“DarkSide is a relatively new ransomware strain that made its first appearance in August 2020. DarkSide follows the RaaS (ransomware-as-a-service) model, and, according to Hack Forums, the DarkSide team recently made an announcement that DarkSide 2.0 has been released. According to the group, it is equipped with the fastest encryption speed on the market, and even includes Windows and Linux versions. The team is very active on hack forums and keeps its customers updated with news related to the ransomware. In an effort to grow and expand their operations, the group has started an affiliates program for potential users.”
“Like many other ransomware variants, DarkSide follows the double extortion trend, which means the threat actors not only encrypt the user’s data, but first exfiltrate the data and threaten to make it public if the ransom demand is not paid. This technique effectively renders the strategy of backing up data as a precaution against a ransomware attack moot.”
“DarkSide is observed being used against targets in English-speaking countries, and appears to avoid targets in countries associated with former Soviet Bloc nations. The ransom demand ranges between US$200,000 and $2,000,000, and according to their website, the group has published stolen data from more than 40 victims, which is estimated to be just a fraction of the overall number of victims.”
“The DarkSide group is a relatively new player in the game of ransomware. Despite being a new group, though, the DarkSide team has already built itself quite a reputation for making their operations more professional and organized. The group has a phone number and even a help desk to facilitate negotiations with victims, and they are making a great effort at collecting information about their victims – not just technical information about their environment, but more general information about the company itself, like the organization’s size and estimated revenue.”
Comment: IMO this is not a Russian government cyber operation. It is a Russian criminal enterprise, pure and simple. I spent years communicating with similar Russian hackers. They are often talented coders and criminally ingenious. Several of my “acquaintances” formed a group with the ostensible goal of striking at porn sites. They would appear to take over the target site’s web page and deface it with a rant about how perverted and dangerous they were. It was just a diversion. Their goal was to hack into the site’s payment system and steal the customers’ credit card data. The group’s leader explained this all to me. Not only would the porn site’s owner not realize their payment system was breached, but the customers would most likely not complain about the theft.
The Russian authorities, the FSB and perhaps the GRU, may have kept tabs on the DarkSide group and the individual hackers involved. They do that a lot. So do the Chinese. The Russian government sees these hackers as a farm team system and often reaches out to hackers of interest with an offer they can’t refuse. I’ve also known Russian hackers who have suffered this fate. They let me know of their new status in their own Russian hackspeak samizdat way.
Unfortunately for the DarkSide hackers, they are now most definitely under the unwanted burning glare of their government’s cyber officials. One of their affiliates made a mistake in targeting the Colonial Pipeline. Even if the hacker extortionists didn’t target the pipeline’s control system, they failed to anticipate Colonial’s shutting down that control system in response to the breach of their IT system. Oops. Now they’ve attracted the gaze of the NSA and CYBERCOM as well. And all they wanted to do was make a little money.
Such is the life of a pirate.
The linked article is from an Israeli cyber security company started in 2012 by several Israeli former military and intelligence cyber specialists. It does a fairly good job of describing the group and also has details about how the group’s ransomware code works. A lot of these companies are founded by former government security specialists. Some of the best also employ former dark hat and grey hat hackers. The Russians also successfully employ dark hat and grey hat hackers. I have always advocated that we do the same. Use these hackers as auxiliaries or controlled (semi-controlled) assets, something beyond our usual advertising for employees at the annual Defcon.