DarkSide (hacker group)

DarkSide is a cybercriminal hacking group, believed to be based in Russia, that targets victims using ransomware and extortion; it is believed to be behind the Colonial Pipeline cyberattack. The group is thought to have hacked and extorted money from around 90 companies in the USA alone. It provides ransomware as a service.

DarkSide itself claims to be apolitical.

Targets
DarkSide is believed to be based in Eastern Europe, likely Russia, but unlike other hacking groups responsible for high-profile cyberattacks it is not believed to be directly state-sponsored (i.e., operated by Russian intelligence services). DarkSide avoids targets in certain geographic locations by checking their system language settings. In addition to the languages of the 12 current, former, or founding CIS countries the exclusion list contains Syrian Arabic. Experts state that the group is "one of the many for-profit ransomware groups that have proliferated and thrived in Russia" with at least the implicit sanction of the Russian authorities, who allow the activity to occur so long as it attacks foreign targets. The language check feature can be disabled when an instance of ransomware is built. One such version was observed in May 2021. Additionally, DarkSide does not target healthcare centers, schools, and non-profit organizations.

Ransomware code used by DarkSide resembles ransomware software used by REvil, a different hacking group; REvil's code is not publicly available, suggesting that DarkSide is an offshoot of REvil or a partner of REvil. DarkSide and REvil use similarly structured ransom notes and the same code to check that the victim is not located in a Commonwealth of Independent States (CIS) country.

According to Trend Micro Research data, the United States is by far DarkSide's most targeted country, at more than 500 detections, followed by France, Belgium, and Canada. Of 25 countries observed by McAfee the most affected by DarkSide attacks in terms of number of devices impacted per million devices are Israel (1573.28), Malaysia (130.99), Belgium (106.93), Chile (103.97), Italy (95.91), Turkey (66.82), Austria (61.19), Ukraine (56.09), Peru (26.94), the U.S. (24.67).

As of June 2021, DarkSide has only published data from one company; the amount of data published exceeds 200 GB.

Mechanism of attack
The DarkSide ransomware initially bypasses UAC using the CMSTPLUA COM interface. The software then checks the system's location and language to avoid machines in former Soviet countries; the list of languages that are excluded are Russian, Ukrainian, Belarusian, Tajik, Armenian, Azerbaijani, Georgian, Kazakh, Kyrgyz, Turkmen, Uzbek, Tatar, Moldovan Romanian, and Syrian Arabic.

The software then creates a file named LOG.{userid}.TXT, which serves as a log file. The software deletes files in the recycle bin one by one, uninstalls certain security and backup software programs, and terminates processes to allow access to user data files. During the encryption process proper, a user ID is generated based on a MAC address and appears appended to filenames, and file data is encrypted with Salsa20 and a randomly generated matrix key (which, encrypted with a hardcoded RSA key, is itself appended to the file). However, the software avoids encrypting certain folders, files, and filetypes.

Finally, the ransomware leaves behind a ransom note titled README.{userid}.TXT, which directs the user to access a site with Tor; this site then prompts the user to verify their identity and to make a payment using Bitcoin or Monero.
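As an added example (not part of the original article), the following Python triage helper walks a file listing for the artifacts the section describes: it finds the README.{userid}.TXT and LOG.{userid}.TXT names, extracts the user ID, and then counts files carrying that ID as an appended suffix. The sample listing and the assumption that the ID is a short alphanumeric token are constructed for illustration; the page does not specify the ID's exact format.

```python
import re
from collections import defaultdict

# Constructed sample listing of a scanned share (not real data).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.3ac9f0e1",
    r"C:\Users\alice\Documents\README.3ac9f0e1.TXT",
    r"C:\Users\alice\Documents\LOG.3ac9f0e1.TXT",
    r"C:\Users\alice\Pictures\cat.jpg.3ac9f0e1",
    r"C:\Users\alice\Pictures\dog.jpg",
    r"C:\Windows\System32\kernel32.dll",
]

# Assumption: the user ID is a short alphanumeric token between the
# README/LOG prefix and the .TXT extension.
NOTE_RE = re.compile(r"^(README|LOG)\.([A-Za-z0-9]+)\.TXT$", re.IGNORECASE)


def basename(path):
    """Return the last path component for either Windows or POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def find_ids(paths):
    """Map each candidate user ID to the note types (README/LOG) seen for it."""
    ids = defaultdict(set)
    for p in paths:
        m = NOTE_RE.match(basename(p))
        if m:
            ids[m.group(2)].add(m.group(1).upper())
    return dict(ids)


def triage(paths):
    """For every ID found, list files whose name ends in '.<id>' (encrypted)."""
    report = {}
    for uid, kinds in find_ids(paths).items():
        suffix = "." + uid
        encrypted = sorted(p for p in paths if basename(p).endswith(suffix))
        dirs = sorted({p.replace("\\", "/").rsplit("/", 1)[0] for p in encrypted})
        report[uid] = {
            "notes": sorted(kinds),
            "encrypted": encrypted,
            "count": len(encrypted),
            "directories": dirs,
        }
    return report


if __name__ == "__main__":
    for uid, info in triage(SAMPLE_LISTING).items():
        print(uid, info["count"], "files in", len(info["directories"]), "dirs")
```

Feed it a real directory walk (for example from os.walk) to get a per-ID count of affected files and folders for an incident report.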

Business model
DarkSide uses intermediary hackers ("affiliates"). It uses "ransomware-as-a-service": a model in which DarkSide grants its "affiliate" subscribers (who are screened via an interview) access to ransomware developed by DarkSide, in return for giving DarkSide a share of the ransom payments (apparently 25% for ransom payments under US$500,000 and 10% for ransom payments over US$5 million). Affiliates are given access to an administration panel on which they create builds for specific victims. The panel allows some degree of customization for each ransomware build. Cybersecurity firm Mandiant, a subsidiary of FireEye, has documented five clusters of threat activity that may represent different affiliates of the DarkSide RaaS platform, and has described three of them, referred to as UNC2628, UNC2659, and UNC2465.

Some researchers have contended that DarkSide’s business model is comparable to a franchise, meaning that buyers can use DarkSide’s branding in their attacks. Additionally, DarkSide is known to operate with a level of professionalism, as analysts have noted that the hacker group has a press room, mailing list, and victim hotline found on their website.

2020
The group was first noticed in August 2020. Cybersecurity company Kaspersky described the group as an "enterprise" due to its professional-looking website and attempts to partner with journalists and decryption companies. The group "has publicly stated that they prefer to target organizations that can afford to pay large ransoms instead of hospitals, schools, non-profits, and governments." The group has sought to foster a "Robin Hood" image, claiming that they donated some of their ransom proceeds to charity. In a darkweb post, the group posted receipts for donations of 0.88 BTC (then worth US$10,000) each to Children International and to The Water Project dated to October 13, 2020; Children International stated that it will not keep the money.

2020 to 2021
From December 2020 to May 2021, ransoms demanded by the group ranged from US$200,000 to US$2 million. DarkSide attacked U.S. oil and gas infrastructure on four occasions. DarkSide ransomware hit the IT managed services provider CompuCom in March 2021, costing over US$20 million in restoration expenses; it also attacked Canadian Discount Car and Truck Rentals and Toshiba Tec Corp., a unit of Toshiba Corp. DarkSide extorted money from the German company Brenntag. The cryptocurrency security firm Elliptic stated that a Bitcoin wallet opened by DarkSide in March 2021 had received US$17.5 million from 21 Bitcoin wallets (including the Colonial Pipeline ransom), indicating the number of ransoms received over the course of a few months. Elliptic's analysis showed that in total, DarkSide received over $90 million in ransom payments from at least 47 victims. The average ransom payment was $1.9 million.

2021
The Federal Bureau of Investigation identified DarkSide as the perpetrator of the Colonial Pipeline ransomware attack, a cyberattack on May 7, 2021, perpetrated by malicious code, that led to a voluntary shutdown of the main pipeline supplying 45% of fuel to the East Coast of the United States. The attack was described as the worst cyberattack to date on U.S. critical infrastructure. DarkSide successfully extorted about 75 Bitcoin (almost US$5 million) from Colonial Pipeline. U.S. officials are investigating whether the attack was purely criminal or took place with the involvement of the Russian government or another state sponsor. Following the attack, DarkSide posted a statement claiming that "We are apolitical, we do not participate in geopolitics...Our goal is to make money and not creating problems for society."

In May 2021, the FBI and Cybersecurity and Infrastructure Security Agency issued a joint alert urging the owners and operators of critical infrastructure to take certain steps to reduce their vulnerability to DarkSide ransomware and ransomware in general.

On 14 May 2021, in a Russian-language statement obtained by the cybersecurity firms Recorded Future, FireEye, and Intel 471 and reported by the Wall Street Journal and The New York Times, DarkSide said that "due to the pressure from the U.S." it was shutting down operations, closing the gang's "affiliate program" (the intermediary hackers that DarkSide works with to hack). The specific "pressure" referred to was not clear, but the preceding day, U.S. President Joe Biden suggested that the U.S. would take action against DarkSide to "disrupt their ability to operate." DarkSide claimed that it had lost access to its payment server, blog, and funds withdrawn to an unspecified account. Cybersecurity experts cautioned that DarkSide's claim to have disbanded might be a ruse to deflect scrutiny, and possibly allow the gang to resume hacking activities under a different name. It is common for cybercriminal networks to shut down, revive, and rebrand in this way.

Agence France-Presse reporters discovered that the Recorded Future report which detailed the loss of DarkSide servers and funds was retweeted by the Twitter account of the 780th Military Intelligence Brigade, a US Army Cyberwarfare group involved in offensive operations.

Posterity
In April 2022, the Federal Bureau of Investigation (FBI) released an advisory stating that several developers and money launderers for BlackCat had links to two defunct ransomware as a service (RaaS) groups, DarkSide and BlackMatter. According to some experts, BlackCat might be a rebranding of DarkSide following its attack on the Colonial Pipeline.