When a new ransomware group popped up on the scene last year, the hackers did what’s in vogue for digital extortion organizations these days: They issued a press release.
The hackers had already made “millions of dollars” in profit working as affiliates for other groups when they decided to go out on their own, the announcement said. “We created DarkSide because we didn’t find the perfect product. Now we have it.”
That product — essentially a set of hacking tools and related services — was responsible for the shutdown last week of the biggest fuel pipeline in the U.S., raising gas prices on the Eastern Seaboard and turning DarkSide into a household name.
Much of the U.S. has been riveted by the attack ever since, and even Americans who knew little about ransomware are getting a lesson in the uniquely lucrative world of global cybercrime.
As its coming-out announcement suggests, DarkSide is less a single hacking group than a sort of criminal franchise. The platform supplies affiliates with tools and follow-up services in much the same way McDonald’s supplies local store owners with pre-made soft serve and frozen hamburger patties.
“These guys provide the marketing, the people who handle customer success, as well as the actual ransomware,” said Mark Arena, chief executive officer of the cybersecurity firm Intel 471, which tracks DarkSide. “Fortune 500 CEOs would be impressed with the efficiency of the business model.”
That model has helped the group rack up scores of victims beginning late last summer, ranging from oil field services companies to law firms to banks.
An unpublished analysis by BAE Systems Applied Intelligence found that most DarkSide victims were U.S. companies, but the hackers also hit firms in Europe, South Africa and Brazil. The report noted that affiliates are asked not to attack targets within the borders of the Commonwealth of Independent States, a group of nations that includes Russia and much of the former Soviet Union, possibly indicating the hackers’ home base.
Data posted to the group’s dark web page suggest that victims included Dixie Group Inc., a major U.S. manufacturer of carpets and rugs; the farm products supplier Carolina Eastern Inc.; and Paslin Co., a Michigan company that makes welding machinery for the auto industry. Representatives for the three companies didn’t immediately respond to a request for comment, but the Dixie Group in April disclosed a ransomware hack.
None of those garnered the kind of attention that has resulted from the attack on Colonial Pipeline, which operates more than 5,000 miles of pipeline that ship gasoline and jet fuel from Houston up the East Coast to the area around New York City.
There is some evidence that DarkSide did not intend for the hack to have so great an impact. The group’s operators released a statement Monday saying that they had no interest in geopolitics and weren’t even in control of which companies get attacked using their platform.
That could very well be true, said Adrian Nish, head of cyber for BAE Systems Applied Intelligence. “The traditional affiliate model is like a distributor in business,” he said. “You build the tools but then scale up by getting a whole lot of people to use your tools and services.”
In DarkSide’s case, that includes not just the ransomware used to encrypt data on victims’ computers but also services such as placing calls to those victims and hosting a website where sensitive data stolen during attacks can be posted. Ransom demands easily reach into the millions of dollars for large companies, and DarkSide takes a 10 percent to 25 percent cut off the top of any payment, according to Intel 471’s Arena.
He said Intel 471 analysts were able to observe a negotiation between DarkSide and a large U.S. victim over several days in January. The hackers began by demanding $30 million, which would double if payment wasn’t made by a defined date. The hackers also threatened to release sensitive data stolen from the company unless it paid, providing samples to validate the threat.
During the negotiations, the hackers said they had encrypted 500 of the company’s main data servers, plus hundreds of back-up servers, a trick to make it harder for victims to recover from the attack. After four days of haggling, the company paid more than $14 million in ransom, according to an Intel 471 report on the event.
The earliest traces cybersecurity experts can find of the criminals behind DarkSide date to around 2013, when the same hackers were attacking financial organizations in Russia, before moving on in subsequent years to targets in the Middle East, Europe and the United States, according to Adam Meyers, senior vice president of intelligence at the cybersecurity firm CrowdStrike Inc.
CrowdStrike dubbed that earlier organization Carbon Spider, and by 2016 the group had lost some of its hackers, who split off and formed their own crime organization focused on the financial sector.
By 2020, some of the hackers were using ransomware from another group, called REvil, before launching the “ransomware as service program” called DarkSide that hit Colonial Pipeline, according to CrowdStrike.
Some ransomware groups have vicious reputations — hitting hospitals during the pandemic, for example — but DarkSide has tried to cultivate a reputation for professionalism, and even humanism.
They have rules against attacking hospitals and nonprofits, according to an analysis of the group’s postings by the cybersecurity firm ESentire. And they say they have donated several thousand dollars to a charity supporting disadvantaged children and another one that works to provide clean drinking water in Africa.
At one point the group offered to provide stock traders with insider information from victim companies, which they could use to make money on the market — a move that appeared to be an attempt to cultivate a Robin Hood-esque reputation for spreading corporate wealth, according to screenshots of the group’s blog provided by ESentire.
Following all the attention garnered by the Colonial hack, the group vowed to be more careful in vetting affiliates and keeping an eye on the victims they are targeting. “Our goal is to make money and not creating problems for society. From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future,” the group said in a statement posted on its dark web page.
BAE’s Nish said he believes that DarkSide’s carefully cultivated image is just a marketing ploy. The group does not pick its targets for ideological reasons, he said. Like other ransomware groups, DarkSide has learned that large manufacturing companies often have cyber insurance and pay quickly.
“You hear this talk of the geopolitical stuff, but this is really about money,” Nish said. “These are criminals and they act rationally; they do what they need to make money.”