DarkSide, We Hardly Knew Ya: Ransomware Gang Behind Pipeline Hack ‘Quits’ the Business


Photo: PHILIPPE HUGUEN/AFP (Getty Images)

Less than 24 hours after President Joe Biden announced that the U.S. would seek to disrupt the operations of those responsible for the Colonial Pipeline attack, the gang in question seems to be ducking for cover—and claims it will shut down its criminal operation, at least for now.


In posts made online Thursday, the ransomware gang DarkSide said that large parts of its IT infrastructure had been targeted by an “unknown law enforcement agency” and that some amount of its cryptocurrency had been seized, a new report from security firm Intel471 shows. Security researchers spotted the announcements on an underground forum, where the gang claimed that its “name-and-shame blog, ransom collection website, and breach data content delivery network (CDN) were all allegedly seized, while funds from their cryptocurrency wallets allegedly were exfiltrated.”

The gang further announced that it would be shutting down operations and issuing decryptors to all of its affiliates “for the targets they attacked.” An excerpt of the note, shared by Intel471, reads as follows:

A couple of hours ago, we lost access to the public part of our infrastructure, in particular to the

payment server

CDN servers

At the moment, these servers cannot be accessed via SSH, and the hosting panels have been blocked.

The hosting support service doesn’t provide any information except “at the request of law enforcement authorities.” In addition, a couple of hours after the seizure, funds from the payment server (belonging to us and our clients) were withdrawn to an unknown account.

After detailing its plans to shut down operations, the group then explicitly mentioned the U.S. as having added “pressure” to their situation:

In view of the above and due to the pressure from the US, the affiliate program is closed. Stay safe and good luck. The landing page, servers, and other resources will be taken down within 48 hours.

If this is all true, it’s a swift turnaround for DarkSide—which rocketed to notoriety last week when it successfully crippled the network of Colonial Pipeline, thus managing to extort America’s largest oil and gas conduit for a reported $5 million. Until now, the gang has run a prolific ransomware-as-a-service business, wherein it loaned out its malware to criminal “affiliates,” who then conducted cyberattacks on its behalf. In the RaaS model, affiliates receive a cut of every successful ransom secured.

According to the Intel471 report, the incident appears to have set off a shudder throughout the ransomware community, with other cybercrime forums and groups alleging similar “takedowns” and announcing new restrictions on operations. However, whether this is actually the result of some sort of law enforcement crackdown is unclear.


By the same token, not everyone agrees that DarkSide is actually telling the truth about its plans.

Kimberly Goody, senior manager of Financial Crime Analysis at FireEye’s Mandiant, said in a statement shared with Gizmodo that her company has not yet been able to verify the claims. Instead, she said, there is some online speculation that it could be a scam:

Mandiant has observed multiple actors cite a May 13 announcement that appeared to be shared with DARKSIDE RaaS affiliates by the operators of the service. This announcement stated that they lost access to their infrastructure, including their blog, payment, and CDN servers and would be closing their service…We have not independently validated these claims and there is some speculation by other actors that this could be an exit scam.


At any rate, if the gang is indeed retreating into the digital underworld, it’s likely that it will eventually regroup and resume operations at some point in the future, experts say. “A number of the operators will most likely operate in their own [close-knit] groups, resurfacing under new names and updated ransomware variants,” Intel471 says.

Ireland Shuts Down Hospital Computer Systems Nationwide After Ransomware Attack

File photo of the CEO of Ireland’s Health Service Executive (HSE) Paul Reid (center) and Chief of Staff of Ireland’s Defense Forces, Vice Admiral Mark Mellett (left) with Irish Army cadets on March 13, 2020.

Photo: Paul Faith/AFP (Getty Images)

Ireland’s public health care system, known as the Health Service Executive or HSE, shut down all of its computer systems nationwide Friday after hospital administrators became aware of a cyberattack late Thursday.


