DarkSide’s most famous hacking operation may turn out to be its last: in early May, the group launched a ransomware attack against the Colonial Pipeline Company, which supplies up to half of the fuel for the east coast of the United States. As the hack’s impact grew, the company shut down the pipeline, leading to a spike in gasoline prices and days of widespread fuel shortages. President Joe Biden declared a state of emergency. DarkSide reportedly received a five-million-dollar ransom, but collecting the payout appears to have come at a cost. On May 14th, DarkSide’s website went offline and the group said it had lost access to many of its communication and payment tools, either as a result of retaliation from the US or because the members who fund the organization decided to pull the plug themselves.
DarkSide is a so-called ransomware-as-a-service operation, which means that it does not actually carry out cyberattacks itself. Instead, it provides a range of services to affiliated hackers, from handling negotiations to processing payments. It ran a blog and an easy-to-use interface that hackers could use to upload and publish stolen information. When DarkSide debuted on Russian-language cybercrime forums last August, its launch announcement read like a tech entrepreneur’s pitch deck. “We developed DarkSide because we couldn’t find the perfect product for us,” it said. “Now we have it.” Fees were tiered, from twenty-five percent of ransoms worth less than half a million dollars down to ten percent of ransoms worth five million or more.
Ransomware as a service, like the modern tech economy, has developed a high degree of specialization, with each market participant providing a discrete skill. An operation like DarkSide’s attack on the Colonial Pipeline begins with a person or team of hackers known as “initial access brokers” breaking into a target company’s network. From there, another hacker moves laterally to the domain controller, the server responsible for security and user access, and installs the ransomware code on it. (DarkSide’s many services include its own brand of malware for locking and exfiltrating data.) Once a victim’s servers have been breached and its computer systems frozen, the hackers hand things over to the operators of a ransomware-as-a-service outfit, which manages everything else, including setting the ransom amount, communicating with the victim organization, and arranging the details of payment. “That’s the stuff you as a hacker don’t want to deal with,” said Mark Arena, CEO of Intel 471, a private cyber-intelligence company. “You don’t have the patience or the people skills.”
On May 10, Biden said US intelligence officials believe DarkSide is based in Russia, even though there is “no evidence” linking it to the Russian state. Like many sources of income in the cybercrime underworld, ransomware as a service is largely, if not entirely, dominated by Russian-speaking hackers with roots in Russia and other former Soviet states. (There are notable exceptions, such as North Korea’s state hacking teams, which specialize in online bank theft.)
The reasons for this situation go back to the collapse of the Soviet Union in the 1990s, when highly skilled engineers, programmers and technicians suddenly found themselves left behind. Decades later, the story has not changed much: younger generations of Russians have access to specialized training in physics, computer science and math, but few opportunities to put those talents to use, at least not for the salaries available to programmers in, say, Silicon Valley. “And what do you see when you go online? That it is possible to make millions of dollars with their knowledge and skills,” said Sergey Golovanov, chief security expert at Kaspersky Lab, a Moscow-based cybersecurity company. “A certain percentage of these people decide that breaking the law is worthwhile.”
Such a career looks all the more attractive because the risks seem rather small, at least for those who focus on Western targets. Although Russian law enforcement agencies regularly conduct operations against domestic cybercriminals, they generally shield those who use Russia as a base for infiltrating foreign networks. This is partly a function of the law and of how investigations are opened. If there is no victim on Russian territory who can appear in person to file a police report and provide evidence for a criminal case, there is little for the authorities to act on. “Even if Russian law enforcement agencies were so inclined, there would be nothing to investigate,” said Alexey Lukatsky, a well-known cybersecurity consultant in Moscow.
To make sure they don’t run into problems on their home turf, most ransomware-as-a-service operations prohibit attacks on any company or institution based in Russia or elsewhere on the territory of the former Soviet Union. “Hackers have a rule: don’t work on the .ru domain,” said Golovanov. In DarkSide’s case, part of the malware’s code checked which languages were installed on the target workstation. If it found Russian or any other language common in post-Soviet countries, the malware did not run and deleted itself from the machine.
But there is another very important reason cybercriminals feel relatively free to operate from within Russia. Russia’s security services are inclined to view hackers who target Western companies, governments and individuals less as a threat than as a resource. In 2014, the FBI charged a Russian hacker named Evgeniy Bogachev with allegedly stealing hundreds of millions of dollars from bank accounts around the world; American prosecutors asked their Russian colleagues for cooperation. Instead of arresting Bogachev, the Russian authorities used his intrusions to search for files and emails on the devices of government employees and contractors in the US, Georgia and Turkey. As the Times wrote, the Russian state had in effect “transferred an intelligence operation to a wide-ranging cybercrime program, saving itself the hard work of hacking the computers itself.”
In a 2012 strategy paper titled “Beyond Attribution,” Jason Healey, the director of the Cyber Statecraft Initiative at the Atlantic Council, proposed that state responsibility for hacking attacks be assessed on a spectrum ranging from “state prohibited” to “state integrated.” It is unclear exactly where the DarkSide attack on the Colonial Pipeline falls on that spectrum, or what Biden meant when he said that Russia “has some responsibility for it.” So far, the publicly available evidence points to the category Healey’s taxonomy calls “state ignored,” in which “the national government is aware of third-party attacks but is unwilling to take official action for political reasons.”
For its part, the Kremlin has rejected any suggestion that it is to blame for not doing more to curb the activities of groups like DarkSide. “Russia has nothing to do with it,” said Vladimir Putin’s spokesman, Dmitry Peskov. By now, however, allegations of Russian involvement in major hacking operations are commonplace. A month ago, Biden sanctioned Russia over the SolarWinds breach, in which at least nine federal agencies and a hundred private companies had their networks compromised by Russian intelligence services. “In Russia we are used to accusations that we hack everyone and everything,” Lukatsky told me wryly.
In the meantime, the Russian-speaking cybercrime forums that historically served as DarkSide’s marketplace have banned the group from their portals. The word “ransom” “has become dangerous and poisonous,” wrote one administrator, noting that the last thing Russian criminal hackers and their associates want is to create problems for the Kremlin. “Peskov is forced to apologize to our ‘friends’ overseas. This is nonsense and a sign that things have gone too far.”
But nobody expects the practice to go away. Several of the biggest ransomware-as-a-service outfits announced that they were going “private”: no longer advertising on the dark web, and accepting only affiliate hackers they know and trust. They also announced that they would take a more active role in reviewing and approving targets in advance. DarkSide itself is likely to regroup and relaunch under a new name, the cybercrime equivalent of a tech-world comeback after a public flameout. “Such people don’t stay unemployed forever,” said Dmitry Volkov, the chief technology officer of Group-IB, a Moscow cybersecurity company.