Rise of DarkSide: Ransomware Victims Have Been SurgingCrime Syndicate's Big Game Hunting and Advanced Extortion Risk Becoming Commonplace
For anyone wondering how a Russian-speaking, ransomware-wielding crime syndicate was able to disrupt a major U.S. fuel pipeline, a more pertinent question might be: Why didn’t it happen sooner?
The DarkSide operation first appeared in August 2020 with a clear MO: To take down big targets in pursuit of massive ransom payoffs. Information security experts call this strategy big game hunting.
Unless something is done to disrupt this criminal business model, what seems audacious today risks becoming even more commonplace tomorrow.
Unfortunately, extortionists pursuing this strategy have not only been disrupting large organizations but also have seen many of them pay ransoms, yielding massive profits.
On Monday, the FBI blamed DarkSide for disrupting IT systems at Colonial Pipeline Co., which transports about 45% of all fuel used on the U.S. East Coast. While full details of the attack have yet to be made public, the U.S. Cybersecurity and Infrastructure Security Agency says attackers only appear to have hit IT systems, rather than Colonial Pipeline's operational technology networks, such as the pipelines themselves.
This may be because once Colonial Pipeline realized on Friday that it had been hit by ransomware, it says it quickly responded, and "proactively took certain systems offline to contain the threat" which "temporarily halted all pipeline operations and affected some of our IT systems." White House officials say they expect the pipeline to "be substantially operational" by this weekend.
'We Do Not Want to Kill Your Business'
For a relative newcomer, DarkSide has already left a big impression. The operation announced its debut on cybercrime forums on Aug. 10, 2020, saying that "we are a new product on the market, but that does not mean that we have no experience and we came from nowhere." Threat intelligence firm Flashpoint says the group's first known attack also occurred the same day.
At the time, the gang promised that it would not attack any organizations in the medical, healthcare, nonprofit or government sectors. "We only attack companies that can pay the requested amount, we do not want to kill your business," the gang claimed.
In November 2020, on Russian-language cybercrime forums, gang member "darksupp" began to advertise for two types of affiliates for what was becoming a ransomware-as-a-service operation: initial access brokers able to hack into targets and attackers able to use already obtained access to deploy ransomware, security firms say.
Most ransomware-wielding gangs today operate via this type of ransomware-as-a-service model, in which operators develop the malware and infrastructure, including payment portals for victims, and provide this as a service to affiliates, who infect victims. Such specialization has helped ransomware operators increase their profits, especially as they recruit more technical specialists to the operation and sign up more technically advanced affiliates. Whenever a victim pays, the operator and affiliate share the profits.
Experts say competition between RaaS operators for skilled affiliates remains fierce, driving operators to continually improve their malware, add fresh capabilities and negotiate generous profit-sharing deals.
The version of DarkSide ransomware spotted last November, for example, included the ability to encrypt Windows as well as Linux systems, with the latter feature likely being attractive to big game hunters, Sophos says.
DarkSide's operators tailor the amount of every ransom they keep to incentivize affiliates to take down bigger targets. "Based on forum advertisements, this percentage starts at 25% for ransom fees less than $500,000 and decreases to 10 percent for ransom fees greater than $5 million," meaning that affiliates keep 75% to 90% of every successful ransom payment, FireEye's Mandiant incident response group says in a blog post.
Not just any would-be hacker can join this crime syndicate. "DarkSide RaaS affiliates are required to pass an interview after which they are provided access to an administration panel," Mandiant says. The panel enables affiliates to generate a fresh ransomware build, queue stolen content for publishing to DarkSide's dedicated data leak site - reachable only via the anonymizing Tor bowser - and contact support. Alleged capabilities on offer to affiliates also include the ability to launch a distributed denial-of-service attack against victims as well as instruct a call center to contact them, seeking a ransom payment.
Affiliates' Skill Sets
Different DarkSide affiliates operate in different ways, based on their skill sets.
Mandiant says it has so far identified at least five Russian-speaking affiliates, all of whom "commonly relied on commercially available and legitimate tools to facilitate various stages of their operations," although at least one of them "also employed a now patched zero-day vulnerability" - a flaw in the SonicWall's SMA100 SSL VPN, designated CVE-2021-20016. The dwell time for that affiliate tended to be less than 10 days, Mandiant said, while other affiliates typically progressed from first accessing a victim's network to leaving files crypto-locked and a ransom note in just two or three days.
Sophos notes that the five DarkSide attacks it's investigated to date all had a much longer dwell time - 44 to 88 days, with a median of 45 days. "This time can vary significantly depending on the affiliate," Kimberly Goody, senior manager for financial crime analysis at Mandiant Threat Intelligence, tells me.
As with almost every type of ransomware attack code seen in the wild, DarkSide is built so that it won't crypto-lock any system that appears to be in the Commonwealth of Independent States, which includes Russia and other nations that were part of the former Soviet Union (see: Russia's Cybercrime Rule Reminder: Never Hack Russians).
In response to allegations that the gang members are acting as state-sanctioned pirates, DarkSide issued this statement via its website: "We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives. Our goal is to make money, and not creating problems for society."
Following the pipeline disruption, the gang also claimed that it would henceforth vet all affiliates' targets before allowing their systems to get crypto-locked (see: DarkSide's Pipeline Ransomware Hit: Strictly Business?).
Continually Refined Extortion Tactics
The DarkSide ransomware operation caused a stir in April after suggesting it would feed stock traders advance notice of organizations it breached so traders could capitalize on likely drops in share prices once the attacks became public knowledge.
New "press release" from DarkSide ransomware actors: "About stock traders."— MalwareHunterTeam (@malwrhunterteam) April 22, 2021
So if I not missed anything, they are the first ransomware group that is offering info for shorting.
Seriously not sure what "new" thing to expect from ransomware groups now...
cc @VK_Intel pic.twitter.com/UZqY8BmcpA
The DarkSide operation has also proven to be adept at obtaining inside information from victims to strengthen its negotiating hand. In one case, for example, Mandiant notes that "an attacker was able to obtain the victim's cyber insurance policy and leveraged this information during the ransom-negotiation process, refusing to lower the ransom amount given their knowledge of the policy limits."
In the bigger picture, however, DarkSide is just one of a number of RaaS operations that continue to refine its extortion tactics, as well as its ability to successfully target and take down large targets, including the occasional private operator of critical infrastructure. Unless something is done to disrupt this criminal business model, what seems audacious today risks becoming even more commonplace tomorrow.