The attack is being characterized as a ransomware hack, but it’s not yet clear if the hackers succeeded at acquiring enough data to hold hostage. Ransomware hackers will steal data that hasn’t been backed up sufficiently and refuse to return it until a certain amount of money has been paid, like in the Colonial Pipeline hack in the U.S. where nearly $5 million was paid just yesterday.

“There is a significant ransomware attack on the HSE IT systems,” the HSE said in a statement posted to Twitter early Friday. “We have taken the precaution of shutting down all our IT systems in order to protect them from this attack and to allow us to fully assess the situation with our own security partners.”

All medical equipment at Ireland’s hospitals is reportedly still operational, according to the Irish Times, but registration and record-keeping have reverted to pen and paper. The nation’s ambulance service is also operating normally, according to the HSE, and covid-19 vaccinations are still taking place.

Ransomware hackers will also sometimes threaten to release sensitive information publicly, such as medical records, as another angle to make money. It’s not clear whether any patient records have been compromised.

Paul Reid, the CEO of HSE, told Irish radio that the attack was “significant” and they were working with the military as well as third-party experts on cybersecurity, according to the Irish Times.

“There has been no ransom demand at this stage. The key thing is to contain the issue,” said Reid.


Reid also said the perpetrators were an “internationally operated criminal operation,” though he didn’t go into specifics about who might be behind this attack on the Irish health system.

Fergal Malone, an administrator at the Rotunda Maternity Hospital in Dublin, told RTE Radio Ireland that his hospital was shutting down for everything deemed non-urgent and explained that doctors were currently unable to access the electronic records of patients. The radio host asked Malone when he expected the hospital would continue normal operations and he said they were simply taking it a day at a time.


“All appointments have been cancelled for today Friday 14th May. The only exceptions are for patients who are 36 weeks or over pregnant,” the Rotunda Hospital said in a statement to Ireland’s RSVP Live.

“Otherwise you are asked NOT to attend at the Rotunda unless it is an emergency. The Rotunda will issue updated information as soon as possible.”


Ireland’s HSE did not immediately respond to an inquiry emailed early Friday but Gizmodo will update this post if we hear back.

Colonial Pipeline Reportedly Paid Hackers $5 Million for Decryption Key That Wasn’t Very Useful


Photo: JIM WATSON / AFP (Getty Images)

About a week ago, Colonial Pipeline apparently paid the ransomware group DarkSide approximately $5 million in exchange for a data decryption key that didn’t really decrypt that much data.


An investigation from Bloomberg found that, despite earlier reports suggesting the company had no intention of paying the cybercriminals, Colonial actually did just that “within hours of the attack,” using an untraceable cryptocurrency. In exchange for that fat stack of cash, Colonial received a decryption tool that was so slow that the company had to partially rely on its own back-ups to continue restoring service, the news outlet reports. New York Times reporter Nicole Perlroth later stated that the ransom was paid using 75 Bitcoin. Gizmodo sent multiple emails to Colonial representatives for comment and will update this story when we hear back.

The network-crippling attack on the energy giant brought the operation of its 5,500-mile oil pipeline system to an abrupt halt last week, swiftly spurring an energy crisis throughout many of the Southeastern cities to which it delivers oil. The incident led to shortages in multiple states and subsequently spurred a gas-buying binge, as panicked Americans flocked to stores and gas stations to purchase car fuel. The epidemic of End Time-type behavior even led the U.S. Consumer Product Safety Commission to helpfully remind consumers to “not fill plastic bags with gasoline,” always a helpful tip.

However, just as it looked like society might collapse, the pipeline came back online Wednesday night and began to churn oil back into America’s veins once more. In a statement published Thursday, the energy company said that it had regained almost full operational capacity—though getting back to a regular fuel flow is expected to take some time.

“Colonial Pipeline has made substantial progress in safely restarting our pipeline system and can report that product delivery has commenced in a majority of the markets we service. By mid-day today, we project that each market we service will be receiving product from our system,” the company said, while also providing a map of the areas that it said were currently operational, as of 9 a.m. EST. As of noon EST, the entire system was expected to have been fully operational.


Screenshot: Lucas Ropek/Colonial Pipeline

President Joe Biden also addressed the nation on Thursday, hoping to quell fears about surging gas prices and to update Americans about how the government was handling the incident. The President reiterated during his remarks that the White House did not believe that the Russian government had been involved in the ransomware attack but that it would be communicating with the Kremlin to more effectively target the criminals responsible.


“We do not believe that the Russian government was involved in this attack—but we do have strong reason to believe that the criminals who did the attack are living in Russia,” said the President. “We have been in direct communications with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks. We’re also going to pursue a measure to disrupt their ability to operate.”

Biden also referenced an executive order he passed Wednesday night, designed to bolster America’s defenses against cybercriminal networks. The order requires the creation of a Cyber Safety Review Board, a Department of Homeland Security team that will be in charge of investigating major cyber incidents. It also introduces measures to increase information sharing between private industry and the U.S. government on cyberattacks. And it creates a mandate for federal agencies to introduce multi-factor authentication and data encryption within a period of six months.


Biden did not comment at all on any financial exchange that may have occurred between Colonial and the hackers. Several high-level federal officials also refused to talk about it: “I have no knowledge of whether a ransom was paid, how much was paid, if it was paid, when it was paid,” said Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, which has been working with the embattled gas company since the attack last week.

One of the oft-made arguments for not paying ransomware gangs is that there is no guarantee that hackers will actually make good on their word to assist with decryption once money has been paid. While the ransomware business model largely hinges on criminals sticking to their promise, in many cases, decryption can be a slow, hugely imperfect process—as the Colonial episode may well demonstrate. At the same time, payment also legitimates the business model, encouraging criminals to continue seeking out new victims.


Gas Is Back: Colonial Opens Up the Corpse Juice Hoses Just as Much of East Coast Runs Out

A gas station in Atlanta, Georgia, that was out of gas on Tuesday.

Photo: Ben Margot (AP)

Large swathes of the East Coast are running out of the precious refined corpse juice used to fuel most of the nation’s vehicles, five days after ransomware knocked out most of the 5,500-mile Colonial Pipeline system—the biggest gasoline pipeline in the country, connecting Gulf Coast refineries to cities as far north as New York. Due to a combination of panic buying, hoarding, and regular gas guzzling, some regions have now almost completely run out. (The pipeline is coming back, see update below.)


There’s no shortage of fossil fuels; they just can’t reach their destination thanks to malware that encrypted Colonial computer systems and forced them to shut down the pipeline as a “precautionary measure.” The Colonial Pipeline system ships 2.5 million barrels of gasoline, diesel, and jet fuel a day, which Bloomberg reports is equivalent to the capacity of the entire nation of Germany. According to CNN Business, nearly two-thirds (65%) of gas stations in North Carolina were without gas as of 12:37 p.m. ET, with similar outages at 42% of stations in Georgia, Virginia, and South Carolina. Tennessee (14%), Florida (10%), Maryland (9%), and West Virginia (4%) were also running low. Some cities were even worse off: 71% of stations in metro Charlotte, 60% in Atlanta, 72% in Raleigh, and 73% in Pensacola have run dry.

The total number of stations shut down runs over ten thousand, and gas prices broke $3 a gallon, according to AAA data. Making the situation worse, the pipeline outage coincides with a shortage of fuel truck drivers. The feds have considered waiving the Jones Act, a maritime law that requires U.S.-built and manned ships to transport goods between U.S. ports, in the hope that enlisting foreign vessels could ease the logistical difficulties currently preventing gas from reaching consumers.

Bloomberg reported on Wednesday that a solution to the issue is still days away, with three distribution hubs in Pennsylvania out of gas and long lines of tanker trucks waiting to fill up in New Jersey. The network reported that Colonial will announce on Wednesday whether it will be able to begin the process of restarting the pipeline network.

