Toshiba unit struck by DarkSide ransomware group

Following Colonial Pipeline, a DarkSide affiliate has claimed another victim.

A Toshiba unit has become the latest victim of a DarkSide ransomware attack. 

On Friday, Toshiba Tec Corp said it was struck by a cyberattack that has impacted some regions in Europe. 

Toshiba Tec Corp manufactures products including barcode scanners, Point-of-Sale (PoS) systems, printers, and other electrical equipment. The unit's French subsidiary appears to have been targeted.

After discovering the attack, Toshiba Tec shut down networks between Japan, Europe, and its subsidiaries to "prevent the spread of damage" while recovery protocols and data backups were implemented.

The company says that an investigation has been launched into the extent of the damage and a third-party cyberforensics specialist has been pulled in to assist. 

"We have not yet confirmed that customer-related information was leaked externally," Toshiba's unit says.

However, the company did acknowledge that "it is possible that some information and data may have been leaked by [a] criminal gang."

This group is DarkSide, cybercriminals that hit the headlines this week following the Colonial Pipeline cyberattack.

DarkSide is a ransomware-as-a-service (RaaS) outfit that provides ransomware to affiliates within its network in return for a cut of any profits made by extorting victim organizations. 

DarkSide affiliates employ a double-extortion tactic, in which companies first receive a demand for payment in return for a decryption key to unlock systems infected with DarkSide ransomware. If they refuse, they are then threatened with the public release of confidential data and records stolen during initial access on a leak site. 

At the time of writing, DarkSide's leak site is not accessible. The Toshiba subsidiary said that only a "minimal amount of work data had been lost," reports Reuters.

However, a cached version of the leak post, accessed by ZDNet via Kela's Darkbeast search engine, appears to show stolen passport scans alongside project documents and work presentations. 

The leak record, posted May 13, claims that over 740GB of data was stolen from Toshiba. 

The ransomware operators are responsible for the attack on Colonial Pipeline last Friday. Colonial Pipeline, a company that provides roughly 45% of East Coast fuel supplies, was forced to close down its operations for close to a week following the encryption of its IT systems. 

The FBI and US Cybersecurity and Infrastructure Security Agency (CISA) have issued an alert and advisory on DarkSide and broader RaaS criminal operations. 

Read on: Colonial Pipeline attack: Everything you need to know

ZDNet has reached out to Toshiba Tec Corp and we will update when we hear back. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0