Many of the world’s largest cybercrime gangs are still active in hacking and extorting victims, unfazed by the international spotlight cast on one of their peers for hacking a U.S. fuel pipeline.
DarkSide, a Russian-affiliated hacker gang, vanished last week after compromising the Colonial Pipeline, which supplies fuel to much of the United States’ East Coast. This prompted the company to suspend operations for five days, resulting in gas shortages in the United States and President Joe Biden’s condemnation. DarkSide, which had collected around $5 million in ransom from the company, claimed to be “apolitical” on its main website, which was quickly deleted.
However, DarkSide is only one player in a thriving scene of cybercrime organizations. More notorious gangs have remained active since the Colonial attack, according to evidence of their exploits that many such groups post to blogs they maintain on the dark web.
The groups are still posting information from victims they have hacked and actively extorting U.S. organizations. Such gangs, like DarkSide, make money by infecting organizations with ransomware, which encrypts and steals files. They demand payment to make the victim's files usable again and threaten to publish the stolen private files if the victim does not pay promptly.
A successful ransomware attack can result in millions of dollars for the hackers. Although some gangs, such as DarkSide, code their hacking programs to avoid targeting Russian victims, many ransomware groups have little concern about who they target as long as they can potentially profit.
A gang with a history of hacking hospitals during the coronavirus pandemic has recently devastated a Navajo Nation hospital and published sensitive patient files from other U.S. hospitals that did not promptly pay up. It also hacked Ireland’s national health care system, the Health Service Executive, or HSE, last week, according to a text message from a spokesperson. Because of the attack, the service’s email server is still down.
The attack, which was announced by the HSE on Friday, has resulted in a number of appointment cancellations in six Irish hospitals. Ossian Smyth, Ireland’s minister for public procurement and e-government, called it “possibly the most significant cybercrime attack on the Irish state.”
The gang has continued its extortion attempts on its website. As punishment for not paying, it has published files from Bee County, Texas, a Utah farming equipment manufacturer, an Australian butcher chain, and an Indian travel technology company since May 13.
Another prolific group is best known for recently hacking a Taiwanese company that manufactures Apple computers and leaking previously private specifications. It has posted evidence of at least four new victims to a dark web blog it maintains since Saturday: a California sensor manufacturer, a Texas home construction company, a Florida law firm, and an international customer experience consulting firm.
A third gang last week published a massive cache of documents stolen from the Metropolitan Police Department in Washington, D.C., after police were said to have offered only $100,000 to keep them private. It exposed data from two more victims on Friday: a New Jersey LED light manufacturer and the U.S. arm of a Swiss automation firm.
Over the weekend, the websites of two smaller ransomware gangs went down, prompting some to speculate that DarkSide’s disappearance signaled the beginning of cybercriminals facing consequences for their sprees. However, the reality is likely to be more mundane, according to Allan Liska, a ransomware analyst at cybersecurity firm Recorded Future.
“The most likely scenario is that DarkSide, rightfully, feared they had attracted too much attention, so they decided to shut down operations and drain their accounts,” Liska said. The other groups “were second-tier players — they won’t be missed.”