“Colonial has announced that they’re working toward full restoration by the end of this week, but we are not taking any chances,” Pete Buttigieg, the Secretary of Transportation, told reporters at a press briefing on Wednesday. “Our top priority now is getting fuel to communities that need it, and we will continue doing everything that we can to meet that goal in the coming days.”

Even then, Bloomberg reported, it will take quite a bit of time for normal service to be fully restored:

Colonial has only managed to restart a small segment of the pipeline as a stopgap measure. Even when the pipeline is restored to full service, it will take about two weeks for gasoline stored in Houston to reach East Coast filling stations, according to the most recent schedule sent to shippers. For diesel and jet fuel, the transit time is even longer — about 19 days — because they are heavier and move more slowly.


The FBI believes that the hackers behind the ransomware attack belong to a gang of cybercriminals called DarkSide that has been active since August 2020 and generally does not attack targets in the former Soviet bloc, according to the Associated Press. (Cybersecurity expert Brian Krebs recommends installing a Cyrillic keyboard on your PC to avoid contamination.) Ransomware functions by infiltrating a computer network, duplicating itself to connected machines, and then locking out users from access by encrypting file systems, typically prompting them with a ransom demand in cryptocurrency. Unless there’s a known flaw in the encryption technique or cybersecurity researchers have discovered the specific encryption key used in an attack, it is practically impossible to decrypt a computer network once ransomware has triggered. Hackers have used variants of the malware to attack everything in the U.S. from hospitals and school networks to entire municipal governments in recent years, causing billions in damages.

DarkSide has tried to cultivate a reputation for only using ransomware to attack the rich, not institutions like hospitals, and has given out some of its proceeds in charitable donations. The group has also publicly announced on its website that the Colonial chaos was not intentional or motivated by political reasons. However, as Wired explains, the gang’s business model appears to be ransomware as a service, loaning out its malware and cyber infrastructure to other attackers and pocketing a slice of any profit, and it has tried to shift the blame for the Colonial incident to one of the criminal partners it works with. (Ransomware can also be indiscriminate, spreading to systems never explicitly anticipated by whoever is controlling it.) As of this time, the feds have indicated they do not believe the attack was conducted by or on behalf of a rival nation-state.


According to CBS, it remains unclear whether a ransom has been demanded or whether Colonial intends to pay. The FBI officially encourages ransomware victims not to pay such ransoms but has acknowledged they may feel they have no other choice. The Washington Post reported Colonial has enlisted cybersecurity firm Mandiant (a division of FireEye) to help it rebuild its system from backups, and that DarkSide’s access to the targeted systems has been cut off, meaning there may no longer be any incentive to pay up.

It’s easy to see why DarkSide has tried to distance themselves from the attack—disruption on this scale is drawing a massive federal response and U.S. authorities will be determined to track whoever did this down.


On Wednesday, President Biden told reporters that we should expect to “hear some good news in next 24 hours,” adding that he believes “we’ll be getting that under control.”

“I am not surprised that this happened. It was realistically only a matter of time before there was a major critical infrastructure ransomware incident,” Brett Callow, a threat analyst at security firm Emsisoft, told Wired. “DarkSide appears to have realized that this level of attention is not a good thing and could bring governments to action. They may stay with smaller attacks now in the hope that they’ll be able to continue making money for longer.”


Update 5:19 PM: Secretary of Energy Jennifer Granholm confirmed moments ago that the CEO of Colonial Pipeline has informed her that pipeline operations would resume around 5 PM this afternoon. The juice will still take some time to make its way around the country.

Update 6:20 PM: This article has been updated to clarify that the ransomware attack did not directly affect the pipeline control system, and Colonial took it offline as a precautionary measure.


Wanted: Colonial Pipeline Cybersecurity Manager (No, Really)


Photo: JIM WATSON / AFP (Getty Images)

Sometime before the disastrous ransomware attack on its network and the East Coast gas shortage that followed, Colonial Pipeline was apparently looking for someone to help run its cybersecurity team.


The energy company, which manages America’s largest oil pipeline, is currently working feverishly to restore full service after being targeted by the ransomware gang DarkSide. The cyberattack, which the company says it learned about on May 7, has prompted a federal response, emergency declarations in multiple states, and spurred a panicked gas-buying melee across the Southeast.

On Wednesday, people online noticed a job listing that had recently been reposted to the job site Day Book. Colonial Pipeline was apparently looking for a “Cyber Security Manager,” as the post puts it. It’s not exactly clear when the initial job posting was created, though it would appear to have been at some point during the last few months. Colonial’s website says the listing was created “+30 days ago,” and job sites like Day Book will continually scrape sites and repost listings with new dates.

According to Colonial’s job description, the security manager would’ve been responsible for maintaining “an incident response plan and processes to address potential threats.” The company was also looking for someone who could manage “a team of cyber security certified subject matter experts and specialists including but not limited to network security engineers, SCADA & field controls network engineers and a cyber security architect.” All good stuff! The listing is still available on Colonial’s website.


Screenshot: Lucas Ropek/Colonial Pipeline

Reached for comment, the company said in an email that they did not create the position in response to the DarkSide ransomware attack.

“The cybersecurity position was not created as a result of the recent ransomware attack. We have several positions open as part of our longer-term growth strategy around talent, as we are constantly recruiting top-tier talent across all functional areas of our business,” a Colonial spokesperson said in a statement. “The position to support cybersecurity would be an example of that. This is a role that we have been looking to add in an effort to continue building our current cyber security team.”


It’s somewhat unclear whether the position was ever filled (if it wasn’t, that might explain a lot). However, the future-tense in this statement (“would be an example of that,” “looking to add”) certainly seems to suggest that the position was never actually filled.

The Colonial attack comes at a time when lawmakers are looking to improve overall cybersecurity for critical infrastructure. The Biden administration and Congress have both proposed varying solutions to make the country’s resources more secure. There’s no doubt that the sight of America’s largest oil pipeline being paralyzed by online extortionists will have some effect on those decisions. In the meantime, if you’re a security professional who wants “a great place to work, where people matter most, and where safety 24/7 is paramount,” you can apply right here.


A Hacker Gang Has Been Trying to Extort D.C. Police for $4 Million


Photo: Brendan Smialowski/AFP (Getty Images)

A ransomware gang, Babuk Locker, has been attempting to extort the Metropolitan Police Department in Washington D.C. for $4 million, but negotiations between the cops and the criminals recently collapsed, leaked documents appear to show.


Several weeks ago, the cybercriminal group announced that it had stolen the MPD’s data—some 250GB that included thousands of pages of sensitive internal documents, including disciplinary files on officers, and intelligence on local gang activity and informant programs. The police department later confirmed that it had been hacked.

Since then, Babuk has been attempting to extort the agency, threatening to leak sensitive internal documents if cops did not pay them. About two weeks ago, the gang leaked a limited amount of data to the web, publishing personnel files on a select number of current or former MPD officers.

On Tuesday, an apparent communication breakdown between both groups resulted in a much larger tranche of the MPD’s data being leaked to the web, a 22.7GB file.

In a statement posted to their leak site, the criminals said:

“The negotiations reached a dead end, the amount we were offered does not suit us, we are posting 20 more personal files on officers, you can download this archive, the password will be released tomorrow. if during tomorrow they do not raise the price, we will release all the data.”

The criminals also posted screenshots of what appear to be conversations between themselves and police, giving an apparent window into how ransom negotiations went. The screenshots show that the hackers asked for $4 million in exchange for the data, but police claimed they were only willing to pay $100,000.

At one point, Babuk delivered a sober, dead-eyed address to the police department, claiming to only have monetary interests—not political ones. On April 28, the gang said:

BABUK: We want to inform you that we are not interested in the international politics and other issues between governments, conflicts, e.t.c. Our offer for you is to pay us for deletion of the information that we have collected plus we issue a warning statement on the website for other individuals not to intrude to the US government institutions. How does it sound to you?


After days of back and forth between the criminal group and the cops, the police negotiator seemed to signal a willingness to pay for the data, though not the allotted $4 million. A message dated May 10 goes as follows:

PD: Our proposal is an offer to pay $100,000 to prevent the release of the stolen data. If this offer is not acceptable, then it seems our conversation is complete. I think we both understand the consequences of not reaching an agreement. We are okay with that outcome.

BABUK: This is unacceptable on our side. Follow our web-site at midnight.

Not long after that, data from the police department began leaking out onto the group’s website. A spokesperson for the police department did not immediately return a request for comment from Gizmodo. We will update this story if we hear back.


Hackers Threatening East Coast’s Fuel Supply Claim They’re Not Trying to Cause Anybody Trouble


Photo: Michael M. Santiago (Getty Images)

Over the weekend, a cyberattack by the Russia-based ransomware gang DarkSide managed to hamstring America’s largest oil pipeline, Colonial, threatening to choke off significant energy flows to the East Coast.


Per Bloomberg News, the gang pilfered approximately 100GB of data from the company’s IT network in just two hours on Thursday. The attack was part of what is known as a “double extortion scheme,” a tactic used by criminal groups in which they steal and then threaten to leak significant amounts of data from a high-value target in an effort to extort money from the victim. A coalition of private companies, along with major government agencies like the FBI, the NSA, and CISA, apparently worked together to stop further data theft from occurring.

The Biden administration acknowledged the attack Monday, with the President calling the incident a “criminal act, obviously.” Biden also said that he planned to meet with Russian President Vladimir Putin about the attack and that he would encourage him to take “some responsibility to deal with this.”

Like all unscrupulous businessmen, the members of DarkSide have sought to impress upon their victims that the attack was just business, and nothing personal. On Monday, a statement published to the gang’s website emphasized that their “goal is to make money” and that they are not interested in “creating problems for society.” The group stated:

We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined goverment [sic] and look for other our motives. Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.

The gang originally emerged last summer, with the first known sighting of it in August, said Ekhram Ahmad of security firm Check Point Research. DarkSide operates via a Ransomware-as-a-Service model, by which it sells its malware to affiliate groups, who then use it in attacks. The malware has been used in previous attacks against other energy companies. “What we do know is that to take down extensive operations like the Colonial pipeline reveals a sophisticated and well-designed cyber attack,” said Lotem Finkelsteen, head of threat intelligence with Check Point.

You’d think it would be hard to stand out in a year that has seen a veritable blitz of cyberattacks, each one seemingly more disastrous than the next (see: SolarWinds, Microsoft Exchange, the PulseVPN attacks, and more). Yet this is exactly what DarkSide has managed to do—both via its Batman villain-like ability to spur a coastal energy crisis, and its sheepish apology for, like, causing trouble or whatever.


As disastrous as the incident may be for Colonial, it is likely a boon to the current, ongoing efforts to elevate U.S. cyber policy. The political impact of the attack will likely only be to further strengthen the argument that America needs to take a more aggressive, proactive and organized approach when it comes to tracking and combatting cybercriminal groups—something that those in the cyber community have been lobbying for for some time.

On top of this, the fact that a coalition of private sector companies led the charge to assist in containing the fallout from the incident only reinforces the argument, oft made by security professionals, that the solution to these attacks will be forged in a holistic alliance between the public and private sector.


Leaked Apple Documents Inadvertently Helped the Right-to-Repair Movement


Photo: GIUSEPPE CACACE / AFP (Getty Images)

Cyberattacks are rarely useful to anybody except cyber-attackers, but a recent ransomware incident has had some unexpected upsides for those in the right-to-repair community, new coverage from Motherboard suggests.


In April, the ransomware gang REvil announced that it had stolen blueprints for some of Apple’s newest products. The documents were allegedly obtained via a cyberattack on Quanta Computer, a Taiwanese company that manufactures parts for Apple. When the hackers’ extortion demands were not met, they leaked a limited amount of the product diagrams to the web.

