdan Botezatu, director of threat research at Bucharest, Romania–based Bitdefender, said the company wasn’t aware of the earlier success in unlocking files infected by DarkSide.

Regardless, he said, Bitdefender decided to publish its tool “because most victims who fall for ransomware do not have the right connection with ransomware support groups and won’t know where to ask for help unless they can learn about the existence of tools from media reports or with a simple search.”

Bitdefender has provided free technical support to more than a dozen DarkSide victims, and “we believe many others have successfully used the tool without our intervention,” Botezatu said. Over the years, Bitdefender has helped individuals and businesses avoid paying more than $100 million in ransom, he said.

Bitdefender recognized that DarkSide might correct the flaw, Botezatu said: “We are well aware that attackers are agile and adapt to our decryptors.” But DarkSide might have “spotted the issue” anyway. “We don’t believe in ransomware decryptors made silently available. Attackers will learn about their existence by impersonating home users or companies in need, while the vast majority of victims will have no idea that they can get their data back for free.”


The attack on Colonial Pipeline, and the ensuing chaos at the gas pumps throughout the Southeast, appears to have spurred the federal government to be more vigilant. President Joe Biden issued an executive order to improve cybersecurity and create a blueprint for a federal response to cyberattacks. DarkSide said it was shutting down under US pressure, although ransomware crews have often disbanded to avoid scrutiny and then re-formed under new names, or their members have launched or joined other groups.

“As sophisticated as they are, these guys will pop up again, and they’ll be that much smarter,” said Aaron Tantleff, a Chicago cybersecurity attorney who has consulted with 10 companies attacked by DarkSide. “They’ll come back with a vengeance.”

At least until now, private researchers and companies have often been more effective than the government in fighting ransomware. Last October, Microsoft disrupted the infrastructure of Trickbot, a network of more than 1 million infected computers that disseminated the notorious Ryuk strain of ransomware, by disabling its servers and communications. That month, ProtonMail, the Swiss-based email service, shut down 20,000 Ryuk-related accounts.

Wosar and Gillespie, who belong to a worldwide volunteer group called the Ransomware Hunting Team, have cracked more than 300 major ransomware strains and variants, saving an estimated 4 million victims from paying billions of dollars.

By contrast, the FBI rarely decrypts ransomware or arrests the attackers, who are typically based in countries like Russia or Iran that lack extradition agreements with the US. DarkSide, for instance, is believed to operate out of Russia. Far more victims seek help from the Hunting Team, through websites maintained by its members, than from the FBI.

The US Secret Service also investigates ransomware, which falls under its purview of combating financial crimes. But, especially in election years, it sometimes rotates agents off cyber assignments to carry out its better-known mission of protecting presidents, vice presidents, major-party candidates, and their families. European law enforcement, especially the Dutch National Police, has been more successful than the US in arresting attackers and seizing servers.

Similarly, the US government has made only modest headway in pushing private industry, including pipeline companies, to strengthen cybersecurity defenses. Cybersecurity oversight is divided among an alphabet soup of agencies, hampering coordination. The Department of Homeland Security conducts “vulnerability assessments” for critical infrastructure, which includes pipelines.

It reviewed Colonial Pipeline around 2013 as part of a study of places where a cyberattack might cause a catastrophe. The pipeline was deemed resilient, meaning that it could recover quickly, according to a former DHS official. The department did not respond to questions about any subsequent reviews.

Five years later, DHS created a pipeline cybersecurity initiative to identify weaknesses in pipeline computer systems and recommend strategies to address them. Participation is voluntary, and a person familiar with the initiative said that it is more useful for smaller companies with limited in-house IT expertise than for big ones like Colonial. The National Risk Management Center, which oversees the initiative, also grapples with other thorny issues such as election security.


Ransomware has skyrocketed since 2012, when the advent of Bitcoin made it hard to track or block payments. The criminals’ tactics have evolved from indiscriminate “spray and pray” campaigns seeking a few hundred dollars apiece to targeting specific businesses, government agencies and nonprofit groups with multimillion-dollar demands.

Attacks on energy businesses in particular have increased during the pandemic—not just in the US but in Canada, Latin America, and Europe. As the companies allowed employees to work from home, they relaxed some security controls, McLeod said.
