THE TIBERIUM BLOG - recent events, threats, and all things cyber

Party like a Russian

A pretty unusual and disturbing couple of weeks in the ransomware department, hard to even try and summarise, even through interpretive, presumably Cossack-style, dance.

In order to collect our thoughts and set the scene, it would be appropriate to review the work of Robbie Williams Esq. and his little known, but in our book, rather brilliant, work ‘Party Like A Russian’.

Amongst the lines in this multi-layered work of genius are:

I put a bank inside a car inside a plane inside a boat

It takes half the western world just to keep the ship afloat

As we all know, the majority of ransomware gangs are linked to, known to be, or pretend they are, Russian, or at least from that part of the world, we say, sweepingly generalising (see below).

If you haven’t been on a sabbatical to one of the remotest places on Earth, you will have heard of a couple of absolutely massive, worrying and downright sinister Ransomware attacks in the last week or so.

The first was the takedown of the American gas provider Colonial Pipeline:

Colonial Pipeline was hit with a devastating cyberattack earlier this month that forced the company to shut down approximately 5,500 miles of pipeline in the United States, crippling gas delivery systems in Southeastern states. The FBI blamed the attack on DarkSide, a cybercriminal gang believed to be based in Eastern Europe, and Colonial reportedly paid a $5 million ransom to the group.


As the report says, this was the work of the DarkSide ransomware-as-a-service outfit, presumably executed by parties nefarious (mwahaha). Claiming now to be ‘shut down’, having lost access to its servers and had its Bitcoin wallets emptied, DarkSide had allegedly received $90 million in ransomware fees before turning up its toes, joining the choir invisible etc. This data was provided by the reliable investigators at Elliptic.

Anybody who believes that DarkSide has actually shuffled off needs their head examining, of course. One only has to read the testimony of ‘UNKNOWN’ from REvil, which we covered a few weeks ago, to expose this as nonsense.

DarkSide leak site / Victims

The second and more traumatic ransomware incident was, and continues to be, the ransoming of the Irish Health Service Executive, the HSE. This one was claimed by the Conti/Wizard Spider, you guessed it, Russian-speaking, criminal gang.

The response to these activities has been markedly different. The HSE is not going to pay, and Colonial Pipeline did. Regular readers of this blog (thank you, thank you) will be well aware that, like all proper security outfits, we recommend that you plan for events like this so that you do not have to pay, ever: understanding the time to recover, and building (and regularly testing) the associated disaster recovery/business continuity plans. DO NOT PAY, EVER.

Unsurprisingly, the scale of Ransomware has reached the dizzy heights of Governments the world over, and there are murmurings about making it illegal to pay. Quite how that can be brought into legislation in a free market economy, or indeed enforced, has yet to be seen.

At Tiberium, we protect our customers at the point of infection and the point of execution, stopping ransomware using your existing Microsoft tooling supported by our managed services.

We deploy our FROST service in minutes, not months and significantly harden your environment from the outset, continuously measuring your levels of security and automatically protecting you from then on.

We would very much like the opportunity to show you how we do this, and we can show you what day one of onboarding our service looks like. It is really something. Contact us for a meeting and demonstration, maybe actually in real life (wow!).

And now we come to the unusual bit.

The esteemed, we are not worthy, Mr Brian Krebs has posted some research/advice on his site (and we had to check that it wasn’t an April Fool) that goes along these lines…

Russian/Eastern European hacking outfits are unlikely to be prosecuted locally unless they offend locally. To prevent this, there are often (but not always!) checks to see if infected machines have Russian or other Eastern European keyboard drivers installed.

Tests have shown many instances of ransomware deleting itself if this is the case, and maybe, just maybe, this may offer some level of protection. There are even scripts to trick your Windows registry into reporting Eastern European keyboards available. You couldn’t make this stuff up, but it is worth a read.
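To make the check concrete, here is an added audit script (ours for this post, not Krebs’s script and not code from any ransomware sample) that decodes Windows keyboard layout IDs the way such a check would and reports which installed layouts would trip it. The language table is an illustrative assumption: the LANGID values are real Windows ones, but which languages any given gang actually tests for varies and is not stated here.

```python
"""Decode Windows keyboard layout IDs (KLIDs) and report which installed layouts
would trip the 'home keyboard' check described above. Added illustration, not
code from Krebs or from any ransomware sample."""
from typing import Dict, Iterable, List

# Primary-language IDs (low 10 bits of a Windows LANGID). Russian 0x19,
# Ukrainian 0x22, Belarusian 0x23 and Kazakh 0x3F are real Windows values;
# which languages any given family actually checks is an ASSUMPTION here.
HOME_PRIMARY_LANGS: Dict[int, str] = {
    0x19: "Russian", 0x22: "Ukrainian", 0x23: "Belarusian", 0x3F: "Kazakh",
}


def klid_to_langid(klid: str) -> int:
    """'00000419' or 'd0010419' -> 0x0419: the LANGID sits in the low 16 bits;
    the high bits flag IMEs and custom layouts."""
    return int(klid, 16) & 0xFFFF


def primary_language(langid: int) -> int:
    """LANGID = sublanguage (high 6 bits) | primary language (low 10 bits), so
    0x0819 (Russian, Moldova) and 0x0419 both reduce to 0x19."""
    return langid & 0x3FF


def home_layouts(preload: Iterable[str]) -> Dict[str, str]:
    """Map each preloaded KLID that matches the table to its language name;
    an empty result means the host would NOT pass the check."""
    found: Dict[str, str] = {}
    for klid in preload:
        name = HOME_PRIMARY_LANGS.get(primary_language(klid_to_langid(klid)))
        if name:
            found[klid] = name
    return found


def read_preload_from_registry() -> List[str]:
    """Read HKCU\\Keyboard Layout\\Preload (the key the 'trick' scripts edit); Windows only."""
    import winreg  # fails to import outside Windows
    values: List[str] = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Keyboard Layout\Preload") as key:
        index = 0
        while True:
            try:
                _name, data, _type = winreg.EnumValue(key, index)
            except OSError:  # no more values under the key
                break
            values.append(str(data))
            index += 1
    return values
```

On a Windows host, `home_layouts(read_preload_from_registry())` audits the logged-on user’s layouts. An empty result only tells you the host lacks this particular trip-wire; a gang that drops the check from its build is unaffected by it, so treat this as an audit, not a control.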

But then again, you couldn’t make up the fact that the Russian Government are offering assistance to the Irish HSE, could you? Or could you?

BREAKING NEWS! Would you believe it? A bit of Putin pressure appears to go a very long way. As good a result as possible, but stinks of murkiness!

Have a great weekend.
