DarkSide (hacker group)

{{Short description|Hacking group believed to be behind the Colonial Pipeline cyberattack}}

{{use mdy dates|date=May 2021}}

{{Infobox organization

| full_name = DarkSide

| purpose = Ransomware as a service

| region = Eastern Europe

| language = Russian

}}

DarkSide is a cybercriminal hacking group, believed to be based in Russia, that targets victims using ransomware and extortion; it is believed to be behind the Colonial Pipeline cyberattack.{{cite news |title=Who are DarkSide, the 'Robin Hood' criminal gang blamed for shutting down one of the biggest fuel pipelines in the US? |url=https://www.abc.net.au/news/2021-05-10/cyber-attack-fuel-pipeline-united-states-darkside-colonial-pipe/100127554 |access-date=10 May 2021 |work=www.abc.net.au |date=9 May 2021 |language=en-AU}}{{cite web |last1=Dedenok |first1=Roman |title=DarkSide leaks shows how ransomware is becoming an industry |url=https://www.kaspersky.com/blog/darkside-ransomware-industry/39377/ |work=Kaspersky Daily|publisher=AO Kaspersky Lab|date=10 May 2021}}Dustin Volz, [https://www.wsj.com/articles/fbi-suspects-criminal-group-with-ties-to-eastern-europe-in-pipeline-hack-11620664720 U.S. Blames Criminal Group in Colonial Pipeline Hack], Wall Street Journal (May 10, 2021).Charlie Osborne, [https://www.zdnet.com/article/researchers-track-down-five-affiliates-of-darkside-ransomware-service/ Researchers track down five affiliates of DarkSide ransomware service], ZDNet (May 12, 2021). The group provides ransomware as a service.

DarkSide itself claims to be apolitical.{{Cite web|last=Javers|first=Eamon|date=2021-05-10|title=Here's the hacking group responsible for the Colonial Pipeline shutdown|url=https://www.cnbc.com/2021/05/10/hacking-group-darkside-reportedly-responsible-for-colonial-pipeline-shutdown.html|access-date=2021-05-21|website=CNBC|language=en}}

Targets

DarkSide is believed to be based in Eastern Europe, likely Russia, but unlike other hacking groups responsible for high-profile cyberattacks it is not believed to be directly state-sponsored (i.e., operated by Russian intelligence services).Nicolás Rivero, [https://qz.com/2007399/the-darkside-hackers-are-state-sanctioned-pirates/ Hacking collective DarkSide are state-sanctioned pirates], Quartz (May 10, 2021). DarkSide avoids targets in certain geographic locations by checking their system language settings. In addition to the languages of the 12 current, former, or founding CIS countries, the exclusion list contains Syrian Arabic.[https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware Cybereason vs. DarkSide Ransomware], Cybereason (April 1, 2021). Experts state that the group is "one of the many for-profit ransomware groups that have proliferated and thrived in Russia" with at least the implicit sanction of the Russian authorities, who allow the activity to occur so long as it attacks foreign targets. The language check can be disabled when an instance of the ransomware is built; one such build was observed in May 2021.{{Cite web|url=https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html|title = Shining a Light on DARKSIDE Ransomware Operations | Mandiant}} Additionally, DarkSide states that it does not target healthcare centers, schools, and non-profit organizations.{{Cite web|last=Muncaster|first=Phil|date=2021-03-12|title=Darkside 2.0 Ransomware Promises Fastest Ever Encryption Speeds|url=https://www.infosecurity-magazine.com:443/news/darkside-20-ransomware-fastest/|access-date=2021-05-21|website=Infosecurity Magazine}}

Ransomware code used by DarkSide resembles ransomware software used by REvil, a different hacking group; REvil's code is not publicly available, suggesting that DarkSide is an offshoot of REvilDavid E. Sanger & Nicole Perlroth, [https://www.nytimes.com/2021/05/10/us/politics/pipeline-hack-darkside.html F.B.I. Identifies Group Behind Pipeline Hack], New York Times (May 10, 2021). or a partner of REvil. DarkSide and REvil use similarly structured ransom notes and the same code to check that the victim is not located in a Commonwealth of Independent States (CIS) country.[https://www.trendmicro.com/en_us/research/21/e/what-we-know-about-darkside-ransomware-and-the-us-pipeline-attac.html What We Know About the DarkSide Ransomware and the US Pipeline Attack], Trend Micro Research (May 14, 2021).

According to Trend Micro Research data, the United States is by far DarkSide's most targeted country, at more than 500 detections, followed by France, Belgium, and Canada. Of 25 countries observed by McAfee, the most affected by DarkSide attacks in terms of number of devices impacted per million devices are Israel (1573.28), Malaysia (130.99), Belgium (106.93), Chile (103.97), Italy (95.91), Turkey (66.82), Austria (61.19), Ukraine (56.09), Peru (26.94), and the U.S. (24.67).[https://www.mcafee.com/enterprise/en-us/lp/insights-preview.html Threat Profile: DarkSide Ransomware], MVISION Insights, McAfee.

As of June 2021, DarkSide has only published data from one company; the amount of data published exceeds 200 GB.

Mechanism of attack

{{Expand section|date=June 2021}}

The DarkSide ransomware initially bypasses UAC using the CMSTPLUA COM interface. The software then checks the system's location and language to avoid machines in former Soviet countries and Syria; the excluded languages are Russian, Ukrainian, Belarusian, Tajik, Armenian, Azerbaijani, Georgian, Kazakh, Kyrgyz, Turkmen, Uzbek, Tatar, Moldovan Romanian, and Syrian Arabic.

The software then creates a file named LOG.{userid}.TXT, which serves as a log file. The software deletes files in the recycle bin one by one, uninstalls certain security and backup software programs, and terminates processes to allow access to user data files. During the encryption process proper, a user ID is generated based on a MAC address and appears appended to filenames, and file data is encrypted with Salsa20 under a randomly generated key; that key, encrypted with a hardcoded RSA public key, is itself appended to the file, so only the holder of the matching private key can recover it. However, the software avoids encrypting certain folders, files, and filetypes.

Finally, the ransomware leaves behind a ransom note titled README.{userid}.TXT, which directs the user to access a site with Tor; this site then prompts the user to verify their identity and to make a payment using Bitcoin or Monero.
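The hybrid scheme described above (a fresh Salsa20 key per file, wrapped with a hardcoded RSA public key and stored with the file, a victim ID derived from the MAC address in the file name) can be modelled in a few dozen lines. The following is an added illustration, not DarkSide's code: the Salsa20/20 stream cipher follows Bernstein's specification, but the RSA part is a deliberately small textbook (unpadded) implementation generated at run time, the footer layout, the SHA-256-based ID derivation and the sample data are assumptions, and the whole thing is a model of why a victim cannot decrypt without the operator's private key.

```python
"""Model of per-file hybrid encryption as used by DarkSide (added example, not DarkSide code)."""
import hashlib
import os
import random
import struct

# ---- Salsa20/20 keystream (Bernstein's spec, 32-byte key, 8-byte nonce) ----
_SIGMA = struct.unpack("<4I", b"expand 32-byte k")


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def _qr(s, a, b, c, d):
    """Salsa20 quarterround on state words a, b, c, d (in place)."""
    s[b] ^= _rotl((s[a] + s[d]) & 0xFFFFFFFF, 7)
    s[c] ^= _rotl((s[b] + s[a]) & 0xFFFFFFFF, 9)
    s[d] ^= _rotl((s[c] + s[b]) & 0xFFFFFFFF, 13)
    s[a] ^= _rotl((s[d] + s[c]) & 0xFFFFFFFF, 18)


def salsa20_block(key, nonce, counter):
    """One 64-byte keystream block: 10 double rounds over the 4x4 word matrix."""
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    x = [_SIGMA[0], k[0], k[1], k[2], k[3], _SIGMA[1], n[0], n[1],
         counter & 0xFFFFFFFF, counter >> 32, _SIGMA[2], k[4], k[5], k[6], k[7], _SIGMA[3]]
    s = x[:]
    for _ in range(10):
        _qr(s, 0, 4, 8, 12); _qr(s, 5, 9, 13, 1); _qr(s, 10, 14, 2, 6); _qr(s, 15, 3, 7, 11)  # columns
        _qr(s, 0, 1, 2, 3); _qr(s, 5, 6, 7, 4); _qr(s, 10, 11, 8, 9); _qr(s, 15, 12, 13, 14)  # rows
    return struct.pack("<16I", *((a + b) & 0xFFFFFFFF for a, b in zip(x, s)))


def salsa20_xor(key, nonce, data):
    """Encrypt or decrypt (same operation) by XORing with the keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], salsa20_block(key, nonce, i // 64)))
    return bytes(out)


# ---- Toy RSA standing in for the operator's hardcoded key (assumption) ----
def _is_probable_prime(n, rounds=32):
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def rsa_keygen(bits=512):
    """Return ((n, e), (n, d)). In the real scheme only (n, e) ships in the build."""
    while True:
        p, q = (random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1 for _ in range(2))
        if p == q or not (_is_probable_prime(p) and _is_probable_prime(q)):
            continue
        n, e = p * q, 65537
        try:
            return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))
        except ValueError:  # e not invertible mod phi; retry
            continue


# ---- File handling (footer layout and ID derivation are assumptions) ----
def victim_id(mac):
    """8-hex-char ID derived from the MAC, appended to encrypted file names."""
    return hashlib.sha256(mac.encode()).hexdigest()[:8]


def encrypt_file(plaintext, pub):
    n, e = pub
    key, nonce = os.urandom(32), os.urandom(8)  # fresh per file
    body = salsa20_xor(key, nonce, plaintext)
    wrapped = pow(int.from_bytes(key + nonce, "big"), e, n).to_bytes(64, "big")  # 40 bytes < modulus
    return body + wrapped  # ciphertext followed by the RSA-wrapped key as a 64-byte footer


def decrypt_file(blob, priv):
    """What the operator's decryptor does; impossible without d."""
    n, d = priv
    body, wrapped = blob[:-64], blob[-64:]
    kn = pow(int.from_bytes(wrapped, "big"), d, n).to_bytes(40, "big")
    return salsa20_xor(kn[:32], kn[32:], body)


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    sample = b"constructed sample payroll row\n" * 40  # constructed data, not a real file
    blob = encrypt_file(sample, pub)
    print("payroll.xlsx." + victim_id("00:11:22:33:44:55"), len(blob), decrypt_file(blob, priv) == sample)
```

The point a responder should take from the model: every file carries its own Salsa20 key, but only in RSA-wrapped form, so recovering files means recovering the operator's private key (or a leaked decryptor), not breaking Salsa20. The unpadded RSA and 512-bit modulus here are for brevity only and would be unacceptable in any real design.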

Business model

DarkSide uses intermediary hackers ("affiliates").Michael Schwirtz & Nicole Perlroth, [https://www.nytimes.com/2021/05/14/business/darkside-pipeline-hack.html DarkSide, Blamed for Gas Pipeline Attack, Says It Is Shutting Down], New York Times (May 14, 2021). It uses "ransomware-as-a-service"Chris Nuttall, [https://www.ft.com/content/78b2decb-f14a-4bf2-8e5e-87a3076b72dc DarkSide's ransomware-as-a-service], Financial Times (May 10, 2021).[https://us-cert.cisa.gov/ncas/alerts/aa21-131a Alert (AA21-131A): DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks], Cybersecurity and Infrastructure Security Agency/Federal Bureau of Investigation (May 11, 2021, last revised May 12, 2021). — a model in which DarkSide grants its "affiliate" subscribers (who are screened via an interview) access to ransomware developed by DarkSide, in return for a share of the ransom payments (apparently 25% for ransom payments under US$500,000 and 10% for ransom payments over US$5 million). Affiliates are given access to an administration panel on which they create builds for specific victims; the panel allows some degree of customization for each ransomware build. Cybersecurity firm Mandiant, a subsidiary of FireEye, has documented five clusters of threat activity that may represent different affiliates of the DarkSide RaaS platform, and has described three of them, referred to as UNC2628, UNC2659, and UNC2465.

Some researchers have contended that DarkSide’s business model is comparable to a franchise, meaning that buyers can use DarkSide’s branding in their attacks. Additionally, DarkSide is known to operate with a level of professionalism, as analysts have noted that the hacker group has a press room, mailing list, and victim hotline found on their website.{{Cite book |last1=Beerman |first1=Jack |last2=Berent |first2=David |last3=Falter |first3=Zach |last4=Bhunia |first4=Suman |chapter=A Review of Colonial Pipeline Ransomware Attack |date=May 2023 |title=2023 IEEE/ACM 23rd International Symposium on Cluster, Cloud and Internet Computing Workshops (CCGridW) |chapter-url=https://ieeexplore.ieee.org/document/10181159 |publisher=IEEE |pages=8–15 |doi=10.1109/CCGridW59191.2023.00017 |isbn=979-8-3503-0208-0}}

History and attacks

=2020=

The group was first noticed in August 2020.{{cite web |title=Case study: Darkside Ransomware does not attack hospitals, schools and governments|url=https://www.acronis.com/en-au/articles/darkside-ransomware/ |publisher=Acronis|access-date=May 15, 2021}} Cybersecurity company Kaspersky described the group as an "enterprise" due to its professional-looking website and attempts to partner with journalists and decryption companies. The group "has publicly stated that they prefer to target organizations that can afford to pay large ransoms instead of hospitals, schools, non-profits, and governments." The group has sought to foster a "Robin Hood" image, claiming that they donated some of their ransom proceeds to charity.{{cite web|date=19 October 2020|title=Mysterious 'Robin Hood' hackers donating stolen money|url=https://www.bbc.com/news/technology-54591761|access-date=10 May 2021|publisher=BBC News}} In a darkweb post, the group posted receipts for donations of {{Currency|0.88|BTC}} (then worth {{Currency|10,000|USD}}) each to Children International and to The Water Project dated to October 13, 2020; Children International stated that it will not keep the money.{{Cite web|last=|first=|date=1 April 2021|title=Cybereason vs. DarkSide Ransomware|url=https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware|url-status=live|access-date=10 June 2021|website=www.cybereason.com|language=en|archive-url=https://web.archive.org/web/20210401143047/https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware |archive-date=April 1, 2021 }}{{Cite news|last=Tidy|first=Joe|date=19 October 2020|title=Mysterious 'Robin Hood' hackers donating stolen money|language=en-GB|work=BBC News|url=https://www.bbc.com/news/technology-54591761|access-date=10 June 2021}}

=2020 to 2021=

From December 2020 to May 2021, ransoms demanded by the group ranged from US$200,000 to US$2 million. DarkSide attacked U.S. oil and gas infrastructure on four occasions. DarkSide ransomware hit the IT managed services provider CompuCom in March 2021, costing over US$20 million in restoration expenses; it also attacked Canadian Discount Car and Truck Rentals{{Cite web|last=Immanni|first=Manikanta|date=2021-03-28|title=Ransomware Attack on CompuCom Costs Over $20 Million in Restoration Expenses|url=https://techdator.net/compucom-ransomware-attack/|access-date=2021-05-14|website=TechDator|language=en-US}} and Toshiba Tec Corp., a unit of Toshiba Corp.Benoit Overstraeten & Makiko Yamazaki, [https://www.reuters.com/business/autos-transportation/toshibas-european-business-hit-by-cyberattack-source-2021-05-14/ Toshiba unit hacked by DarkSide, conglomerate to undergo strategic review], Reuters (May 14, 2021). DarkSide extorted money from the German company Brenntag. The cryptocurrency security firm Elliptic stated that a Bitcoin wallet opened by DarkSide in March 2021 had received US$17.5 million from 21 Bitcoin wallets (including the Colonial Pipeline ransom), indicating the number of ransoms received over the course of a few months. Elliptic's analysis showed that in total, DarkSide received over $90 million in ransom payments from at least 47 victims; the average ransom payment was $1.9 million.{{cite web |title=DarkSide Ransomware has Netted Over $90 million in Bitcoin|url=https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin/ |publisher=Elliptic|access-date=May 20, 2021}}

=2021=

The Federal Bureau of Investigation identified DarkSide as the perpetrator of the Colonial Pipeline ransomware attack, a cyberattack on May 7, 2021, that led to a voluntary shutdown of the main pipeline supplying 45% of the fuel consumed on the East Coast of the United States.Ellen Nakashima, Yeganeh Torbati & Will Englund, [https://www.washingtonpost.com/business/2021/05/08/cyber-attack-colonial-pipeline/ Ransomware attack leads to shutdown of major U.S. pipeline system], Washington Post (May 8, 2021). The attack was described as the worst cyberattack to date on U.S. critical infrastructure. DarkSide successfully extorted about 75 Bitcoin (almost US$5 million) from Colonial Pipeline. U.S. officials investigated whether the attack was purely criminal or took place with the involvement of the Russian government or another state sponsor. Following the attack, DarkSide posted a statement claiming that "We are apolitical, we do not participate in geopolitics...Our goal is to make money and not creating problems for society."

In May 2021, the FBI and Cybersecurity and Infrastructure Security Agency issued a joint alert urging the owners and operators of critical infrastructure to take certain steps to reduce their vulnerability to DarkSide ransomware and ransomware in general.

On 14 May 2021, in a Russian-language statement obtained by the cybersecurity firms Recorded Future, FireEye, and Intel 471 and reported by the Wall Street Journal and The New York Times, DarkSide said that "due to the pressure from the U.S." it was shutting down operations and closing its "affiliate program" (the network of intermediary hackers that carried out intrusions with DarkSide's ransomware).Robert McMillan & Dustin Volz, [https://www.wsj.com/articles/web-site-of-darkside-hacking-group-linked-to-colonial-pipeline-attack-is-down-11621001688 Colonial Pipeline Hacker DarkSide Says It Will Shut Operations], Wall Street Journal (May 14, 2021). The specific "pressure" referred to was not clear, but the preceding day, U.S. President Joe Biden had suggested that the U.S. would take action against DarkSide to "disrupt their ability to operate." DarkSide claimed that it had lost access to its payment server and blog, and that its funds had been withdrawn to an unspecified account. Cybersecurity experts cautioned that DarkSide's claim to have disbanded might be a ruse to deflect scrutiny and possibly allow the gang to resume hacking activities under a different name; it is common for cybercriminal networks to shut down, revive, and rebrand in this way.

Agence France-Presse reporters discovered that the Recorded Future report which detailed the loss of DarkSide servers and funds was retweeted by the Twitter account of the 780th Military Intelligence Brigade, a US Army Cyberwarfare group involved in offensive operations.{{cite web |title=Servers of Colonial Pipeline hacker Darkside forced down: security firm|url=https://news.yahoo.com/servers-colonial-pipeline-hacker-darkside-135655617.html |publisher=AFP|access-date=May 25, 2021}}

Posterity

In April 2022, the Federal Bureau of Investigation (FBI) released an advisory stating that several developers and money launderers for BlackCat had links to two defunct ransomware as a service (RaaS) groups, DarkSide and BlackMatter.{{Cite web |title=Ransomware Spotlight: BlackCat - Security News |url=https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackcat |access-date=2023-07-14 |website=www.trendmicro.com |language=en}} According to some experts, BlackCat might be a rebranding of DarkSide following its attack on Colonial Pipeline.{{Cite web |title= Breaking Down the BlackCat Ransomware Operation|url=https://www.cisecurity.org/insights/blog/breaking-down-the-blackcat-ransomware-operation |website=cisecurity.org|date=July 7, 2022 }}

References

{{Reflist}}

{{Hacking in the 2020s|state=autocollapse}}

Category:Hacker groups

Category:Hacking in the 2020s