In just nine short months, the ransomware gang dubbed DarkSide has netted more than $90 million from victims worldwide. Experts are calling this group one of the most profitable cybercriminal groups in history.
The Inside Scoop
Threat experts Elliptic, say the gang has extorted just over $90 million spread over 47 different Bitcoin wallets. Ninety-nine organizations have been infected by DarkSide ransomware, and roughly 47% have paid the ransom. The average ransom payment is $1.9 million.
The way DarkSide is organized is the developer of the software takes 25% for payments under $500,000 and 10% when the ransom is over $5 million. Therefore, the developer has netted $15.5 million Bitcoin, and DarkSide affiliates have split the remaining $74.7 million.
According to The Hacker News “DarkSide, which went operational in August 2020, is just one of many groups that operated as a service provider for other threat actors, or “affiliates,” who used its ransomware to extort targets in exchange for a cut of the profits, but not before threatening to release the data — a tactic known as double extortion.”
Last week, however, DarkSide announced they were closing up shop because their servers and Bitcoin had been seized by law enforcement.
One recent very notable victim of DarkSide ransomware is Colonial Pipeline which had to shut down 5550 miles of the pipeline due to the attack. Colonial Pipeline confirmed this week that they paid the DarkSide ransomware gang a ransom of $4.4 million to release their files and unlock their systems to reverse the effects of fuel shortages and a spike in fuel prices.
Experts believe that the attack was not intended to disrupt operations but simply targeting a company with deep enough pockets to reap a great reward. Threat assessors call these “big game hunting” attacks. To confirm this theory, DarkSide was quoted as saying,
“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives [sic]. Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
Who is DarkSide?
According to an in-depth article on the DarkSide by KrebsonSecurity
“First surfacing on Russian language hacking forums in August 2020, DarkSide is a ransomware-as-a-service platform that vetted cybercriminals can use to infect companies with ransomware and carry out negotiations and payments with victims. DarkSide says it targets only big companies and forbids affiliates from dropping ransomware on organizations in several industries, including healthcare, funeral services, education, public sector, and non-profits.”
DarkSide uses the common practice of double-extortion to illicit payments from its victims. How this works is that they first demand a ransom to unlock their encrypted files and systems. Then they demand a second ransom not to expose the exfiltrated personal or sensitive information stolen.
Oddly enough, DarkSide cares about its reputation among affiliates, and on its “Why Choose Us” page on its marketing website, they profess “High trust level of our targets. They pay us and know that they’re going to receive decryption tools. They also know that we download data. A lot of data. That’s why the percent of our victims who pay the ransom is so high, and it takes so little time to negotiate.”
Recently DarkSide added two new features to their ransomware, including a call service to pressure victims into paying and a DDoS attack follow-up if the ransom is not paid within a specific amount of time.