Many of the world’s largest cybercrime gangs are still actively hacking and extorting victims, undeterred by the international spotlight after one of their peers hacked a U.S. fuel pipeline.
A Russian-affiliated hacker gang, DarkSide, disappeared last week after it hacked Colonial Pipeline, which provides fuel for much of the U.S. East Coast. That prompted the company to shut down operations for five days, leading to gas shortages in the U.S. and condemnation from President Joe Biden. Seemingly spooked, DarkSide, which had collected around $5 million in ransom from the company, claimed that it was “apolitical” on its main website, which soon was deleted.
But DarkSide is only one player in a thriving scene of cybercrime groups. More notorious gangs are still active after the Colonial attack, according to evidence of their exploits, which many such groups post to blogs that they maintain on the dark web.
The groups continue to post information from victims they have hacked and are actively extorting U.S. organizations. Like DarkSide, such gangs make money by infecting organizations with ransomware, meaning they hack them to encrypt and steal files. They demand money to make their files usable, threatening to publish private files if they’re not promptly paid.
An effective ransomware attack can net the hackers millions of dollars. Although some gangs, like DarkSide, code their hacking programs not to attack Russian victims, many ransomware groups have few qualms about whom they hit, as long as they can potentially turn a profit.
A gang with a track record of hacking hospitals during the coronavirus pandemic has in recent months devastated a hospital that serves the Navajo Nation and published sensitive patient files from other U.S. hospitals that didn’t promptly pay up. Last week, it also hacked Ireland’s national health care system, the Health Service Executive, or HSE, a spokesperson confirmed by text message. The service’s email server is still offline because of the attack.
The attack, which the HSE announced Friday, has led to a number of appointment cancellations across six Irish hospitals. Ireland’s minister for public procurement and e-government, Ossian Smyth, said it was “possibly the most significant cybercrime attack on the Irish state.”
The gang has been active with extortion attempts on its website. Since May 13, it has published files from Bee County, Texas, a Utah farming equipment manufacturer, an Australian butcher chain and an Indian travel technology company, all as punishment for not paying.
Another prolific group is most recently known for hacking a Taiwanese company that manufactures Apple computers and leaking previously private specs. Since Saturday, it has posted proof of at least four new victims to a dark web blog it maintains: a California sensor manufacturer, a Texas home construction company, a Florida law firm and an international customer experience consulting company.
A third gang last week published a vast trove of documents stolen from Washington, D.C.’s Metropolitan Police Department after police were reported to have offered only $100,000 to keep them private. It leaked files from two more victims Friday: a New Jersey LED light manufacturer and the U.S. arm of a Swiss automation company.
Websites for two smaller ransomware gangs went down over the weekend, prompting some speculation that DarkSide’s disappearance marked the beginning of cybercriminals’ facing consequences for their sprees.
But the reality is probably more bland, said Allan Liska, a ransomware analyst at the cybersecurity firm Recorded Future.
“The most likely scenario is that DarkSide, rightfully, feared they had attracted too much attention, so they decided to shut down operations and drain their accounts,” Liska said. The other groups “were second-tier players — they won’t be missed.”