DarkSide, which is believed to be based out of Russia and made up of veteran cybercriminals, cultivates a Robin Hood image of stealing from corporations and giving a cut to charity. In a statement (above) following the Colonial attack, the group said their only goal was to ‘make money’
The cyberextortion attack that forced the shutdown of America’s largest fuel pipeline was carried out by a criminal gang known as DarkSide that is based out of Russia where they are given free rein to target Western countries.
DarkSide is made up of veteran cybercriminals but insists it is not political.
Like many others, however, DarkSide seems to spare Russian, Kazakh and Ukrainian-speaking companies, which suggests a link to Russia.
In Russia, hackers are essentially allowed to act without penalty.
Cyber experts say Russia gives free rein to hackers who target Western countries.
‘Whether they work for the state or not is increasingly irrelevant, given Russia’s obvious policy of harboring and tolerating cybercrime,’ said Dmitri Alperovitch, a co-founder of CrowdStrike.
The FBI on Monday confirmed that DarkSide was responsible for the attack on Colonial Pipeline that has experts fearing widespread gas shortages and significant price hikes.
The federal agency did not mention DarkSide’s ties to Russia.
DarkSide, which cultivates a Robin Hood image of stealing from corporations and giving a cut to charity, said in a statement posted on the dark web that their only goal was to ‘make money’ and not create problems for society.
The FBI on Monday confirmed that DarkSide was responsible for the attack on Colonial Pipeline (above) that has experts fearing gas shortages and significant prices hikes
The group has posted receipts from donations it claims it has made to US charities in the wake of ransom attacks
The hackers cultivate a Robin Hood image of stealing from corporations and giving a cut to charity. Pictured is a receipt the group claims shows they donate a cut of their ransoms to charity
‘We are apolitical, we do not participate in geopolitics,’ the statement read. ‘Our goal is to make money and not creating problems for society.’
‘From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.’
Colonial, which is based in Atlanta, Georgia, has not yet said whether it has paid or is negotiating a ransom with the hackers.
Despite only emerging in August last year, DarkSide appears to be very organized, according to cybersecurity experts.
Those who have tracked DarkSide said it appears to be composed of veteran cybercriminals who are focused on squeezing out as much money as they can from their targets.
‘They’re very new but they’re very organized,’ Lior Div, the chief executive of Boston-based security firm Cybereason, said.
‘It looks like someone who’s been there, done that.’
DarkSide is one of a number of increasingly professionalized groups of digital extortionists, with a mailing list, a press center and a victim hotline to help facilitate ransom payments.
Experts say DarkSide was likely composed of ransomware veterans and that it came out of nowhere in the middle of last year and immediately unleashed a digital crimewave.
‘It’s as if someone turned on the switch,’ said Div, who noted that more than 10 of his company’s customers have fought off break-in attempts from the group in the past few months.
DarkSide finds vulnerabilities in a network, gains access to administrator accounts and then harvests data from the victim’s server and encrypts it. The software leaves a ransom note text file with demands (pictured above)
DarkSide’s site on the dark web hints at their hackers’ past crimes with claims they previously made millions from extortion and that just because their software was new ‘that does not mean that we have no experience and we came from nowhere’.
The site also features a Hall of Shame-style gallery of leaked data from victims who haven’t paid up.
It advertises stolen documents from more than 80 companies across the US and Europe.
One of the more recent victims featured on its list was Georgia-based rugmaker Dixie Group Inc, which publicly disclosed a digital shakedown attempt affecting ‘portions of its information technology systems’ last month.
DarkSide has previously targeted Enterprise rental cars, Canadian real estate firm Brookfield Residential and an Office Depot subsidiary called CompuCom.
The group has a supposed code of conduct intended to spin the group as reliable, if ruthless, business partners.
They have publicly stated that they prefer not to attack hospitals, schools, non-profits, and governments.
They instead go after big organizations that can afford to pay large ransoms and claims to donates a portion of its take to charity.
‘Before any attack, we carefully analyze your accountancy and determine how much you can pay based on your net income,’ the group has previously said.
The group has posted receipts from donations it claims it has made to US charities in the wake of ransom attacks.
According to data security firm Arete, DarkSide finds vulnerabilities in a network, gains access to administrator accounts and then harvests data from the victim’s server and encrypts it.
The software leaves a ransom note text file with demands.
Sources told Bloomberg News that hackers stole nearly 100 gigabytes of data out of Colonial’s network on Thursday before demanding a ransom. Colonial, which is based in Georgia, has not yet said whether it has paid or is negotiating a ransom with the hackers
The attack on Colonial Pipeline, which runs from Texas to New Jersey and transports 45 percent of the East Coast’s fuel supply, is the largest assault on US energy infrastructure in history and has sent shockwaves across the industry
Ransoms average more than $6.5 million and the attacks lead to an average of five days of downtime for the business.
Sometimes stolen data is more valuable to ransomware criminals than the leverage they gain by crippling a network because some victims are loath to see sensitive information of theirs dumped online.
Ransom software works by encrypting victims’ data and typically hackers will then offer the victim a key in return for cryptocurrency payments that can run into the hundreds of thousands or even millions of dollars.
If the victim resists, hackers threaten to leak confidential data in a bid to pile on the pressure.
According to some experts, DarkSide’s code is standard ransomware but Div said that what does set them apart is the intelligence work they carry out against their targets beforehand.
Typically ‘they know who is the manager, they know who they’re speaking with, they know where the money is, they know who is the decision maker,’ Div said.
In that respect, Div said that the targeting of Colonial Pipeline, with its potentially massive knock-on consequences for Americans up and down the Eastern seaboard – may have been a miscalculation.
‘It’s not good for business for them when the US government becomes involved, when the FBI becomes involved,’ he said.
‘It’s the last thing they need.’
The FBI released a statement on Monday, saying: ‘The FBI confirms that the Darkside ransomware is responsible for the compromise of the Colonial Pipeline networks. We continue to work with the company and our government partners on the investigation.’