DarkSide surfaced on the dark web in mid-August of last year. “We don’t want to kill your company,” the group stated in its original manifesto. The ransomware gang, which the FBI’s statement on Monday holds responsible for the attack on Colonial, one of the main oil pipeline networks in the United States, presented itself on its dark web page (the part of the internet reachable only through specific browsers) as a sort of Robin Hood. It would attack only companies able to pay a ransom for their data, and it would keep its ransomware away from hospitals, schools, non-profits and government agencies.
To this promise the group added supposedly altruistic gestures, such as donating part of its profits to charitable projects. As the gang proclaimed in a statement released in October 2020, its intention was to hand over part of the ransoms to charities. “No matter how bad you think we are, we are satisfied to know that we help change someone’s life,” they stated when announcing donations of $10,000 to Children International and The Water Project. José Rosell, managing partner of S2Group, a cybersecurity company specializing in critical infrastructure, is especially skeptical of these proclamations: “Rotten lie. This is pure business. Let’s not forget that they are criminals through and through.”
Who are they? “Everything indicates that they come from Eastern Europe with some ramifications in Russia, but there is no evidence to confirm this,” says Hervé Lambert, head of global consumer operations at the cybersecurity firm Panda Security. Its name, DarkSide, may be a reference to the dark side of the Star Wars saga. In their introductory letter they describe themselves as veterans who have harvested millions of dollars in ransoms: “We created DarkSide because we could not find the perfect product for us.” Before their first month of existence was over they could already boast of having collected large sums in attacks launched under the new banner, with payments ranging between 200,000 and 2 million dollars.
Moderation and checking system
Following the attack on Colonial, DarkSide has issued a statement insisting on its apolitical nature. In addition, aware of the damage caused to thousands of citizens (the attack disrupted fuel supply to the south and east of the United States), the group commits to introducing a system for moderating and vetting each company its partners want to attack, in order to avoid similar consequences in the future. “Our goal is to make money, not to create problems for society,” they say. For Lambert, how quickly they have established themselves at the top of the dark side of the internet is not so surprising: “They are very skilled people at this. They have great advantages when launching their marketing campaigns. They can make a lot of noise in a very short time.”
From the start, DarkSide was associated with REvil, another well-known ransomware operator, given the similarities in the code used by the attackers of both groups and, especially, in the structure and contents of the ransom note that accompanies their attacks. They also share with REvil a deliberate policy of avoiding victims in the former Soviet republics.
Among its first victims was the US real estate company Brookfield Residential, whose infection the group made public on its website. The announcement, headed with the company’s name, detailed the contents of the 200 gigabytes of information stolen in the attack: “We have downloaded a lot of interesting data from your website.” In the same statement they offered to send proof and, in what later became common practice, warned that the data would be automatically published online if the company did not pay the ransom. The subsequent publication of the data suggests that the real estate company did not give in to the blackmail.
In November 2020, the gang began advertising a new line of services for third parties on the main cybercrime forums. As part of its affiliate program, it offers the latest versions of its ransomware to partners, with whom it then shares the profits from each ransom. According to the cybersecurity firm KELA, the share of the pie reserved for DarkSide ranges between 15 and 25% of the sum; that is, in a hypothetical ransom of two million dollars, DarkSide would pocket a minimum of 1.5 million and its partners a maximum of 500,000. The practice is also part of REvil’s portfolio of services, which promises to pay 30% of each ransom and raises the stake to 40% once the affiliate has collected more than three ransoms. “There is a growing presence of highly professionalized groups. We must not forget that cybercrime moves a lot of money,” Lambert points out.
This business model allows the cybercriminals to focus on developing their malicious programs, while affiliates take the ready-made malware and launch the infection. The downside for these gangs is that their reputation suffers when affiliates violate their code of conduct, as appears to have happened in the pipeline case, and that their lines of activity are more exposed to potential infiltration by investigators and law enforcement agencies.
A complex organization
The rise to the Olympus of cybercrime has not been an easy ride for DarkSide. In early 2021, the cybersecurity firm Bitdefender released a free tool to help the group’s victims regain access to files encrypted in an attack, removing the need to pay any ransom. The gang rebounded from this setback in March with the release of DarkSide 2.0, an improved version of its services that includes faster encryption of infected files and allows affiliates to communicate with their victims through a voice call.
DarkSide’s eye-catching corporate approach, offering customer service channels, sending out press releases and making donations to charity projects, is not unique to the gang. “They are complex organizations with many capabilities. They invest in research and development, marketing… On the dark web there are entire catalogs with the price of each database,” says Rosell. According to an analysis by Kaspersky, these practices are one more example of how the ransomware industry is consolidating.
Given the growth of this sector, Lambert calls for greater attention to security around large infrastructure. “Has it really been so easy to get into such a sensitive infrastructure?” he wonders. In addition, the success of attacks like this one points to a long life for DarkSide. And the wide attack surface created by the increasingly digital operation of different entities does not invite hope either. “Do you know the weak points there are to attack in an infrastructure such as an oil pipeline? There are thousands of providers, users… Society’s lack of awareness is of such caliber that they can hit us anywhere. And what has happened is only the beginning,” warns Rosell.
Eddie is an Australian news reporter with over 9 years in the industry and has published on Forbes and TechCrunch.