Last week we told the story of Anonymous, the world's best-known hacktivist collective, which published a video addressed to Elon Musk that combined dissatisfaction with the businessman and an indirect threat. This time we will talk about a group called DarkSide. Ransomware crews have been extorting the largest companies in the world for years, but in May 2021 this one drew unusual media attention: The New York Times reported that the crew which had become the public face of cybercrime was most likely operating out of Russia. This article explains why there is so much excitement around DarkSide.
DarkSide first announced itself in August 2020, when it publicly advertised its malware. The offering is ransomware-as-a-service (RaaS): the core group develops and hosts the ransomware and the supporting infrastructure, and affiliates carry out the intrusions in exchange for a share of the ransom. The group then gained a reputation for operations that were consistent, efficient and, above all, professional, and for extracting large sums. Before attacking a victim, the operators study its finances to size the ransom demand.
It is believed that the name DarkSide originated from the Star Wars film series.
Contrary to widespread opinion, there is no evidence that the group includes former specialists from the IT security industry. What can be concluded from the way its operations are run is that its members are well versed in security technology, have a deep understanding of corporate infrastructure, and study the weaknesses of future victims in advance.
DarkSide publicly stated that it would not attack hospitals, educational institutions, non-profits or government agencies, preferring large organizations from which large ransoms could be extorted. Let's return to The New York Times' assessment. It rested on three observations: the malware checks the system's language settings before it runs and will not encrypt machines configured for Russian (published analyses list other CIS languages as well); the group's representatives wrote in Russian on underground forums; and on those same forums the group said it was recruiting new specialists from Russia.
Nicole Perlroth, a New York Times reporter, concluded that the group was Russian. That does not make DarkSide a 100% Russian organization, and attribution of this kind rests on circumstantial indicators, so we will most likely never know the truth for certain.
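The language check described above is a recognisable "kill switch" pattern: the malware reads the Windows UI language and the installed keyboard layouts and exits if any of them belongs to an excluded set. The block below is an added example written for this article, not DarkSide's own code or a decompiled sample. It assumes the standard Windows LANGID layout (primary language in the low 10 bits, sublanguage above it) and the fact that the low 16 bits of a keyboard-layout handle (HKL) are the layout's LANGID; the particular list of excluded languages is an illustrative assumption drawn from public reporting on CIS-affiliated ransomware, not a verified copy of any sample's list.

```python
"""Locale "kill switch" check of the kind reported for DarkSide and similar
CIS-affiliated ransomware families.

Added example for this article, not DarkSide's code. The excluded-language
lists below are an illustrative assumption based on public reporting, not a
verified copy of any sample's list.
"""
import sys
from typing import Iterable, Optional

# Windows LANGID = (sublanguage << 10) | primary_language.
PRIMARY_MASK = 0x3FF

# Primary-language IDs excluded as whole families (assumption, see docstring):
EXCLUDED_PRIMARY = {
    0x19,  # LANG_RUSSIAN
    0x22,  # LANG_UKRAINIAN
    0x23,  # LANG_BELARUSIAN
    0x3F,  # LANG_KAZAK
    0x2B,  # LANG_ARMENIAN
    0x2C,  # LANG_AZERI
    0x37,  # LANG_GEORGIAN
    0x43,  # LANG_UZBEK
    0x44,  # LANG_TATAR
    0x40,  # LANG_KYRGYZ
    0x28,  # LANG_TAJIK
    0x42,  # LANG_TURKMEN
}

# Full LANGIDs excluded individually, where only one sublanguage is targeted
# (Romanian as spoken in Moldova, but not Romanian in Romania):
EXCLUDED_EXACT = {
    0x0818,  # Romanian (Moldova)
}


def primary_language(langid: int) -> int:
    """Extract the primary-language part of a Windows LANGID."""
    return langid & PRIMARY_MASK


def langid_from_hkl(hkl: int) -> int:
    """The low 16 bits of a keyboard-layout handle (HKL) are its LANGID;
    the high bits identify the physical layout/IME and are ignored here."""
    return hkl & 0xFFFF


def should_abort(ui_langid: int, keyboard_layouts: Iterable[int]) -> bool:
    """Return True if the host looks like an excluded (CIS) system.

    Both the UI language and every installed keyboard layout are checked,
    so a single added Russian layout on an English system is enough to
    trigger the exclusion. Matching on the primary language catches
    sublanguage variants such as Russian (Moldova), 0x0819.
    """
    candidates = [ui_langid] + [langid_from_hkl(h) for h in keyboard_layouts]
    return any(
        lid in EXCLUDED_EXACT or primary_language(lid) in EXCLUDED_PRIMARY
        for lid in candidates
    )


def collect_from_host() -> Optional[bool]:
    """On Windows, read the real UI language and keyboard layouts through the
    Win32 API (GetUserDefaultUILanguage, GetKeyboardLayoutList) and evaluate
    them. Returns None on other platforms so the module imports anywhere."""
    if sys.platform != "win32":
        return None
    import ctypes

    kernel32 = ctypes.windll.kernel32
    user32 = ctypes.windll.user32
    ui_langid = kernel32.GetUserDefaultUILanguage()
    count = user32.GetKeyboardLayoutList(0, None)
    buf = (ctypes.c_void_p * count)()
    user32.GetKeyboardLayoutList(count, buf)
    layouts = [int(h or 0) for h in buf]
    return should_abort(ui_langid, layouts)


if __name__ == "__main__":
    # Constructed inputs: English UI with an added Russian keyboard layout.
    print("constructed host excluded:", should_abort(0x0409, [0x04090409, 0x04190419]))
    print("this host excluded:", collect_from_host())
```

Two practical points follow from this logic. For analysts, the presence of such a check is a fingerprint worth recording, and a sandbox can deliberately set the locale to make the sample run or refuse to run. For defenders, the widely circulated trick of adding a Russian keyboard layout to Windows hosts does exactly what the second constructed input shows, but it is not a control to rely on: the excluded list differs between families, is changed by their authors, and protects against nothing else.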
It may seem that DarkSide pioneered the use of such malware to extort large sums, but the reality is different. In 2017 the NotPetya outbreak, which posed as ransomware, caused billions of dollars in damage worldwide, although it brought its creators almost nothing: it was effectively a wiper with no working recovery path. The basic technique, encrypting a victim's files and demanding payment, is the same one DarkSide uses today. There are many similar examples, but in 2019 the extortion industry evolved into something new.
The foundation was laid by the now-defunct Maze group. Maze actively interacted with the media and ran what amounted to its own PR operation, defending the group's "reputation" and rebutting accounts of its activities it considered false, and it popularised the practice of stealing data before encrypting it and publishing the data of victims who refused to pay. This way of operating was soon adopted by other groups, including DarkSide.
The organizers of such groups build hosted platforms that provide the malware, a payment gateway and the chains through which money is distributed. Affiliates take the software and get into a company's network using vulnerabilities they found themselves or access they bought (stolen credentials and footholds are sold on the same forums). The result is ransomware running inside the company's network. Such entry points are usually found by hackers acting as pentesters for the crews, and a single one can cost $1,000 or even tens of thousands.
Once the intrusion succeeds, a negotiator joins in, communicates with the victim and steers the company toward paying. The proceeds are then split between the affiliate and the software developer. The problem is that even after the payment, all the data exfiltrated during the intrusion stays on the crew's servers, which are controlled by the organizers. This protects the crew's "reputation" and serves as leverage over the victim while negotiations are underway. Identifying who is behind the extortion is nearly impossible, because a single group usually involves many people. Even if the particular individuals who performed the intrusion or cashed out the money are caught, investigators rarely reach the operators behind them, because only nicknames are used on these networks and real names are never exchanged.
What does DarkSide do today
DarkSide positions itself as a corporation: it actively promotes its "brand" online and has even made a show of charitable donations.
In May 2021 media outlets around the world started talking about the group after it compromised Colonial Pipeline, operator of the largest refined-products pipeline in the United States. The pipeline carries gasoline, diesel and jet fuel from the Gulf Coast to the East Coast and supplies roughly 45% of the fuel consumed there.
The attack took place on May 7. DarkSide ransomware ran on Colonial Pipeline's corporate IT systems, and the company shut down the pipeline itself as a precaution, halting fuel deliveries. The intrusion reportedly began with a compromised password for a legacy VPN account that had no multi-factor authentication. The attackers also exfiltrated about 100 gigabytes of company data. A regional emergency was declared covering 17 states and the District of Columbia so that fuel could be moved by tanker truck; drivers were allowed to work longer hours, subject to mandatory rest. This eased the shortage somewhat. A few days after the Colonial Pipeline attack it emerged that DarkSide was also behind an attack on Toshiba Tec's French subsidiary; the group claimed to have taken about 740 GB from the company's servers, including passport scans and other personal information of employees.
The Colonial Pipeline incident ended with the group announcing its dissolution, citing growing pressure from law enforcement (it claimed part of its infrastructure had been seized and its funds withdrawn). Such announcements are common: groups disband for a short time and return under a new name. Before its statement, DarkSide had received 75 bitcoin, about $4.4 million at the time (initially reported as nearly $5 million), from Colonial Pipeline in exchange for a decryption tool, though the tool was reportedly so slow that the company relied largely on its own backups to restore systems; the US Department of Justice later announced it had recovered most of that payment.
To summarize: cybercrime stopped being a rarity long ago. Defensive technology keeps improving, but the criminal groups do not stand still; they develop new ransomware and supporting tools every day. The precautions that would have blunted the attacks described here are not exotic: keep systems patched, require multi-factor authentication on every remote-access path, segment networks, keep offline and tested backups, and rehearse the response before an incident happens.