US authorities have identified a relatively new gang of cyber criminals as being behind the ransomware attack which paralyzed a key fuel pipeline.
Experts say the group, called DarkSide, is one of a growing number of outfits that provide attack software to other groups.
DarkSide first emerged publicly in August 2020 and it specializes in what is known as ransomware: programs that infiltrate a victim’s computer network and then encrypt data on machines, thus blocking operations. The criminals then demand a ransom to free the data.
– Pay or data sold –
Experts believe that the team behind DarkSide is made up of experienced cyber criminals, because its software goes beyond earlier, indiscriminate ransomware attacks.
“DarkSide follows the double extortion trend, which means the threat actors not only encrypt the user’s data, but first exfiltrate the data and threaten to make it public if the ransom demand is not paid,” said analysts at Cybereason, a firm which helps companies protect themselves against such attacks.
“This technique effectively renders the strategy of backing up data as a precaution against a ransomware attack moot,” the company said on its website.
If the group doesn’t get what it wants, it can “auction the data off to other pirates, to databases of stolen information,” said Damien Bancal, a journalist at Zataz.com who specializes in the illegal traffic of stolen information.
DarkSide can also threaten to make public sensitive or embarrassing data.
“The amount of a DarkSide ransom varies between $200,000 and $2 million,” France’s national data security agency ANSSI said in February.
– Ransomware as a service –
Experts believe that DarkSide rarely carries out attacks itself.
Instead, it provides the software and assists its clients who carry out the attacks.
“Those responsible for DarkSide are very organized, and they have a mature Ransomware as a Service (RaaS) business model and affiliate program,” said Cybereason.
“The group has a phone number and even a help desk to facilitate negotiations with and collect information about its victims — not just technical information regarding their environment but also more general details relating to the company itself like the organization’s size and estimated revenue,” the company added.
Zataz.com’s Damien Bancal said DarkSide even offers a sort of “after-sale service” option to help negotiate with victims.
Security expert Gerome Billois at WaveStone compared DarkSide’s business model to that of technology platforms like Uber. It links up cyber criminals with potential victims, provides the necessary software, and receives a commission from whatever ransom is paid.
– Based in Russia? –
In a statement published on the darknet — an area of the Internet not accessible to the general public — DarkSide states that it has no political agenda and no governmental links.
It said it is out to make money, not to create social problems, so it claimed it will only ransom companies that can afford it.
US authorities believe DarkSide is based in Russia.
While US President Joe Biden said US intelligence had no evidence linking the group to the Kremlin, he said the Russian government had “some responsibility to deal with this”.
The Russian embassy in Washington on Tuesday denied any government link to the attack on the Colonial Pipeline, which carries fuel from Texas to major cities across the eastern United States.
But certain computer security experts suspect that the Russian government may condone DarkSide’s operations, as it appears to target Western firms but not Russian ones.
“So a ransomware group we believe is operating (and likely harbored) by Russia has shut down a company that is moving 45 percent of petroleum supplying the East Coast,” Dmitri Alperovitch, founder of the computer security firm CrowdStrike, tweeted at the weekend.
Kaspersky, a Russian computer security firm, believes that DarkSide may not have expected the attack against Colonial to result in the shutting down of the pipeline and the attention that it has drawn.
The company believes DarkSide may dial back its attacks to avoid any similar situation.