The ransomware group that attacked Colonial Pipeline has in the past tried to donate some of its profits to charity in a twisted take on the tale of Robin Hood. But the gang known as DarkSide is appropriately named as it has proven it won’t hesitate to target vulnerable victims to make a buck.
DarkSide has garnered some publicity lately, and not especially wanted, after the FBI and others blamed the group for the recent ransomware attack against Colonial Pipeline, which forced the company to take down its operations. The attack caused alarm bells to ring as the distribution and delivery of fuel is considered part of the critical infrastructure in the U.S., and a service upon which so many organizations and individuals depend.
But who is DarkSide, what are its motives, and what are the group’s connections with the Russian government?
DarkSide started as a hacker for hire supporting REvil, the infamous provider of ransomware-as-a-service, according to Jon DiMaggio, chief security strategist for threat intelligence firm Analyst1. After gaining the necessary experience in cybercrime, the group ventured out on its own with a new variant of ransomware that shares code with REvil. In November 2020, DarkSide started hiring its own affiliates to carry out certain phases of an attack, including the initial access to a victim and the execution of the ransom payload.
Purely profit driven, the group is a player in “big game hunting” in which it targets large corporations and organizations, Vladimir Kuskov, head of threat exploration at Kaspersky, told TechRepublic. Through its affiliate relationships, DarkSide sells its ransomware product to partners, which can then buy access to organizations from other hackers as a way to deploy the actual ransomware.
The ransomware product is available for both Windows and Linux, Kuskov said. Both versions have a secure cryptographic scheme, so decryption is impossible without the criminal’s key. In the past, DarkSide used the same keys for multiple victims, which allowed security professionals to create a decryption tool to help different victims recover their files. But the gang has since corrected that flaw, so new victims won’t find themselves so lucky.
DarkSide likes to portray itself as an almost benevolent force simply interested in turning a profit. In the past, the group has offered some of its ill-gotten booty to charities, which rejected the money based on how it was obtained. But this Robin Hood mentality is more of a PR stunt, according to DiMaggio.
“When they made the donations (two donations at $10,000 each), it was reported across cyber news organizations all over the world,” DiMaggio said. “It was essentially a $20K marketing cost that got their name out there. All of these guys seem to have big egos, which is why they have press releases and will talk to the media and researchers. So this donation was likely an attempt to increase their visibility.”
DarkSide also claims to have a certain code of conduct in which it promises not to attack hospitals, schools, government institutions, nonprofits and non-commercial organizations. The group’s Dark Web page even states: “Our goal is to make money, and not creating problems for society.”
The gang seems intent on not letting its ransomware impact any organization considered vital to society, according to Tony Cook, head of threat intelligence for DFIR at GuidePoint Security. Instead, DarkSide very specifically targets large profitable corporations.
But that raises a question. Why target Colonial Pipeline, an organization that provides a service many would consider vital to society? In fact, DarkSide may be having second thoughts about attacking such a visible entity.
In a new message on its Dark Web site, the group offered a type of apology/explanation, suggesting that one of its partners may have been behind the attack and promising to do a better job vetting potential victims in the future, Bloomberg reported on Monday.
However, DarkSide’s true regret may be in the publicity it’s brought upon itself as a result of the attack.
“Any actions that result in a negative impact to their revenue stream or the inability to pay ransoms go against their publicly stated long-term goals,” Cook said. “They do their best to not disrupt specific industry verticals in order to stay under the radar while still remaining profitable. In this particular instance, it could be very disruptive to their efforts as it puts them in a spotlight and could result in efforts to shut the group down or potentially add OFAC (Office of Foreign Assets Control) sanctions to make it harder for their ‘clients’ to pay their ransoms.”
Also, DarkSide’s statement may not be so much an apology as an attempt to distance itself from any affiliation with the Russian government, DiMaggio said. Reports asking about any possible government connection may have scared the group, which doesn’t want to upset the Kremlin. As such, it may be backpedaling and trying to separate itself from any government involvement.
That then brings up the question of whether DarkSide is supported or sanctioned by the Russian government. The group likely operates out of Russia, or eastern European countries, but there’s no substantial evidence tying it to the Russian government, Cook said. DarkSide checks to make sure its attacks don’t impact any systems in Russia or eastern Europe, an action that could be out of patriotism or simply fear of reprisals by the Russian government.
Any affiliation to Russia is speculation, DiMaggio said. But such attackers are available to the Russian government, which seems to provide a safe haven for the group.
“I think it is a matter of time before we have evidence that ransomware attacks have some affiliation with the Russian government, but as of today that is my opinion based on circumstantial evidence,” DiMaggio added. “However, ransomware is such a strong resource that could be used as a weapon of destruction as opposed to providing financial gain. That scenario seems more likely to take place if and when a government is behind the attack.”