Ransomware groups may be trying to retreat from the spotlight—and preserve their business models—after high-profile attacks in recent weeks disrupted daily life in two countries and sparked widespread condemnation.
Ireland’s public healthcare system’s computer networks remain crippled after hackers from the so-called Conti ring struck early this month, disrupting care throughout the country. Conti handed over a tool last week to help reverse the damage but still threatened to leak stolen data unless a ransom was paid. The move came after the ransomware gang DarkSide claimed it disbanded following its attack on Colonial Pipeline Co. and other hacking groups urged members to move deeper underground.
The backpedaling shows how ransomware gangs that prefer to operate in the shadows, using publicity when it suits them in the form of extortion schemes, are trying to avoid scrutiny after some within their ranks inflicted real-world pain, security experts say. The likely goal, they say, is to regroup while the possibility of law-enforcement pushback is high and vet future targets more carefully.
“It is possible that we’re beginning to see potentially important signs of unrest [among hackers],” said Mr. Martin, former head of the National Cyber Security Centre, the British government’s cybersecurity agency.
U.S. lawmakers and officials have responded to the attacks by floating new powers for federal agencies and new cyber regulations for companies. Security experts say hackers’ recent moves could also point to new pressure by foreign governments, such as the Kremlin, which the U.S. and others say provide safe harbor to ransomware groups.
“If they’re quietly forcing C-suite executives to hand over large checks, that’s one thing,” said Mr. Martin, now a professor at the University of Oxford. “If they’re causing huge problems for the U.S. president and EU member states, that’s quite a different problem.”
The hack of Ireland’s Health Service Executive pushed healthcare providers to keep records by hand and cancel or delay some procedures. A top official warned of tens of millions of Euros in repairs as a result of the breach.
On Friday, Minister of Health Stephen Donnelly told public broadcaster RTÉ Radio 1 that hackers who encrypted the healthcare system’s data offered a tool to help unlock it—free of charge.
“It came as a surprise,” Mr. Donnelly said. Irish officials, who say they won’t pay a ransom per government policy, have warned that the group behind the attack also stole personal data that could be leaked in an extortion scheme.
A spokesperson for HSE didn’t immediately respond to a request for comment on the status of the decryption tool.
Some ransomware groups in the past have offered decryptors to victims such as hospitals or nonprofits, said Brett Callow, a threat analyst at the cyber firm Emsisoft Ltd.
“It’s possible that they’re concerned with the well-being of others or, more likely, it was an act of self-preservation,” Mr. Callow said. “Attacks of this scale, which are so high-profile, mean that governments really can’t be seen as ignoring this anymore.”
U.S. officials have increasingly warned of such threats to privately owned infrastructure, such as Colonial Pipeline. Executives’ decision to pay hackers $4.4 million in bitcoin, just hours after receiving a ransom note on May 7, failed to prevent a six-day shutdown of the East Coast’s largest conduit for fuel or a continuing cybersecurity cleanup job that could cost tens of millions of dollars. The Energy Secretary sought to assure the U.S. public that fuel supplies were temporarily disrupted and that there was no gasoline shortage.
A week later, the DarkSide ransomware gang behind the hack told associates who use its malware that it was disbanding because the infrastructure behind its operation had been shut down, according to a copy of the message translated from Russian by the cyber firm Intel 471 Inc.
“In view of the above and due to the pressure from the U.S., the affiliate program is closed,” the group said. “Stay safe and good luck.”
The disruption came after President Biden said the White House was in contact with the Russian government about taking action against such criminal groups.
A White House spokeswoman declined to comment on a Washington Post report that the U.S. government wasn’t behind the DarkSide takedown. The Russian embassy in Washington didn’t immediately respond to a request for comment.
As the fallout from the Colonial Pipeline hack rippled outward, some other ransomware groups have stopped openly advertising their services online, said Mark Arena, chief executive of Intel 471, which monitors forums and chat rooms to watch how hackers operate.
Instead, he said, hackers are likely communicating directly with existing associates in the hope of protecting their groups’ reputations. Cybersecurity experts and ransom negotiators say they consider ransomware gangs’ trustworthiness when deciding whether to make payments.
Mr. Arena said the recent activity shouldn’t be confused with hackers halting their communications. “It’s going to be happening more behind the scenes,” he said.
Write to David Uberti at [email protected]
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved.