DarkSide (hacker group)

Purpose: Ransomware as a service
Region: Eastern Europe
Official language: Russian

DarkSide is a cybercriminal hacking group, believed to be based in Russia, that targets victims using ransomware and extortion; it is believed to be behind the Colonial Pipeline cyberattack. [1] [2] [3] [4] It is thought that they have been able to hack and extort money from around 90 companies in the USA alone. The group provides ransomware as a service. [4] [5] [6]

DarkSide itself claims to be apolitical. [7]

Targets

DarkSide is believed to be based in Eastern Europe, likely Russia, but unlike other hacking groups responsible for high-profile cyberattacks it is not believed to be directly state-sponsored (i.e., operated by Russian intelligence services). [3] [8] DarkSide avoids targets in certain geographic locations by checking their system language settings. In addition to the languages of the 12 current, former, or founding CIS countries, the exclusion list contains Syrian Arabic. [9] Experts state that the group is "one of the many for-profit ransomware groups that have proliferated and thrived in Russia" with at least the implicit sanction of the Russian authorities, who allow the activity to occur so long as it attacks foreign targets. [8] The language check can be disabled when an instance of the ransomware is built; one such build was observed in May 2021. [10] Additionally, DarkSide does not target healthcare centers, schools, and non-profit organizations. [11]

Ransomware code used by DarkSide resembles ransomware software used by REvil, a different hacking group; REvil's code is not publicly available, suggesting that DarkSide is an offshoot of REvil [12] or a partner of REvil. [4] DarkSide and REvil use similarly structured ransom notes and the same code to check that the victim is not located in a Commonwealth of Independent States (CIS) country. [13]

According to Trend Micro Research data, the United States is by far DarkSide's most targeted country, at more than 500 detections, followed by France, Belgium, and Canada. [13] Of 25 countries observed by McAfee, the most affected by DarkSide attacks in terms of number of devices impacted per million devices are Israel (1573.28), Malaysia (130.99), Belgium (106.93), Chile (103.97), Italy (95.91), Turkey (66.82), Austria (61.19), Ukraine (56.09), Peru (26.94), and the U.S. (24.67). [14]

As of June 2021, DarkSide has only published data from one company; the amount of data published exceeds 200 GB. [15]

Mechanism of attack

The DarkSide ransomware initially bypasses UAC using the CMSTPLUA COM interface. [15] The software then checks the system's location and language to avoid machines in former Soviet countries; the excluded languages are Russian, Ukrainian, Belarusian, Tajik, Armenian, Azerbaijani, Georgian, Kazakh, Kyrgyz, Turkmen, Uzbek, Tatar, Moldovan Romanian, and Syrian Arabic. [15]

The software then creates a file named LOG.{userid}.TXT, which serves as a log file. [15] The software deletes files in the recycle bin one by one, uninstalls certain security and backup software programs, and terminates processes to allow access to user data files. [15] During the encryption process proper, a user ID is generated based on a MAC address and appears appended to filenames, and file data is encrypted with Salsa20 and a randomly generated matrix key (which, encrypted with a hardcoded RSA key, is itself appended to the file). [15] However, the software avoids encrypting certain folders, files, and filetypes. [15]

Finally, the ransomware leaves behind a ransom note titled README.{userid}.TXT, which directs the user to access a site with Tor; this site then prompts the user to verify their identity and to make a payment using Bitcoin or Monero. [15]
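The artifact naming described above (a LOG.{userid}.TXT log file, README.{userid}.TXT ransom notes, and the same user ID appended to every encrypted filename) gives an incident responder a cheap consistency check over a file listing. The following triage helper is an added example, not code from the article or from any vendor report; the exact format of the user ID is an assumption (it is derived from a MAC address on the victim host), so the code only requires the same token to recur across the three artifact kinds.

```python
"""Triage a collected file listing for DarkSide-style artifacts.

Hypothetical helper (not from the article): it looks for ransom notes and
log files carrying a user-ID token, then counts user files that carry the
same token as an appended extension. Everything below is constructed.
"""
import re
from collections import Counter, defaultdict
from pathlib import PurePosixPath, PureWindowsPath

# Fixed parts are matched case-insensitively; the uid token is captured as-is.
# The token alphabet is an assumption about the MAC-derived user ID.
NOTE_RE = re.compile(r"^README\.(?P<uid>[0-9A-Za-z]+)\.TXT$", re.IGNORECASE)
LOG_RE = re.compile(r"^LOG\.(?P<uid>[0-9A-Za-z]+)\.TXT$", re.IGNORECASE)


def _basename(path: str) -> str:
    """Return the final path component for Windows or POSIX style paths."""
    return PureWindowsPath(path).name if "\\" in path else PurePosixPath(path).name


def triage(paths, min_encrypted: int = 1) -> dict:
    """Group artifacts by user-ID token.

    For every token seen in a ransom note or log file, report where the notes
    and logs were dropped, how many other files carry that token as their
    last extension, and whether the pattern is consistent enough to flag.
    """
    notes = defaultdict(list)
    logs = defaultdict(list)
    suffix_counts = Counter()
    for path in paths:
        name = _basename(path)
        if (m := NOTE_RE.match(name)):
            notes[m["uid"]].append(path)
        elif (m := LOG_RE.match(name)):
            logs[m["uid"]].append(path)
        else:
            # Appended user IDs show up as the outermost extension
            # (e.g. budget.xlsx.<uid> -> "<uid>").
            suffix_counts[PurePosixPath(name).suffix.lstrip(".")] += 1

    report = {}
    for uid in sorted(set(notes) | set(logs)):
        encrypted = suffix_counts.get(uid, 0)
        report[uid] = {
            "ransom_notes": sorted(notes[uid]),
            "log_files": sorted(logs[uid]),
            "encrypted_files": encrypted,
            # A note plus files carrying the same token is the signature
            # the article describes; a lone README.x.TXT is not enough.
            "confident": bool(notes[uid]) and encrypted >= min_encrypted,
        }
    return report


# Constructed listing of one host; "5fa2c9d1" is a made-up user-ID token.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.5fa2c9d1",
    r"C:\Users\alice\Documents\notes.docx.5fa2c9d1",
    r"C:\Users\alice\Documents\README.5fa2c9d1.TXT",
    r"C:\Users\alice\Pictures\holiday.jpg.5fa2c9d1",
    r"C:\Users\alice\Pictures\README.5fa2c9d1.TXT",
    r"C:\Users\alice\AppData\Local\Temp\LOG.5fa2c9d1.TXT",
    r"C:\Windows\System32\ntdll.dll",  # system folder left alone, untouched
    r"C:\Users\alice\README.txt",      # ordinary readme, carries no token
]

if __name__ == "__main__":
    for uid, info in triage(SAMPLE_LISTING).items():
        print(uid, info["encrypted_files"], "encrypted,",
              len(info["ransom_notes"]), "notes, confident:", info["confident"])
```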

Business model

DarkSide uses intermediary hackers ("affiliates"). [16] It uses "ransomware-as-a-service", [4] [5] [6] a model in which DarkSide grants its "affiliate" subscribers (who are screened via an interview) access to ransomware developed by DarkSide, in return for giving DarkSide a share of the ransom payments (apparently 25% for ransom payments under US$500,000 and 10% for ransom payments over US$5 million). [4] Affiliates are given access to an administration panel on which they create builds for specific victims. The panel allows some degree of customization for each ransomware build. Cybersecurity firm Mandiant, a subsidiary of FireEye, has documented five clusters of threat activity that may represent different affiliates of the DarkSide RaaS platform, and has described three of them, referred to as UNC2628, UNC2659, and UNC2465. [10]

Some researchers have contended that DarkSide’s business model is comparable to a franchise, meaning that buyers can use DarkSide’s branding in their attacks. Additionally, DarkSide is known to operate with a level of professionalism, as analysts have noted that the hacker group has a press room, mailing list, and victim hotline found on their website. [17]

History and attacks

2020

The group was first noticed in August 2020. [15] Cybersecurity company Kaspersky described the group as an "enterprise" due to its professional-looking website and attempts to partner with journalists and decryption companies. [2] The group "has publicly stated that they prefer to target organizations that can afford to pay large ransoms instead of hospitals, schools, non-profits, and governments." [6] The group has sought to foster a "Robin Hood" image, claiming that they donated some of their ransom proceeds to charity. [1] [18] In a darkweb post, the group posted receipts for donations of BTC 0.88 (then worth US$10,000) each to Children International and to The Water Project dated to October 13, 2020; Children International stated that it will not keep the money. [19] [20]

2020 to 2021

From December 2020 to May 2021, ransoms demanded by the group ranged from US$200,000 to US$2 million. [15] [12] DarkSide attacked U.S. oil and gas infrastructure on four occasions. [8] DarkSide ransomware hit the IT managed services provider CompuCom in March 2021, costing over US$20 million in restoration expenses; it also attacked Canadian Discount Car and Truck Rentals [21] and Toshiba Tec Corp., a unit of Toshiba Corp. [22] DarkSide extorted money from the German company Brenntag. [16] The cryptocurrency security firm Elliptic stated that a Bitcoin wallet opened by DarkSide in March 2021 had received US$17.5 million from 21 Bitcoin wallets (including the Colonial Pipeline ransom), indicating the number of ransoms received over the course of a few months. [16] Elliptic's analysis showed that in total, DarkSide received over US$90 million in ransom payments from at least 47 victims; the average ransom payment was US$1.9 million. [23]

2021

The Federal Bureau of Investigation identified DarkSide as the perpetrator of the Colonial Pipeline ransomware attack, a cyberattack on May 7, 2021, perpetrated by malicious code, that led to a voluntary shutdown of the main pipeline supplying 45% of fuel to the East Coast of the United States. [3] [12] [24] The attack was described as the worst cyberattack to date on U.S. critical infrastructure. [1] DarkSide successfully extorted about 75 Bitcoin (almost US$5 million) from Colonial Pipeline. [16] U.S. officials are investigating whether the attack was purely criminal or took place with the involvement of the Russian government or another state sponsor. [12] Following the attack, DarkSide posted a statement claiming that "We are apolitical, we do not participate in geopolitics...Our goal is to make money and not creating problems for society." [12]

In May 2021, the FBI and Cybersecurity and Infrastructure Security Agency issued a joint alert urging the owners and operators of critical infrastructure to take certain steps to reduce their vulnerability to DarkSide ransomware and ransomware in general. [6]

On 14 May 2021, in a Russian-language statement obtained by the cybersecurity firms Recorded Future, FireEye, and Intel 471 and reported by the Wall Street Journal and The New York Times, DarkSide said that "due to the pressure from the U.S." it was shutting down operations, closing the gang's "affiliate program" (the intermediary hackers that DarkSide works with to hack). [16] [25] The specific "pressure" referred to was not clear, but the preceding day, U.S. President Joe Biden suggested that the U.S. would take action against DarkSide to "disrupt their ability to operate." [16] DarkSide claimed that it had lost access to its payment server, blog, and funds withdrawn to an unspecified account. [16] Cybersecurity experts cautioned that DarkSide's claim to have disbanded might be a ruse to deflect scrutiny, [16] and possibly allow the gang to resume hacking activities under a different name. [25] It is common for cybercriminal networks to shut down, revive, and rebrand in this way. [16]

Agence France-Presse reporters discovered that the Recorded Future report which detailed the loss of DarkSide servers and funds was retweeted by the Twitter account of the 780th Military Intelligence Brigade, a US Army Cyberwarfare group involved in offensive operations. [26]

Posterity

In April 2022, the Federal Bureau of Investigation (FBI) released an advisory stating that several developers and money launderers for BlackCat had links to two defunct ransomware as a service (RaaS) groups, DarkSide and BlackMatter. [27] According to some experts, BlackCat might be a rebranding of DarkSide after its attack on the Colonial Pipeline. [28]

References

  1. "Who are DarkSide, the 'Robin Hood' criminal gang blamed for shutting down one of the biggest fuel pipelines in the US?". www.abc.net.au. May 9, 2021. Retrieved May 10, 2021.
  2. Dedenok, Roman (May 10, 2021). "DarkSide leaks shows how ransomware is becoming an industry". Kaspersky Daily. AO Kaspersky Lab.
  3. Dustin Volz, "U.S. Blames Criminal Group in Colonial Pipeline Hack", Wall Street Journal (May 10, 2021).
  4. Charlie Osborne, "Researchers track down five affiliates of DarkSide ransomware service", ZDNet (May 12, 2021).
  5. Chris Nuttall, "DarkSide's ransomware-as-a-service", Financial Times (May 10, 2021).
  6. "Alert (AA21-131A): DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks", Cybersecurity and Infrastructure Security Agency/Federal Bureau of Investigation (May 11, 2021, last revised May 12, 2021).
  7. Javers, Eamon (May 10, 2021). "Here's the hacking group responsible for the Colonial Pipeline shutdown". CNBC. Retrieved May 21, 2021.
  8. Nicolás Rivero, "Hacking collective DarkSide are state-sanctioned pirates", Quartz (May 10, 2021).
  9. "Cybereason vs. DarkSide Ransomware", Cybereason (April 1, 2021).
  10. "Shining a Light on DARKSIDE Ransomware Operations". Mandiant.
  11. Muncaster, Phil (March 12, 2021). "Darkside 2.0 Ransomware Promises Fastest Ever Encryption Speeds". Infosecurity Magazine. Retrieved May 21, 2021.
  12. David E. Sanger & Nicole Perlroth, "F.B.I. Identifies Group Behind Pipeline Hack", New York Times (May 10, 2021).
  13. "What We Know About the DarkSide Ransomware and the US Pipeline Attack", Trend Micro Research (May 14, 2021).
  14. "Threat Profile: DarkSide Ransomware", MVISION Insights, McAfee.
  15. "Case study: Darkside Ransomware does not attack hospitals, schools and governments". Acronis. Retrieved May 15, 2021.
  16. Michael Schwirtz & Nicole Perlroth, "DarkSide, Blamed for Gas Pipeline Attack, Says It Is Shutting Down", New York Times (May 14, 2021).
  17. Beerman, Jack; Berent, David; Falter, Zach; Bhunia, Suman (May 2023). "A Review of Colonial Pipeline Ransomware Attack". 2023 IEEE/ACM 23rd International Symposium on Cluster, Cloud and Internet Computing Workshops (CCGridW). IEEE. pp. 8–15. doi:10.1109/CCGridW59191.2023.00017. ISBN 979-8-3503-0208-0.
  18. "Mysterious 'Robin Hood' hackers donating stolen money". BBC News. October 19, 2020. Retrieved May 10, 2021.
  19. "Cybereason vs. DarkSide Ransomware". www.cybereason.com. April 1, 2021. Archived from the original on April 1, 2021. Retrieved June 10, 2021.
  20. Tidy, Joe (October 19, 2020). "Mysterious 'Robin Hood' hackers donating stolen money". BBC News. Retrieved June 10, 2021.
  21. Immanni, Manikanta (March 28, 2021). "Ransomware Attack on CompuCom Costs Over $20 Million in Restoration Expenses". TechDator. Retrieved May 14, 2021.
  22. Benoit Overstraeten & Makiko Yamazaki, "Toshiba unit hacked by DarkSide, conglomerate to undergo strategic review", Reuters (May 14, 2021).
  23. "DarkSide Ransomware has Netted Over $90 million in Bitcoin". Elliptic. Retrieved May 20, 2021.
  24. Ellen Nakashima, Yeganeh Torbati & Will Englund, "Ransomware attack leads to shutdown of major U.S. pipeline system", Washington Post (May 8, 2021).
  25. Robert McMillan & Dustin Volz, "Colonial Pipeline Hacker DarkSide Says It Will Shut Operations", Wall Street Journal (May 14, 2021).
  26. "Servers of Colonial Pipeline hacker Darkside forced down: security firm". AFP. Retrieved May 25, 2021.
  27. "Ransomware Spotlight: BlackCat - Security News". www.trendmicro.com. Retrieved July 14, 2023.
  28. "Breaking Down the BlackCat Ransomware Operation". cisecurity.org. July 7, 2022.