Brian Krebs: DarkSide Ransomware Does Not Encrypt PCs With Russian Keyboard Layout

Megiddo, Staff member
The FBI said the DarkSide ransomware was responsible for the attack on Colonial Pipeline, a major supplier of gasoline and petroleum products in the United States. Security researcher Brian Krebs found that the hackers do not attack systems in the countries of the former Soviet bloc.

Flashpoint, a New York-based cyber intelligence company, said the DarkSide attack was not aimed at damaging national infrastructure, but involved extortion. Previously, hackers from the group have already taken similar actions against other companies with solid capital.

DarkSide itself confirmed that "they do not participate in geopolitics," but "make money." The group promised to take measures to ensure that such attacks, with serious consequences for society, do not recur in the future.

DarkSide started working on Russian-language hacker forums in August 2020. Hackers provide ransomware to attack companies in order to demand money to unblock and remove stolen information. Representatives of the group stated that they have a ban on attacks against health organizations, funeral services, education, the public sector and NGOs.

At the end of March, DarkSide introduced a “call service” that was integrated into the control panel and made it possible to organize calls to force victims to pay ransom. In mid-April, the group announced a new ability to launch distributed denial of service (DDoS) attacks against targets whenever additional negotiation pressure is required. DarkSide also advertised the ability to sell information about victims prior to posting the stolen information on a dedicated blog so that scammers could cash in on their promotions.

Brian Krebs, along with Intel 471, analyzed negotiations between the DarkSide team and a $15 billion US company that received a $30 million ransom demand in January 2021. At first, the victim company offered to pay only $2.25 million. The hackers haggled, but in the end agreed to reduce the ransom demand to $28.7 million, threatening to then raise the price tag immediately to $60 million. The company raised its offer to $4.75 million, and the hackers made a new concession: they reduced the ransom amount to $12 million. In response, the victim demanded guarantees that confidential information would not be disseminated and that such attacks would not be repeated. The hackers agreed to these terms.

According to Flashpoint, some of the hackers behind DarkSide were working with another ransomware, REvil, also known as Sodinokibi.

Krebs notes that DarkSide, like many other ransomware families, will not install on systems with Cyrillic keyboards and other scripts. At the same time, the description of DarkSide from Mandiant and FireEye says that the malware checked the system language before attacking.

This is also confirmed by the analysis from Cybereason Defense. When the ransomware runs on an infected host, it checks the language using the GetSystemDefaultUILanguage() and GetUserDefaultLangID() functions to avoid systems located in the former Soviet bloc countries.

In a comment on the analysis, a user pointed out that this information does not relate to the localization of systems.

Meanwhile, the FBI believes that DarkSide is based in Russia or one of the countries of Eastern Europe. US President Joe Biden said there was no evidence of this, but Russia could be held responsible for the attacks if cybercriminals operated from its territory. Moscow denies involvement in the hack.

Meanwhile, hackers from the DarkSide group organized an attack on the French division of the Japanese corporation Toshiba. They stole more than 740 gigabytes of information, including data about new business projects as well as personal data.
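As an added example (not DarkSide's code and not taken from the Cybereason, Mandiant/FireEye or Krebs write-ups), here is a reimplementation of the locale gate the post describes, so a reader can see exactly which Windows values it keys on. The LANGID constants are Microsoft's documented values; the particular set of excluded IDs is an illustrative subset chosen for this example, not the sample's exact list. The function names `is_excluded_langid` and `should_skip_host` are this example's own. On Windows it reads the real values with GetSystemDefaultUILanguage(), GetUserDefaultLangID() and, for contrast, GetKeyboardLayout(); elsewhere it runs over constructed sample hosts.

```c
/* Added example: re-creates the language gate described in the post.
 * Not DarkSide's code. The exclusion set below is an illustrative subset
 * (assumed for the example), not the malware's exact list. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* A Windows LANGID packs a 10-bit primary language ID in the low bits and a
 * 6-bit sublanguage ID above it (PRIMARYLANGID/SUBLANGID in winnt.h). */
#define PRIMARY_LANG(id) ((uint16_t)((id) & 0x3FF))
#define SUB_LANG(id)     ((uint16_t)((id) >> 10))

/* Illustrative exclusion set: full LANGIDs, not primary IDs, because some
 * exclusions are locale-specific (Moldova is listed, Romania is not). */
static const uint16_t EXCLUDED_LANGIDS[] = {
    0x0419, /* ru-RU Russian */
    0x0422, /* uk-UA Ukrainian */
    0x0423, /* be-BY Belarusian */
    0x043F, /* kk-KZ Kazakh */
    0x0440, /* ky-KG Kyrgyz */
    0x0442, /* tk-TM Turkmen */
    0x0443, /* uz-Latn-UZ Uzbek (Latin) */
    0x0843, /* uz-Cyrl-UZ Uzbek (Cyrillic) */
    0x0428, /* tg-Cyrl-TJ Tajik */
    0x042B, /* hy-AM Armenian */
    0x042C, /* az-Latn-AZ Azerbaijani (Latin) */
    0x082C, /* az-Cyrl-AZ Azerbaijani (Cyrillic) */
    0x0437, /* ka-GE Georgian */
    0x0818, /* ro-MD Romanian (Moldova); 0x0418 ro-RO is NOT on the list */
    0x0819, /* ru-MD Russian (Moldova) */
};

/* 1 if the LANGID is on the exclusion list. The match is on the full LANGID:
 * matching PRIMARY_LANG alone would also skip Romania (0x0418), which differs
 * from Moldova (0x0818) only in the sublanguage bits. */
int is_excluded_langid(uint16_t langid) {
    for (size_t i = 0; i < sizeof(EXCLUDED_LANGIDS) / sizeof(EXCLUDED_LANGIDS[0]); i++) {
        if (EXCLUDED_LANGIDS[i] == langid)
            return 1;
    }
    return 0;
}

/* The gate as the write-up describes it: the OS install's UI language and the
 * user's default locale are both consulted; either one on the list means the
 * payload does not run. Note that neither value is the keyboard layout. */
int should_skip_host(uint16_t system_ui_lang, uint16_t user_lang) {
    return is_excluded_langid(system_ui_lang) || is_excluded_langid(user_lang);
}

int main(void) {
#ifdef _WIN32
    uint16_t ui   = (uint16_t)GetSystemDefaultUILanguage();
    uint16_t user = (uint16_t)GetUserDefaultLangID();
    /* Shown only for contrast: the low word of the active HKL is a LANGID too,
     * but the two APIs above never look at it. */
    uint16_t kbd  = (uint16_t)(uintptr_t)GetKeyboardLayout(0);
    printf("system UI lang 0x%04X, user lang 0x%04X, keyboard layout lang 0x%04X\n",
           ui, user, kbd);
    printf("gate result: %s\n", should_skip_host(ui, user) ? "skip host" : "proceed");
#else
    /* Constructed sample hosts for a non-Windows build. */
    struct { const char *name; uint16_t ui, user; } hosts[] = {
        { "en-US UI, en-US user",          0x0409, 0x0409 },
        { "en-US UI, ru-RU user locale",   0x0409, 0x0419 },
        { "ro-RO UI and user (Romania)",   0x0418, 0x0418 },
        { "ro-MD UI and user (Moldova)",   0x0818, 0x0818 },
    };
    for (size_t i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++) {
        printf("%-32s primary 0x%03X sub %u -> %s\n", hosts[i].name,
               PRIMARY_LANG(hosts[i].user), SUB_LANG(hosts[i].user),
               should_skip_host(hosts[i].ui, hosts[i].user) ? "skip host" : "proceed");
    }
#endif
    return 0;
}
```

The point the example makes concrete is the one raised in the comment on the Cybereason analysis: the gate reads the OS UI language and the user locale, which are system localization settings, not the list of installed keyboard layouts, so the two are worth checking separately when reasoning about which hosts such a check would skip.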