The Colonial Pipeline Hackers Are One Of The Savviest Criminal Startups In A $370 Million Ransomware Game


When Colonial Pipeline took its gasoline lines down following a successful cyberattack last week, it became the most high-profile victim of a hacking group called DarkSide.

But DarkSide isn’t a single entity. It’s a media-savvy, semiprofessional startup and software supplier for an illicit market of hackers looking for a quick, easy way to breach and extort large businesses. In a ransomware game that, according to data from cryptocurrency tracker Chainalysis, saw $370 million in 2020 revenue for the criminals in the form of ransom payments, DarkSide and its partners represent a dangerous new breed of underground business, working together to menace legitimate organizations across public and private sectors.

The security industry calls DarkSide’s business model “ransomware-as-a-service,” as it mimics the software-as-a-service model. First, provide financially motivated cybercriminals with the best software for stealing data and encrypting victims’ files over the internet via an easily accessible dark website. Second, provide the services around that software, such as tools that allow digital extortionists to communicate directly with their victims or get IT support. Third, share the rewards if a target pays the ransom.

DarkSide takes most of the cut. According to FireEye, the security company whose Mandiant division is helping the Colonial Pipeline recover, DarkSide takes 25% of ransom fees less than $500,000 and 10% of ransom fees above $5 million. Though that’s a sizable cut of the proceeds, the DarkSide operators make ransomware attacks so simple, customers keep coming. “It’s a great way of making quick money,” says Peter Kruse, founder and CEO of CSIS Security Group, which says it has seen various cybercrime actors using the DarkSide ransomware service. In the case of the Colonial Pipeline, DarkSide says a client using its software mounted the attack that shut the pipeline down.

To stand out from the crowd, DarkSide has promised the best encryption speeds to lock up computers faster than anyone else. It also supports attacks on both Microsoft Windows and Linux operating systems. Its marketing is working. Since emerging in August 2020, it’s leaked the data of more than 80 organizations. The identities of those who paid may never be known, notes ransomware tracker Brett Callow.

“They’ve hit at least 114 organizations and they’ve published data from 83, so these didn’t pay (the ransom). Which means at least 31 did,” Callow says. Given DarkSide users’ ransom demands range from $200,000 to $2 million, according to security startup Cybereason, it’s possible they’ve collectively made more than $30 million in just half a year. And, with KrebsOnSecurity reporting that the group negotiated an $11 million ransom with one victim company, it’s likely higher than that estimate. (A message to the DarkSide crew didn’t receive a response.)

Lax security may be helping the hackers. Before DarkSide’s malware can be deployed, its customers first need to have broken into a network, and DarkSide doesn’t provide that service. Kruse says DarkSide’s partners look for vulnerable devices that can be found by scanning the web. Once those systems are found, they can be exploited to gain a foothold on a target’s network. The attackers then need to take control of other connected computers and install the DarkSide software, which encrypts the victims’ data with keys that the targets must pay a ransom to obtain.

Colonial Pipeline hasn’t yet revealed exactly how it was breached, though analyses of the company’s servers from security experts discovered a few avenues hackers could have used to poke holes in its defenses. There were, for instance, a large number of surveillance cameras attached to the company’s IT infrastructure, according to Derek Abdine from security company Censys.

And Bob Maley, a former PayPal security lead and now chief security officer at cyber defense startup Black Kite, says he saw open remote management and file sharing servers, which, if the hackers had somehow acquired logins, could have provided a path onto Colonial’s network.

“If I was going to hack that… I’d simply use a publicly available tool to connect to that port, run a little script and try all the credentials that I have, plus some of the common … default usernames and passwords,” Maley added. That “credential stuffing” attack could then provide enough network access to start finding a way to plant the ransomware.
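The credential-stuffing pattern Maley describes leaves a distinctive trace on the defender’s side: one source address failing against many different account names in a short span, sometimes followed by a success. The following is an added example, not code from the Forbes article or from any of the companies it quotes. It assumes sshd-style “Failed password” / “Accepted password” log lines (the sample lines, hostnames, usernames and addresses below are constructed), and the one-minute window and five-account threshold are illustrative values, not figures from the article.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example (not from the article). Assumes sshd-style auth log lines;
window and threshold values are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines; hostname "gw", usernames and the
# documentation-range IPs are placeholders, not values from the article.
SAMPLE_LOG = """\
May 10 02:14:01 gw sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
May 10 02:14:02 gw sshd[4021]: Failed password for invalid user root from 203.0.113.7 port 51235 ssh2
May 10 02:14:02 gw sshd[4021]: Failed password for invalid user operator from 203.0.113.7 port 51236 ssh2
May 10 02:14:03 gw sshd[4021]: Failed password for invalid user scada from 203.0.113.7 port 51237 ssh2
May 10 02:14:04 gw sshd[4021]: Failed password for invalid user guest from 203.0.113.7 port 51238 ssh2
May 10 02:14:05 gw sshd[4021]: Failed password for jsmith from 203.0.113.7 port 51239 ssh2
May 10 02:14:06 gw sshd[4021]: Accepted password for jsmith from 203.0.113.7 port 51240 ssh2
May 10 02:20:11 gw sshd[4099]: Failed password for jsmith from 198.51.100.4 port 40001 ssh2
May 10 02:20:15 gw sshd[4099]: Accepted password for jsmith from 198.51.100.4 port 40002 ssh2
"""

# Matches the common sshd password-auth line shape; "invalid user" is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text, year=2021):
    """Return (timestamp, ip, user, success) tuples; syslog lines omit the year,
    so it is supplied as an assumed parameter."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line types are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"] == "Accepted"))
    return events


def detect_stuffing(events, window_seconds=60, min_distinct_users=5):
    """Flag source IPs whose failed logins span >= min_distinct_users distinct
    account names inside a sliding window of window_seconds. For each flagged
    IP, also report accounts that later authenticated successfully from it,
    since that is the case a responder needs to act on first."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [(ts, user) for ts, user, ok in evs if not ok]
        for i in range(len(failures)):
            users = {failures[i][1]}
            j = i + 1
            while (j < len(failures)
                   and (failures[j][0] - failures[i][0]).total_seconds() <= window_seconds):
                users.add(failures[j][1])
                j += 1
            if len(users) >= min_distinct_users:
                first_fail = failures[i][0]
                success_after = sorted(
                    user for ts, user, ok in evs if ok and ts >= first_fail)
                alerts[ip] = {"distinct_users": len(users),
                              "success_after": success_after}
                break  # one alert per source IP is enough
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_users']} accounts tried, "
              f"later successes: {info['success_after'] or 'none'}")
```

On the constructed sample, the first address is flagged (six account names in five seconds, then a successful login as one of them), while the second address, a single failed attempt followed by a success, is treated as an ordinary mistyped password. In a real deployment the same logic applies to any authentication log with a source address and an account name, and the threshold would be tuned against the site’s normal failure rate.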

There’s long been concern that critical infrastructure businesses aren’t well-prepared for the kinds of attack described by Maley, even if they’re far from the most sophisticated attacks the internet sees every day. “Legacy industrial control systems and other similar infrastructures were primarily designed to keep information in and execute their control tasks dependably and consistently. Unfortunately, there were little or no provisions built in to adequately secure the systems and keep people out,” says Chris Piehota, a former FBI technology director.

Personnel is another issue. Kruse and Maley noted that Colonial didn’t appear to have anyone in charge of cybersecurity. Colonial said its chief information officer, hired in 2017, led cybersecurity efforts, undertaking a review of its defenses and increasing total spending on IT, including cybersecurity, by more than 50% in the past four years.

A spokesperson told Forbes it had “robust protocols and software in place to detect and address threats proactively and reactively,” and that its third-party incident response team determined it was following “best practices” before the breach. Any speculation about the root cause of the incident would be premature and not informed by the facts, they added. They declined to comment on whether or not a ransom had been paid, and wouldn’t say how much the hackers had demanded.

The hack itself is just the first part of a modern-day ransomware swindle. DarkSide and similar groups have realized that they need to control the story, play the press and apply as much pressure to victims as possible to extract a ransom.

The added threat on top of all that data loss is public shaming. DarkSide and other groups’ dark websites aren’t just spaces for them to expose victims’ data. They’re places where they can attract media attention to amplify successes and, possibly, increase the ransoms as companies pay up to avoid reputational damage. The first of this new breed of publicity-friendly ransomware extortionist came in late 2019, with the emergence of Maze, which became infamous for attacks on U.S. schools. According to Callow, from security company Emsisoft, there are now about 30 doing much the same.

Another group, Babuk, has shown in the past month how devastating public shaming can be, after it hacked into the Washington, D.C., Metropolitan Police Department. When the police didn’t pay the $4 million ransom, Babuk started releasing the personal information of officers. In a new batch of data on 22 police officers released this week, the leaked information included psychological assessments, social security numbers, financial data and marriage histories. Babuk even posted conversations between itself and the department, in which the latter apparently tried to lowball the crew with a $100,000 ransom offer. Babuk rejected the offer. The police department has previously acknowledged the attack but hadn’t responded to requests for comment at the time of publication.

DarkSide has used a different tactic to try to improve its public image, presenting itself as a kind of Robin Hood hacking organization, giving a small portion of stolen funds to charity, offering short-sellers advance information so they can bet on a victim’s stock tanking, and promising not to attack certain industries: hospitals, funeral services, schools, universities, nonprofits and government organizations. It even claims to only permit attacks on companies it knows can afford to pay, saying, “We do not want to kill your business.”

As the group wrote on its dark web “press center” earlier this week: “Our goal is to make money, and not creating [sic] problems for society.” One victim, Dalton, Georgia-based carpet manufacturer Dixie Group Inc., disclosed a ransomware attempt affecting “portions of its information technology systems” earlier this year.

With the Colonial Pipeline, DarkSide apparently realized too late that one of its partners had targeted an industry that served a huge number of consumers with gasoline and subsequently promised to “introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.” Now the world has its eyes on the hacking group. In a “flash notice” to the cybersecurity industry and government agencies this week, the FBI said it has been investigating DarkSide since October, just two months after it emerged.

Its investigators and global partners have had increasing success against malware operators in recent months, the most significant in January, in which the U.S. Justice Department said it had participated in a multinational operation to disrupt and take down infrastructure of the malware and botnet known as Emotet. Described by experts as the most dangerous malware in the world, Emotet offered criminals access to personal and company computers. As with DarkSide, many criminals paid Emotet’s operators to install ransomware. Authorities made arrests of alleged administrators, who face charges in Ukraine, though they’ve yet to go on trial.

Despite that case and the blueprint it laid down for future cyber investigations, the only authorities DarkSide appears to fear are Russian-speaking: Its malware won’t work if it detects its victim is Russian. This has led to accusations that the Kremlin either supports or harbors criminals that target Western businesses, something Putin’s government has staunchly denied.

Dmitri Alperovitch, cofounder of cybersecurity company CrowdStrike and now executive chairman at the Silverado Policy Accelerator nonprofit, says there’s no evidence DarkSide has obvious links to Russian intelligence, adding, “Given their long past history of willful harboring of cybercrime, I don’t think it matters.”


I’m associate editor for Forbes, covering security, surveillance and privacy. I’m also the editor of The Wiretap newsletter, which has exclusive stories on real-world surveillance and all the biggest cybersecurity stories of the week. It goes out every Monday.

I’ve been breaking news and writing features on these topics for major publications since 2010. As a freelancer, I worked for The Guardian, Vice, Wired and the BBC, amongst many others.


Source: The Colonial Pipeline Hackers Are One Of The Savviest Criminal Startups In A $370 Million Ransomware Game




Cyber Attackers Leaked Covid-19 Vaccine Data After EU Hack

The European Medicines Agency (EMA) has reported that some of the data on the Pfizer/BioNTech COVID-19 vaccine that was stolen during a cyber-attack in early December 2020 was released online illegally shortly after the attack. 

The leak was discovered during an investigation that was launched into the attack by the EMA and law enforcement. It is claimed that evidence of the stolen data was found on various hacking forums as early as 31 December. The EMA stated yesterday (13 January) that action is being taken by authorities.

The EMA is a decentralized agency responsible for evaluating, monitoring and supervising new medicines introduced to the EU. As such, it is accountable for approving any COVID-19 vaccines. On 9 December 2020, the EMA released a statement alerting that it had been subject to the cyber-attack. 

Pfizer and BioNTech then released a joint statement outlining the nature of the breach: “Today, we were informed by the European Medicines Agency (EMA) that the agency has been subject to a cyber-attack and that some documents relating to the regulatory submission for Pfizer and BioNTech’s COVID-19 vaccine candidate, BNT162b2, which had been stored on an EMA server, had been unlawfully accessed.”

At the time, it was concluded that only a small number of documents had been accessed, limited to a single IT application as the hackers targeted data relating specifically to the Pfizer/BioNTech COVID-19 vaccine. Nevertheless, according to sources on technology and cybersecurity website BleepingComputer, the threat actors accessed Word documents, PDFs, email screenshots, PowerPoint presentations and EMA peer review comments.

The EMA assured that, despite the breach, its regulatory network is fully operational and that the evaluation and approval of COVID-19 medicines have not been affected by the incident.


The breach of the EMA server is not the only cyber-attack related to COVID-19 vaccines. There has been increasing concern about the safe deployment of the vaccine as cybercriminals attack the vaccine “cold chain”, launching what has been called a “global phishing campaign” against organizations responsible for the transport and sub-zero storage of the vaccine, supposedly in an attempt to gain unauthorized access to private credentials and sensitive information regarding the vaccine’s distribution.

Experian also released a report at the end of 2020 warning of the potential security risks that accompany the technological diversification in healthcare affected by COVID-19. It highlighted the potential risks of overlooking cybersecurity and the increased possibility of misinformation, particularly regarding the COVID-19 vaccine, while Dr Saif Abed also outlined the challenges of cybersecurity during the global mass rollout of the vaccine in a blog for Healthcare IT News.


Responding to the announcement, chief security officer at Cybereason, Sam Curry, called security breaches surrounding the COVID-19 vaccine “diabolical”.

He continued: “Hackers today still see COVID-19 as a strategically valuable asset and it’s likely they will for the foreseeable future. Kudos to the pharma and research companies for working with law enforcement agencies to face these threats head on with advanced cyber tools and improved security hygiene. These companies face a new reality each and every day that motivated hackers will be successful every time they attempt to hack a company because they are well funded and are looking to reap both financial and political fame.

As the protection surface expands to mobile, the cloud and other potential attack vectors, those companies that can detect a breach quickly and understand as much as possible about the hacking operation itself will be able to stop the threat and minimize or eliminate the risk altogether.”

By Sophie Porter




Bloomberg Quicktake: Now

Hackers posted confidential documents regarding Covid-19 medicines and vaccines on the internet after a data breach late last year at the European Medicines Agency. Timelines related to evaluating and approving Covid medicines and vaccines haven’t been affected, the EMA said in a statement on Tuesday. The agency said it remains fully functional and that law enforcement authorities are taking action on the breach. Caught up in the hack were some documents submitted by Pfizer Inc. and BioNTech SE during regulatory review of their vaccine, approved last month.

The EMA said it would notify any additional entities and individuals whose documents and personal data may have been subject to unauthorized access. Pfizer shares fell 2.2% in New York, with BioNTech’s American depositary receipts down 5.1%.


Coronavirus Fighting Supercomputers Cryptojacked to Mine Privacy Coin Monero (XMR)


An array of supercomputers hosted at universities across Europe has been hijacked (or “cryptojacked”) in order to mine the privacy coin Monero (XMR).

Even worse, some of these computers had been dedicated to crunching numbers for research on COVID-19.

The intrusions occurred on supercomputer clusters in the UK, Germany, Switzerland, and probably Spain, according to a report by ZDNet.

Some of the compromised universities include Stuttgart, Ulm, Karlsruhe Institute of Technology, Tübingen University, the Bavarian Academy of Sciences, the Technical University of Dresden, the Ludwig-Maximilians University of Munich, and the Swiss Center of Scientific Computations.

The attackers likely gained access from compromised SSH login credentials given out to other universities in Canada, China and Poland, in order to access the supercomputing arrays. There is some evidence that the attacks were all carried out by the same group, although it is not conclusive.

A look at the recent hashrate on the Monero network shows a healthy pair of spikes in May to about 1.4 gigahashes/second, although this jump does not seem outside the realm of normalcy.

[Chart: Monero network hashrate, May. Caption: “Not much change” (source link not preserved)]

CryptoGlobe recently reported that the hashrate on the Monero network had been mostly static even as the network’s transaction rate was on the rise.


By Colin Muller




Hackers Threatening to Release ‘Dirty Laundry’ of Celebrities If Ransom Not Paid


Hackers have doubled their original ransom demand in exchange for the data belonging to U.S. entertainment law firm Grubman Shire Meiselas & Sacks, which represents many celebrities, such as Lady Gaga, Lizzo, and Madonna.

According to a report by Fox News, the hacking group REvil updated their ransom demand to $42 million in exchange for the stolen files containing personal information on high-profile celebrities such as Lady Gaga, U2 and President Donald Trump. The files belonged to attorney Allen Grubman.

The hackers claim to have stolen 756GB of data that includes the firm’s contracts, personal emails, and correspondence with clients.

The hackers also deleted or encrypted the firm’s backup files and are demanding a ransom for the decryption key.

Grubman has refused to negotiate with the hacking group. The report cites an anonymous source close to the matter saying,

“His view is, if he paid, the hackers might release the documents anyway. Plus the FBI has stated this hack is considered an act of international terrorism, and we don’t negotiate with terrorists.”

The hacking group released a statement on Thursday threatening to release the “dirty laundry” of President Donald Trump if the ransom was not paid.

Well, according to a report published in Mail Online on Sunday (May 17), the hackers have “released a trove of emails mentioning President Donald Trump, and claim that they will publish much more damaging material if they aren’t paid a ransom of $42 million.”

By Michael LaVere




“The US Secret Service and the FBI are continuing to probe hacking group REvil, who attacked the server of attorney Allen Grubman’s NYC firm and stole 756 gigabytes of confidential documents relating to his firm’s clients including Lady Gaga, Madonna, Mariah Carey, Priyanka Chopra and Bette Midler. On Thursday the hackers upped the ante by doubling their ransom demands and threatening to publish “a ton of dirty laundry” on President Donald Trump — who is not a client of the NYC law firm Grubman, Shire, Meiselas and Sacks — next week if the law firm did not pay in full. It remains unclear if the hackers’ claims to have dirt on Trump are true.”

Hackers Sell Data of 129 Million Russian Car Owners for Bitcoin


A database of 129 million Russian car drivers is being offered on the darknet for just 0.3 Bitcoin, or about $2,900.

The major cryptocurrency, Bitcoin (BTC), continues to be actively used for illicit activity. Anonymous hackers have taken the data of over 129 million Russian car owners to expose it on the darknet in exchange for cryptocurrency.

The leaked information includes the full names, addresses, passport numbers and other data belonging to millions of Russian car drivers, Russian news agency RBC reported May 15.

The stolen data is claimed to have been leaked from the registry of Russia’s traffic police, the General Administration for Traffic Safety of the Ministry of Internal Affairs of Russia. The authenticity of the data has reportedly been confirmed by an employee of a local car sharing company.

The leaked data is being sold for cryptocurrency, RBC said, citing an original report by local publication Vedomosti. The full version of the database costs 0.3 BTC, which amounts to about $2,900 as of press time. The hackers also offered some “exclusive” data for 1.5 BTC ($14,400), the report notes.

Cryptocurrencies are being increasingly used for illicit activity on darknet markets. According to Chainalysis — a New York-based blockchain analytics firm — the volume of darknet markets’ crypto flows doubled in 2019 for the first time in four years.

Cybercriminals often sell stolen data on the darknet for almost nothing or even give it away for free. In mid-April 2020, hackers were selling over 500,000 accounts of popular video conferencing platform Zoom for less than a penny each.

In March, cryptocurrency fund Trident Crypto Fund suffered a major security breach, resulting in the theft of 266,000 usernames and passwords.




Hello World’s host Ashlee Vance traveled to Moscow and got a rare glimpse into the heart of Russia’s hacker underworld and the latest techniques in investigating cybercrime.