DarkSide Attacks European Branch of Toshiba Corporation

Hot on the trail of the successful attack carried out on the infrastructure of Colonial Pipeline that resulted in a $5 million ransom payout, the threat actor group known as DarkSide executed another ransomware attack. This time DarkSide's target was a European subdivision of Japanese-based Toshiba Corporation.

On May 14 Toshiba published an informational piece, stating that European subsidiaries of Toshiba Tec Group have become the latest victim of a ransomware attack and "suffered damage".

Toshiba has pulled the plug on the affected networks to prevent the further spread of the ransomware; systems operating between Europe and Japan, as well as inter-European systems, have been stopped to minimize damage.

According to current information, the damage is limited to several European regions and there is no evidence of customer information being stolen.

Despite the reassurance that no customer information was leaked or stolen, the announcement does mention that "some information and data may have been leaked". The group responsible for the attack is the DarkSide group that deployed ransomware on Colonial Pipeline systems in the US and caused a major fuel supply outage that lasted for several days.

The result of the previous attack was a $5 million ransom payment that Colonial made mere hours after the attack. Despite the prompt payment, the decryption tool provided by the hackers proved far too slow, and the company restored operations using its own internal backups. Toshiba is currently doing the same, working to bring the affected networks back to operating order using backups.

Even though the DarkSide group website is currently not accessible, ZDNet reported that a cached version of a page published by DarkSide showed claims that around 740 gigabytes of data had been exfiltrated from Toshiba's systems, including scanned passports as well as project documentation belonging to Toshiba.

It remains to be seen whether the bad actors will publish those files. Threat groups that use ransomware have recently moved to a double-extortion model: they encrypt the victim's files and also exfiltrate as much sensitive data as possible, so that they can threaten to leak the data if the ransom demands are not met.

DarkSide operates on a ransomware-as-a-service principle, licensing out its malicious tools to third-party hackers. Once a payment comes through, the third-party hackers split the payout with the top-level threat actor who operates and supports the ransomware.

Two days ago, DarkSide boasted that it had already attacked three more targets. Chances are, the Toshiba European branch was the first of those three.

May 14, 2021