Last week, people felt nostalgic for all the wrong reasons: 1970s-era gas lines were back after a crippling ransomware attack hit the Colonial Pipeline, which is responsible for transporting 100 million gallons of fuel to consumers across the eastern seaboard every day. Though operations have resumed, nearly 10,000 gas stations are still without gas.
The FBI confirmed that the hacker group known as DarkSide was responsible for the attack. So what do we know?
1. DarkSide is based on a “ransomware as a service” business model.
Under this model, DarkSide does not carry out most ransom attacks itself. Instead, it develops and maintains its ransomware tools and sells or leases them to other criminals (its “affiliates”), who conduct the intrusions and share the proceeds.
2. DarkSide received $5 million in ransom funds from Colonial Pipeline.
In a story first reported by Bloomberg, the pipeline company made the payment in cryptocurrency last week, despite early claims that it did not intend to cave to ransom demands. In exchange, DarkSide provided a decryption tool that was so slow the company started using its own backups to restore its data.
3. DarkSide has recently “gone dark.”
The eight websites the hacker group uses to communicate with its victims have gone down in the past couple of days. Whether the organization has suspended its operations, is closing for good, or is simply pulling a stunt remains unclear. Some sources report that it has lost access to its servers and that its cryptocurrency wallets have been seized and emptied by law enforcement.
According to CNBC:
On Friday, London-based blockchain analytics firm Elliptic said it had identified the bitcoin wallet used by DarkSide to collect ransom payments from its victims. The same day, security researchers Intel 471 said DarkSide had closed down after losing access to its servers and as its cryptocurrency wallets were emptied. DarkSide also blamed “pressure from the U.S.,” according to a note obtained by Intel 471.
4. It is Russia-based, but self-described as apolitical.
DarkSide remarked in a statement on its blog:
“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives [sic]. Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
Well, there you have it. We should just take the cybercriminals at their word, right? It’s not as if they purposefully avoid attacking anyone with a Cyrillic keyboard (the alphabet used by Russians). Oh wait…
Pro tip for the "but how do we protect ourselves?" folks. DarkSide ransomware, like many other strains, will not install on systems where certain Cyrillic keyboard and other scripts are already installed. So, install the Russian keyboard. You don't have to use it.
— briankrebs (@briankrebs) May 11, 2021
5. DarkSide supposedly operates on a code of ethics.
DarkSide purports to be a principled criminal group, claiming that it guarantees working decryptor tools, gives money to charity, and avoids targets such as the medical and education sectors. KrebsOnSecurity shared the following screenshot of its “code of ethics”:
6. DarkSide allegedly received $90 million in Bitcoin before being shut down.
7. DarkSide is … strangely professional?
In addition to sharing its code of ethics, the group also runs a help desk that victims can contact. Additionally, the confidential data of more than 40 of its victims has been published on a website called “DarkSide Leaks,” which is maintained by DarkSide.
8. DarkSide operates on a “double-extortion” model.
This means that DarkSide not only encrypts your data until you pay the ransom, but also exfiltrates it first and threatens to publish it if you do not pay by the deadline. Restoring from backups therefore removes only half of the leverage, which is why the model is so effective for the attackers.