DarkSide ransomware is part of a growing underground industry, experts say

WASHINGTON — On Monday, the FBI said a ransomware attack that disabled a major U.S. pipeline last week originated from a product developed by the criminal group DarkSide.

The hackers who crafted the malware that compromised Colonial Pipeline Co., which provides 45 percent of the East Coast’s gasoline, diesel and jet fuel, sell an easy-to-use tool kit to customers hoping to get into the ransomware business — a growing industry that now allows nearly anyone to reap payments from victims after encrypting their private files and holding them hostage.

“The days of the hooded hacker … are gone,” said Lior Div, the CEO and co-founder of cybersecurity company Cybereason. “It’s not dark anymore, it’s a real business. … When there is financial motivation, there are bad people that are going to fund it.”

Image showing the Colonial Pipeline Houston Station facility in Pasadena, Texas (East of Houston) taken on May 10, 2021. (Francois Picard/AFP via Getty Images)
A Colonial Pipeline facility in Pasadena, Texas. (Getty Images)

Div and his colleagues have been monitoring the spread of DarkSide ransomware since late last summer, and, according to Div, have successfully blocked attacks that used the tool on many occasions. “It almost came from nowhere, and it became very active and very aggressive,” he recalled.

While Colonial Pipeline announced on Monday that it had protected most of its systems from the impact of the intrusion and was slowly bringing parts of the pipeline back online, the days-long disruption in delivery of fuel to a large segment of the country highlighted the growing real-world impact of ransomware. But at the same time, it placed a spotlight on the criminals behind the growing ransomware industry, who, Div suggested, may not appreciate the attention from the U.S. government, as it’s “bad for business.”

DarkSide, a relatively new ransomware tool, is sold by hackers who claim to have “received millions of dollars profit by partnering with other well-known cryptolockers,” creating a “perfect product” based on years of experience, according to a press release the group published in August 2020.

According to Div, because offering an easy-to-deploy full-service ransomware tool to buyers requires substantial funding, expertise and resources, it’s clear the criminal group is sophisticated, not unlike a startup company staffed by experts. While the hacking group’s website was down on Tuesday for a period of time, it’s clear it has a very professional operation, he told Yahoo News. “We know for sure these are people who have been there, done that. You can see it in the speed, the quality [of attacks]. In order to develop something like this, you need a list of developers, you need to pay them well.” The company will need to employ experts to make sure the ransomware tool works at all times. “This is not two people in a garage,” Div said.

Holding tanks are seen in an aerial photograph at Colonial Pipeline's Dorsey Junction Station in Woodbine, Maryland, U.S. May 10, 2021. (Drone Base/Reuters)
Holding tanks at Colonial Pipeline’s Dorsey Junction Station in Woodbine, Md. (Reuters)

While the product itself is fairly new, ransomware has become an increasingly popular and profitable enterprise for criminals and nation-states alike over recent years. By August 2020, just a couple of months after millions of people around the world began working from home amid the coronavirus pandemic, DarkSide had launched its operations on the dark web, but it is far from the only threat. According to recent remarks by Homeland Security Secretary Alejandro Mayorkas, ransomware attacks have increased by 300 percent over the past year, costing victims more than $350 million. North Korean hackers, in an effort to evade harsh sanctions on the isolated kingdom, have deployed their own ransomware and other digital attacks to pilfer over $1 billion in recent years, according to a Justice Department indictment unsealed in February.

While Div said he doesn’t keep specific statistics about the number of companies offering ransomware as a service at any given time, he did explain that his company saw a huge uptick in the sale of ransomware tools as people began working from home during the pandemic, unprotected by corporate networks and security tools.

Ransomware as a service, according to cybersecurity researchers who have analyzed the industry, is a popular new business model in which professional hackers, rather than going after targets themselves, sell access to their malicious digital tools to customers. This model “gives everyone, even people without much technical knowledge, the ability to launch ransomware attacks just by signing up for a service,” explained cybersecurity firm CrowdStrike in a blog post in January.

According to cybersecurity firm Digital Shadows, DarkSide is “hardly innovating” in the methods it uses to compromise its targets, making use of well-known vulnerabilities, though the group “has a highly targeted approach” in selecting victims, according to the researchers.

Additionally, the group that sells DarkSide has put on a professional veneer, publishing press releases, providing victim service communication portals and establishing corporate principles, including not attacking hospitals, schools and universities, nonprofits or government agencies. The group also promises to provide a good-faith example of its ability to decrypt files to demonstrate trust, and has even made attempts to donate anonymous digital currency to various charities, though those groups have refused the funds based on their criminal origins.

Secretary of Homeland Security Alejandro Mayorkas briefs reporters on the cyber attack on the Colonial Pipeline and the U.S. response during the daily press briefing at the White House on May 11, 2021 in Washington, DC. (Drew Angerer/Getty Images)
Homeland Security Secretary Alejandro Mayorkas briefs reporters on the cyberattack on the Colonial Pipeline and the U.S. response on Tuesday. (Getty Images)

The criminal group has been described as something of a “Robin Hood,” though its list of prohibited targets notably excludes companies that fall under the banner of critical infrastructure, despite their importance to the functioning of everyday society.

According to Div, the hackers’ attempt at appearing like “the good guy" is driven purely by the desire for profit, because “by generating trust, saying they’re not the bad guys, the probability you’re going to pay them is higher.” He analyzed an announcement made after the pipeline attack, in which the group promised to investigate its customer for targeting critical infrastructure, as part of the same style of reputation management rather than genuine concern. Ultimately, he concluded, the criminal group is likely actually quite familiar with its customers, because it is sharing profits with them.

Researchers have concluded the veteran hackers are based in Eastern Europe, partially based on the fact that the malware does not work when a device’s keyboard is set up for a variety of languages spoken in former Soviet bloc countries, including Russian, Ukrainian and Armenian.

On Monday, President Biden said that “there is no evidence from our intelligence people that Russia is involved,” referring to the Russian government. However, he indicated that there is evidence “the actor’s ransomware is in Russia,” concluding that “they have some responsibility to deal with this.” In countries like Russia, researchers have studied how independent hackers often work directly or indirectly with the state in intelligence operations and, in turn, are given leniency and discretion to make a living through criminal activity. Therefore, it’s likely the Russian government or intelligence services would have at least been aware of the activities of the hackers selling the DarkSide ransomware, even if they are not involved in the hackers’ day-to-day operations.

U.S. President Joe Biden delivers remarks on the economy in the East Room of the White House on May 10, 2021 in Washington, DC. (Drew Angerer/Getty Images)
President Biden delivers remarks at the White House on Monday. (Getty Images)

Former top counterintelligence official William Evanina, in a tweet posted on Monday afternoon, wrote that DarkSide “is a criminal organization based in Russia,” which “cannot operate from within Russia without at least a tacit approval of the intelligence services or Moscow leadership.”

The Biden administration is focused on a broad effort to counter ransomware and increase the defenses of industrial control systems companies in particular.

According to Biden’s deputy national security adviser for cyber and emerging technologies, Anne Neuberger, who spoke during the White House press briefing on Monday, the FBI has been investigating the DarkSide ransomware variant since October and, beyond offering specific indicators of compromise and advice on mitigating attacks to potential victims, has been specifically working on disrupting the digital infrastructure, such as servers the attackers use to launch their attacks. The FBI recently teamed up with international partners to shut down infrastructure used to launch the costly and dangerous Emotet and NetWalker ransomware strains.


Read more from Yahoo News: