Update: UK Insurer Recovering From Ransomware Attack
Ransom Note Purportedly From DarkSide Gang Not Verified
The U.K.-based insurance firm One Call told Information Security Media Group May 28 that it has successfully restored its systems onto a new environment that is separate from the one that was impacted by a ransomware attack May 13, adding that a ransomware note which purported to be from DarkSide could not be verified as authentic.
In response to ISMG's requests to clarify reports by the Doncaster Free Press that the ransomware gang has demanded a ransom of 15 million pounds ($21 million), threatening otherwise to release all of the company's confidential information that it had stolen, a spokesperson told ISMG: "We have not made contact with the threat actor and have no knowledge of the 15 million pounds ($21 million) ransom demand."
The spokesperson adds: "Upon discovery, our IT team took immediate steps to mitigate the impact by shutting off our servers. Thanks to our robust back-up systems, we have been able to restore all normal services to our existing policy holders and we are now operational as normal. We have set up online monitoring as a matter of precaution. No data has been identified by this monitoring (as having been stolen)."
DarkSide malware was used in the attack against Colonial Pipeline Co. in the U.S., which led to the temporary shutdown of the company's pipeline serving much of the U.S. East Coast (see: DarkSide Ransomware Gang Says It Has Shut Down). Colonial's CEO, Joseph Blount, acknowledged that the firm paid a $4.4 million ransom to receive what turned out to be a faulty decryptor.
The newspaper reported that a One Call staff member, who asked not to be identified, claimed that customers' personal information was seized by the attackers, who sent a message to staff computers announcing: "Welcome to the DarkSide" and demanding the cash in return for restoration of the firm's database.
The security firm HackNotice said Sunday that at least one DarkSide server is still online.
Xueyin Peh, senior cyberthreat intelligence analyst at the security firm Digital Shadows, says that since One Call's May 13 intrusion came just five days after the attack on Colonial Pipeline, it's possible that the attack on One Call occurred at roughly the same time as the pipeline attack but was not immediately discovered.
Brett Callow, threat analyst at Emsisoft, adds: "Based on the timing, it seems likely that this may have been one of DarkSide's last attacks before going dark. However, whether the group remains dark or rebrands remains to be seen."
One Call's Action
An update on One Call's website Tuesday said: "Our customer portal is now available for customers wishing to access their documents, make a payment or amend their policy."
The statement also noted: "As we have been restoring our systems, we opted to prioritize supporting our existing customers and therefore, at this time we are not accepting new instructions or onboarding new customers. The investigation is at an early stage so there are many details which are yet to emerge. We have already notified the Information Commissioner's Office and other regulators as a precautionary measure, and we will of course be complying with our regulatory requirements as we continue to respond to this incident."
Gang Still Active?
"Despite claims that the DarkSide RaaS [operation] has now ceased, it is possible that these claims may have been exaggerated," Peh says. "With unwanted attention given to the group following its high-profile attack on Colonial Pipeline, DarkSide operators and affiliates could be attempting to remove themselves from the public's attention. DarkSide's announcement that some of its infrastructure has been taken down could also have been falsely made in an attempt to obfuscate their exposure to law enforcement."
Some DarkSide affiliates have recently complained about not getting paid for past services even though the gang promised to make final payments, BleepingComputer reports.