Doncaster insurance firm One Call hit by not-dead-at-all Darkside ransomware gang

A Doncaster insurance company has been hit by ransomware from the Darkside crew – whose "press release" declaring it was shutting down its operations last week was taken at face value by some pundits.

The Doncaster Free Press reports that One Call Insurance, based in the northern English city, had been compromised by Darkside a week ago.

Quoting the extortionist gang's well-known "welcome to the darkside" ransom note, the local paper said: "A message appeared on the screen from the hackers stating if they do not receive £15m, the data they have will be made public. That's including all customer data such as passwords and bank details."

One Call told The Register: "On May 13th we began experiencing some disruption to our IT systems and immediately hired a dedicated team of IT forensic specialists to help restore our systems and investigate what happened. We prioritised the restoration of our customer services systems in an entirely new and secure environment, meaning that all existing customers are receiving the normal support."

This was just a few days after the Colonial Pipeline's initial compromise on 7 May and one day before the ransomware gang claimed to be shutting up shop.

One Call's spokeswoman added: "The specialists confirmed that the disruption was the result of a ransomware attack, from a criminal organisation who are under investigation by the authorities."

A forensic IT specialist firm is said to be assisting with the investigation. Even though it happened a week ago, the insurer told The Register it didn't yet know "whether any data was impacted in the incident."

The ICO is aware of the attack, as are insurance industry regulators, One Call told us, adding: “We apologise for the temporary disruption and any frustration caused.”

Didn't the crims shut themselves down?

Darkside is the extortionist criminal gang that targeted the US Colonial Pipeline company, operators of an oil conduit on America's east coast that supplied just under half of the region's daily refined petroleum needs.

Following that attack and the furious response from the US, Darkside used its Tor-hosted stolen data repository to announce it was shutting down its operations, as conveyed to the wider world by a blog affiliated to infosec firm Recorded Future.

This was premature: as many speculated, Darkside appears to have used furious US promises of retribution to pull its publicly known infrastructure offline (and took several tens of millions of dollars' worth of cryptocurrency with it) while keeping its criminal activities going, as the One Call incident suggests.

• Two ransomware strains target VMware’s ESXI hypervisor through stolen vCenter creds
• US declares emergency after ransomware shuts oil pipeline that pumps 100 million gallons a day
• Hackers break the bank to the tune of $300 MEEELLION
• Eufycam Wi-Fi security cameras streamed video feeds from other people's homes
• Ransomware victim Colonial Pipeline paid $5m to get oil pumping again, restored from backups anyway – report
• Colonial Pipeline was looking to hire cybersecurity manager before ransomware attack shut down operations

Back in March the Darkside ransomware was seen targeting VMware ESXi hypervisors, according to infosec firm Crowdstrike. Researchers reckoned Darkside's operators in that instance were a well-established criminal crew known as Carbon Spider, aka Carbanak.

That gang has been active since the mid-2010s, most noticeably hauling in a claimed $300m in the years up to 2015 with its eponymous banking malware. ®