If you’re struggling to see a silver lining here, consider the ongoing fight between tech giants like Apple and the loose-knit community of activists and business owners who have been struggling to obtain just this kind of data.

Right-to-repair is a grassroots movement that seeks to make it easy for consumers and small businesses to repair products that big companies make difficult or impossible to repair themselves. The goal is to give consumers more autonomy over their possessions while also cutting down on the blight of “planned obsolescence,” the practice in which manufacturers create products that are meant to be phased out, thus creating needless waste.

Large corporations like Apple have pushed back against these proposals, arguing that sharing hardware manuals or diagrams like the kind that were leaked by REvil would expose “trade secrets.” This means that there is no easy roadmap for those who might want to learn how to mend their own product, should it break. Enthusiasts can reverse engineer a product once they have it, but a simple diagram would sure make this process a whole lot easier.

Louis Rossmann, owner of the Rossmann Repair Group, recently told Motherboard that the REvil cyberattack was actually a big win for people in his business. Rossmann’s company offers repairs and data retrieval for damaged or broken Apple products, such as MacBooks and iPads. Rossmann said that the blueprints would help him deliver better results to his customers:

“Our business relies on stuff like this leaking. This is going to help me recover someone’s data. Someone is going to get their data back today because of this…You can’t go to Apple and say ‘I will give you $800,000 to give me this data,’” Rossmann told Vice.


Speaking with Motherboard, Rossmann clarified that he wasn’t happy about the cyberattack on Quanta, per se, but noted that there are few other ways for him to obtain the information that had been leaked:

“I’m not saying I’m in favor of people hacking into computers to get this information,” Rossmann said. “I would prefer to get this by going to Apple and giving them $1,000 every year to get this information.”


Another right-to-repair proponent, Justin Ashford, owner of the Art of Repair YouTube channel, told Motherboard:

“I’m still waiting for someone to tell me legitimately what having a wiring diagram ahead of time does to hurt them, especially since they used to give it away,” Ashford said. “I’m going to use it and I’m going to help people with it.”


While there haven’t been any major legal shifts as a result of this whole conversation yet, it increasingly looks like there might be. Bloomberg reports that at least 20 states are now considering legislation that would bolster customers’ ability to fix their things themselves.

Colonial Pipeline, the Largest Fuel Pipeline in the U.S., Has Shut Down Over a Ransomware Attack


Photo: John Randeris Hansen / Ritzau Scanpix / AFP (Getty Images)

If you live on the East Coast and see fuel prices go up soon, there’s a good chance it’s because of the cyberattack that forced the Colonial pipeline, the country’s largest refined products pipeline, to shut down. There is currently no indication of when it will start back up again.


Operators of the Colonial pipeline—a 5,500-mile system that takes fuel from refineries in Houston, Texas to the New York harbor—have shut down the entire system because of the cyberattack, which officials revealed to be ransomware on Saturday. Ransomware is a type of malware that encrypts a victim’s files; the hackers behind it then demand a ransom payment in exchange for restoring access, and many gangs now also steal data beforehand and threaten to publish it if the victim refuses to pay.

According to NBC News, the pipeline, which is owned by a company of the same name, transports 2.5 million barrels of gas, diesel, jet fuel, and other refined products per day.

Colonial Pipeline (the company), which is controlled by companies including Koch Industries and Royal Dutch Shell, says it is responsible for transporting 45% of the East Coast’s fuel supply, the outlet stated. In a statement on its website on Saturday, the company said that it had engaged a leading third-party cybersecurity firm to investigate the incident. The Wall Street Journal reported that the cybersecurity company FireEye is investigating the attack.

Colonial Pipeline said that after it determined that the cyberattack involved ransomware, it “proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems.”

The company has contacted law enforcement and other federal agencies, it said in the statement.

