The DarkSide of Colonial Pipeline Ransomware Attack Is Not so Dark Anymore

essidsolutions

The DarkSide ransomware gang said it is facing heat from the U.S. government and is shutting shop after raking in $90 million in ransom payments in its nine months of existence. This has triggered a domino effect wherein REvil and a couple of other ransomware gangs have announced restrictions on their respective criminal operations.

The DarkSide ransomware gang, which victimized Colonial Pipeline recently, has reportedly minted $90 million in ransom payments in the last nine months from its victims. The revelation came from the London-based blockchain analytics vendor Elliptic, which was able to trace the DarkSide cryptocurrency wallet that was the designated recipient of ransom payments in the form of Bitcoin from 47 victims.

The attack on Colonial Pipeline, the largest oil pipeline system in the United States, crippled gasoline supply to the East Coast of the U.S. for the better part of a week earlier in May. The company's pipelines supply 45% of the oil consumed on the East Coast, and the disruption caused a 4% increase in fuel prices, which is why the attack had such a profound impact.

Operations have since been restored, although Georgia-based Colonial Pipeline didn’t disclose whether any ransom was paid. The company now denies that it was even hacked. However, Elliptic’s analysis reveals that over 5%, or approximately $5 million, of the total $90 million in ransom came from Colonial Pipeline to decrypt systems and ensure that 100 GB of stolen data was safely returned or deleted.

DarkSide Ransomware

DarkSide ransomware is a trojanized malware that can function across Windows and Linux systems (Trojan-Ransom.Win32.Darkside and Trojan-Ransom.Linux.Darkside). It operates on a ransomware-as-a-service (RaaS) model, wherein the developers of the ransomware strain lease out the code and related infrastructure to affiliates that propagate the attacks.

A RaaS model allows those with limited technical or programming knowledge to carry out attacks. In a RaaS deal between the ransomware developer and the affiliate, the latter usually pays a fee for using the strain or hands over a share of the proceeds from the attack.

Marisa Midler, member of technical staff at the Software Engineering Institute at Carnegie Mellon University, noted in a blog post, “With RaaS, ransomware is no longer limited to the developers who create it. Ransomware developers now sell their product to ransomware affiliates who use it to extort organizations. RaaS decreases the risk for ransomware developers since they do not have to execute attacks.”

In DarkSide’s RaaS model, the developer takes home 25% of the ransom if the ransom is less than $500,000. This decreases to 10% if proceeds are over $5 million. The rest goes to the affiliates. So far, DarkSide developers have received $15.5 million (17%) in Bitcoin, while the remaining $74.7 million (83%) has been paid to various affiliates.

Based on this data, the average ransom payout comes to $1.9 million per victim. This is far higher than the average ransom payout in 2020, which Palo Alto Networks’ Unit 42 estimated at $312,000.


Source: Elliptic

According to the White House, there is no evidence that the Russian state was involved in the Colonial Pipeline and other DarkSide attacks. President of the United States Joe Biden said, “We do not believe — I emphasize, we do not believe the Russian government was involved in this attack. But we do have strong reason to believe that criminals who did the attack are living in Russia. That’s where it came from — were from Russia.”

Join me as I give an update on the Colonial Pipeline incident.

— President Biden (@POTUS) May 13, 2021

The notable thing about DarkSide is that the strain was launched in August 2020 and has already raked in $90 million, almost 20% of which came in the past three months. This makes DarkSide one of the most successful ransomware operations in existence. Some ransomware gangs whose ransom earnings have surpassed DarkSide’s are Ryuk, REvil/Sodinokibi, and GandCrab.

See Also: Ransomware Attack on Colonial Pipeline: Was It Preventable?

How Do Cybercriminals Exchange Cryptocurrencies Such as Bitcoin?

Cybercriminals such as ransomware operators and affiliates generally use exchanges to convert Bitcoin into fiat currency. Ransomware gangs usually stay away from well-known crypto exchanges but may occasionally use them. For instance, the Ryuk ransomware gang uses Huobi and Binance, which between them handled 50% of all illicit Bitcoin transactions in 2019.


Bitcoin Exchange Process of Ryuk Ransomware | Source: Advintel, HYAS

But some exchanges operate in countries with no enforcement of anti-money laundering regulations, and Elliptic said this is where the ransom proceeds end up.

And even if the cybercriminals seek to convert Bitcoin to fiat currency on a known exchange, there’s no guarantee that the documents required for transactions, usually some form of identity proof, are thoroughly scrutinized. Brian Carter, principal researcher at HYAS, and Vitali Kremez, CEO and chairman of Advanced Intelligence, wrote in a joint blog post, “They (exchanges) claim to comply with international financial laws and are willing to participate in legal requests but are also structured in a way that probably wouldn’t obligate them to comply.”

