Although the heads of cybersecurity agencies, in France and abroad, recommend that ransomware victims not give in to blackmail, that advice is not always easy to follow in practice.
The bitter experience of the American oil pipeline operator Colonial Pipeline is proof of this. The company said yesterday, Wednesday, that it had paid a ransom of $4.4 million to the hackers who had paralyzed its pipeline from May 7.
This forced the operator, whose network comprises more than 8,800 kilometers of pipelines transporting fuel, to suspend all of its operations, something that had never happened before. Last Saturday, Colonial Pipeline announced that its operations had returned to normal.
“I admit that I was not comfortable with seeing money evaporate and go to such people”
“I know it was a very controversial decision (…) I admit that I was not comfortable with seeing money evaporate and go to such people,” said the head of the company, Joseph Blount. “But it was the right thing to do for the country,” he told the WSJ.
Until then, Colonial Pipeline had not confirmed this information, which had already been reported in the press. The head of Colonial Pipeline, who has led the company since 2017, believes this was the most effective way to restart operations.
Colonial Pipeline transports nearly half of America’s petroleum products from the Gulf of Mexico to the east coast of the United States.
DarkSide is a ransomware-as-a-service (RaaS) company
According to the FBI, the DarkSide ransomware group is responsible for this attack: “The FBI confirms that the Darkside group is responsible for the compromise of the Colonial Pipeline networks. We continue to work with the company and our government partners on the investigation.”
DarkSide is a ransomware-as-a-service (RaaS) company: it provides ransomware to the affiliates in its network in exchange for a share of the profits extorted from victim organizations.
DarkSide affiliates use a double-extortion tactic: the victim organization first receives a ransom note offering a decryption key to unlock the systems infected with the ransomware in exchange for payment. If it refuses, the attackers then threaten to publish confidential data stolen during the attack on a “leak site”.
And the group’s tools are still widely used. Toshiba Tec Corp announced last Friday that it had been hit by a cyberattack that affected parts of Europe. This attack is also believed to be the work of the DarkSide group. The company’s French subsidiary appears to have been among those targeted.