DarkSide hackers mint money with ransomware franchise


As its coming-out announcement suggests, DarkSide is less a single hacking group than a sort of criminal franchise. — Dreamstime/TNS

When a new ransomware group popped up on the scene last year, the hackers did what’s in vogue for digital extortion organisations these days: They issued a press release.

The hackers had already made “millions of dollars” in profit working as affiliates for other groups when they decided to go out on their own, the announcement said. “We created DarkSide because we didn’t find the perfect product. Now we have it.”

That product – essentially a set of hacking tools and related services – was responsible for the shutdown last week of the biggest fuel pipeline in the US, raising gas prices on the Eastern Seaboard and turning DarkSide into a household name.

Much of the US has been riveted by the attack ever since, and even Americans who knew little about ransomware are getting a lesson in the uniquely lucrative world of global cybercrime.

As its coming-out announcement suggests, DarkSide is less a single hacking group than a sort of criminal franchise. The platform supplies affiliates with tools and follow-up services in much the same way McDonald’s Corp supplies local store owners with pre-made soft serve and frozen hamburger patties.

“These guys provide the marketing, the people who handle customer success, as well as the actual ransomware,” said Mark Arena, chief executive officer of the cybersecurity firm Intel 471, which tracks DarkSide. “Fortune 500 CEOs would be impressed with the efficiency of the business model.”

That model has helped the group rack up scores of victims beginning late last summer, ranging from oil field services companies to law firms to banks.

An unpublished analysis by BAE Systems Applied Intelligence found that most DarkSide victims were US companies, but the hackers also hit firms in Europe, South Africa and Brazil. The report noted that affiliates are asked not to attack targets within the borders of the Commonwealth of Independent States, a group of nations that includes Russia and much of the former Soviet Union, possibly indicating the hackers’ home base.

Data posted to the group’s dark web page suggest that victims included Dixie Group Inc, a major US manufacturer of carpets and rugs; the farm products supplier Carolina Eastern Inc; and Paslin Co, a Michigan company that makes welding machinery for the auto industry. Representatives for the three companies didn’t immediately respond to a request for comment, but the Dixie Group in April disclosed a ransomware hack.

None of those garnered the kind of attention that has resulted from the attack on Colonial Pipeline, which operates more than 5,000 miles of pipeline that ship gasoline and jet fuel from Houston up the East Coast to the area around New York City.

There is some evidence that DarkSide did not intend for the hack to have so great an impact. The group’s operators released a statement Monday saying that they had no interest in geopolitics, and weren’t even in control of which companies get attacked using their platform.

That could very well be true, said Adrian Nish, head of cyber for BAE Systems Applied Intelligence. “The traditional affiliate model is like a distributor in business,” he said. “You build the tools but then scale up by getting a whole lot of people to use your tools and services.”

In DarkSide’s case, that includes not just the actual ransomware used to encrypt data on victims’ computers, but also services like making calls to those victims and hosting a website where sensitive data stolen during attacks can be posted. Ransom demands easily reach into the millions of dollars for large companies, and DarkSide takes a 10% to 25% cut off the top of any payment, according to Intel 471’s Arena.

He said Intel 471 analysts were able to observe a negotiation between DarkSide and a large US victim over several days in January. The hackers began by demanding US$30mil (RM123.76mil), which would double if payment wasn’t made by a defined date. The hackers also threatened to release sensitive data stolen from the company unless it paid, providing samples to validate the threat.

During the negotiations, the hackers said they had encrypted 500 of the company’s main data servers, plus hundreds of back-up servers, a trick to make it harder for victims to recover from the attack. After four days of haggling, the company paid more than US$14mil (RM57.75mil) in ransom, according to an Intel 471 report on the event.

The earliest cybersecurity experts can find traces of the criminals behind DarkSide is around 2013, when the same hackers were attacking financial organisations in Russia, before moving on in subsequent years to targets in the Middle East, Europe and the United States, according to Adam Meyers, senior vice president of intelligence at the cybersecurity firm CrowdStrike Inc.

CrowdStrike dubbed that earlier organisation Carbon Spider, and by 2016 the group had lost some of its hackers, who split off and formed their own crime organisation focused on the financial sector.

By 2020, some of the hackers were using ransomware from another group, called REvil, before launching the “ransomware as service program” called DarkSide that hit Colonial Pipeline, according to CrowdStrike.

Some ransomware groups have vicious reputations – hitting hospitals during the pandemic, for example – but DarkSide has tried to cultivate a reputation for professionalism, and even humanism.

They have rules against attacking hospitals and nonprofits, according to an analysis of the group’s postings by the cybersecurity firm ESentire. And they say they have donated several thousand dollars to a charity supporting disadvantaged children and another one that works to provide clean drinking water in Africa.

At one point the group offered to provide stock traders with insider information from victim companies, which they could use to make money on the market – a move that appeared to be an attempt to cultivate a Robin Hood-esque reputation for spreading corporate wealth, according to screen shots of the group’s blog provided by ESentire.

Following all the attention garnered by the Colonial hack, the group vowed to be more careful in vetting affiliates and keeping an eye on the victims they are targeting. “Our goal is to make money and not creating problems for society. From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future,” the group said in a statement posted on its dark web page.

BAE’s Nish said he believes that DarkSide’s carefully cultivated image is just a marketing ploy. The group does pick its targets for ideological reasons, he said. Like other ransomware groups, DarkSide has learned that large manufacturing companies often have cyber insurance and pay quickly.

“You hear this talk of the geopolitical stuff, but this is really about money,” Nish said. “These are criminals and they act rationally; they do what they need to make money.” – Bloomberg