In the Journal report, two people familiar with the investigation said that the attack appeared to be limited to Colonial Pipeline’s information technology systems, and did not seem to have reached the operational control systems that run the pipeline itself. In other words, the halt in operations was a precautionary containment decision rather than a sign the control systems had been encrypted. The sources added that the investigation was still in its early stages.


This isn’t the first time the Colonial pipeline has made headlines in recent months. Earlier this year, the company revealed that a spill in North Carolina last August had leaked 1.2 million gallons of gasoline, the biggest spill since 1997. Initially, the company stated that only 63,000 gallons had been leaked, but that figure was later revised sharply upward.

It is unclear when the pipeline will resume operations. Colonial Pipeline stated it was taking steps to understand and resolve the issue.


“At this time, our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation,” Colonial Pipeline said. “This process is already underway, and we are working diligently to address this matter and to minimize disruption to our customers and those who rely on Colonial Pipeline.”

The federal government has recently been sounding the alarm about the threat posed by ransomware attacks. On Wednesday, Department of Homeland Security Secretary Alejandro Mayorkas stated that these attacks were on the rise and that targets ranged from government agencies to small businesses. The threat is real, Mayorkas said, and there is a risk to all of us.


Additionally, last month a Justice Department memo obtained by CNN stated that the department had created a new task force dedicated to confronting and responding to ransomware threats.

As far as price increases go, Reuters points out that prices aren’t expected to rise unless the closure lasts more than three days. States in the southeastern part of the country would likely see price jumps first. In 2016, for instance, a Colonial system leak forced the line to shut down for more than 10 days, driving prices up by more than 30 cents a gallon.


Update 5/8/2021, 11:18 p.m. ET: This post has been updated with additional information provided by Colonial Pipeline.

Hackers Leak Data on D.C. Cops as Part of Extortion Scheme


Photo: Alex Wong (Getty Images)

In an attempt to extort some unknown amount of money out of the D.C. Metropolitan Police Department, hackers with the Babuk ransomware gang have leaked large amounts of data on five of the department’s officers.


The data, which was published on the gang’s dark web site early Wednesday morning, is quite extensive, and includes individual dossiers on each officer that have been marked “confidential” and are “around 100 pages long,” NBC News reports. Those dossiers include a “vast array of personal information,” including “arrest history, housing and financial records, polygraph results and extensive details about their training and work background,” the outlet writes. Some officers detailed in the files are currently employed with the department, while others are former employees.

The files are part of a larger cache of roughly 250GB that was stolen from the police department’s servers sometime during the past few weeks. That large stockpile goes far beyond the data published Wednesday—and potentially includes intelligence on D.C.’s local gang activity, the agency’s response to the violent Jan. 6 Capitol riot, and much more. The hackers have threatened to publish the rest if their demands are not met.

Babuk, which is a relatively new cybercriminal gang, has played an increasingly aggressive game with the police department over the last several days—posting taunting messages on its website and threatening to “out” information on police informants if the ransom is not paid, among other things. On Tuesday, the group stated, “We advise the police station to get in touch as soon as possible, you do not need this leak, because of it people may suffer.”

The gang had previously advertised screenshots of the stolen data, “previewing” them on its website, but Wednesday was the first actual release of such data. As of Monday, Babuk had given the law enforcement agency a period of approximately three days to respond to their demands.

Shortly after Wednesday’s leak, the page referring to the MPD disappeared from Babuk’s website. In a cyber extortion plot, a page takedown typically indicates that the victimized party has agreed to negotiate with the ransomware gang, or has paid, though gangs also pull listings for other reasons. It’s unclear which, if any, is the case here. We have reached out to the MPD for comment.

Ransomware gangs will typically use any leverage available to them to increase the likelihood of a payout. To strike a prominent police department during the current moment—only a week or so after the Derek Chauvin verdict and amidst ongoing police-involved shooting scandals—shows that logic at work. Every police department in the country is in a vulnerable position right now, and cybercriminals are taking advantage.