Fortunately, the infrastructure supporting DarkSide’s malicious operations has been disrupted. Darksupp, an operator of the DarkSide ransomware, said in a post found by Recorded Future threat intelligence analyst Dmitry Smilyanets, “A few hours ago, we lost access to the public part of our infrastructure, namely: Blog. Payment server. CDN servers. Now these servers are unavailable via SSH, and the hosting panels are blocked.”

Disruption of DarkSide Ransomware Infrastructure

The DarkSide infrastructure was swiftly seized, apparently by U.S. law enforcement, a day after Biden’s press conference ordering a strong response to the high-profile attack on Colonial Pipeline.

The DarkSide ransomware group’s darknet site has gone down. No indication of whether the site was taken down intentionally or not.

— Mikael Thalen (@MikaelThalen) May 13, 2021

Intel 471 later discovered that the DarkSide ransomware group was intentionally shutting down its operations due to “pressure from the U.S.” Consequently, the developers of the strain sent out the following note to their affiliates, who are probably spread across the globe.


Source: Intel471

According to the message, DarkSide lost access to the public data leak site, payment servers, and CDN servers. Additionally, funds from the payment server were withdrawn. 

Translation of DarkSide’s message to its affiliates: 

Starting from version one, we promised to speak about problems honestly and openly. A couple of hours ago, we lost access to the public part of our infrastructure, in particular to the

  • blog
  • payment server
  • CDN servers

At the moment, these servers cannot be accessed via SSH, and the hosting panels have been blocked.

The hosting support service doesn’t provide any information except “at the request of law enforcement authorities.” In addition, a couple of hours after the seizure, funds from the payment server (belonging to us and our clients) were withdrawn to an unknown account.

The following actions will be taken to solve the current issue: 

  • You will be given decryption tools for all the companies that haven’t paid yet. After that, you will be free to communicate with them wherever you want in any way you want. Contact the support service. We will withdraw the deposit to resolve the issues with all the affected users.
  • The approximate date of compensation is May 23 (due to the fact that the deposit is to be put on hold for 10 days on XSS).

In view of the above and due to the pressure from the U.S., the affiliate program is closed. Stay safe and good luck.

The landing page, servers, and other resources will be taken down within 48 hours.

Where exactly the Bitcoin went is unclear as of this writing, although speculation is rife that the DarkSide shutdown may be a ruse by its operators to renege on payments to affiliates and take home the prize.

See Also: Global Task Force Seeks To Curb the Ransomware Menace, Here’s What They’re Proposing

Domino Effect on Ransomware Gangs

Smilyanets also came across a post from UNKN, an associate of the REvil ransomware gang, that verified DarkSide’s takedown. The post, which came after the DarkSide shutdown, states that the REvil gang may cease its RaaS service and go private. UNKN also said REvil, also known as Sodinokibi, is putting restrictions on who can and cannot be targeted. Those that cannot, according to the post, are:

  1. Any organization in the social sector (health care, educational institutions)
  2. Govt-sector organizations of any country

Source: Recorded Future

The administrator of a popular Russian-language cybercrime forum banned all ransomware-related activity on the forum. Subsequently, ransomware advertising, sales, ransom negotiation services and similar offers are now prohibited on the forum, and existing listings will be deleted.

Avaddon RaaS amended its rules, which now prohibit targeting government, healthcare, educational and charity organizations irrespective of the country they’re based in.

@ddd1ms & @campuscodi Some change is happening…. @Raj_Samani @ChristiaanBeek @McAfee_Labs

— John Fokker (@John_Fokker) May 14, 2021

Further, the Babuk ransomware group announced that it is handing over its source code to another team. The group also released 250 GB of data stolen from the Metropolitan Police Department of the District of Columbia, and it is encouraging other gangs to switch to a private mode of operation.

Wrapping Up

Ransomware gangs have had a field day, except that it lasted a year, thanks to the COVID-19 pandemic. The attack surface surged while normal organizational functioning was upended. And with professionals everywhere stretched to their limits, cybercriminals continued to take advantage of and target those involved in essential services such as healthcare. 2020 even saw the first death (of a patient) attributed to a ransomware attack on a hospital in Germany.

By December 2020, a coalition of global companies formed a Ransomware Task Force led by the California-based Institute for Security and Technology (IST), which recently proposed a comprehensive framework to contain the ransomware threat. The U.S. Department of Justice also formed a separate task force with similar aims.

But it seems the tide is turning now. The Colonial Pipeline hack has put ransomware gangs in the spotlight, and some have already started scaling down operations. However, if weaknesses in IT asset management (covering computing devices as well as software) persist, there’s only so much a task force can do.
