The news that the cybercriminals whose ransomware operation was responsible for the $5 million Colonial Pipeline attack are shutting up shop may not actually amount to all that much. Far from being the start of the demise of ransomware as a leading cybersecurity threat, I’d suggest it’s not even the last we’ll see of the criminals behind DarkSide.
I was one of the first people to write about the DarkSide ransomware threat, way back in August 2020, and the group even used that story as part of a ‘who are DarkSide’ FAQ for potential affiliates. At that time, it appeared likely that DarkSide had links to REvil, currently the biggest and most successful of the ransomware criminal groups, with some shared code and ransom note templates. It’s now thought that some REvil actors were responsible for creating DarkSide and turning it into a ransomware innovator in many ways.
DarkSide ransomware tactics
Although the ransomware-as-a-service model that DarkSide used so successfully, at least up until the Colonial Pipeline attack, was nothing new, some of the tactics it employed certainly were. Not the double extortion of data exfiltration combined with network lockdown, as so successfully used by REvil, nor the cultivation of a polished dark web marketing forum for victim shaming, media attention and affiliate recruitment.
However, the implementation of a cold-calling service in the ransomware management console, whereby affiliates could personally call victims in an attempt to convince them to pay, was new. So was the addition of a distributed denial of service (DDoS) capability for added negotiation leverage, and the tactic of offering information about an attack to unscrupulous traders before alerting the media, enabling the shorting of the victim company’s stock. All these innovations were aimed directly at tightening the payment screw.
What went so spectacularly wrong for DarkSide?
What DarkSide got spectacularly wrong was the level of trust placed in affiliates using the ransomware-as-a-service scheme to follow the so-called code of conduct that was in place. This code, which prohibited attacks on targets such as hospitals, schools, charities and public-sector bodies, appeared designed to give DarkSide a friendly ‘Robin Hood’ face. Indeed, DarkSide even went as far as donating some ransom proceeds to selected charities. The truth, of course, is that DarkSide attacks, like all such criminal activity, were driven by greed rather than benevolence.
The statement released by the cybercriminals after the Colonial Pipeline attack was attributed to them was quick to point out that the group was apolitical and not connected with any government, but instead had the simple goal of making money. It went on to try shifting the blame for the attack to an affiliate rather than itself, which is valid only to the extent that an affiliate would indeed have carried out the attack itself.
Big game hunting
That’s the whole point of the ransomware-as-a-service business model: the developer of the ransomware code provides tools and resources to deploy that code, the attacker does the donkey work and gets a cut of any ransom paid. In the case of DarkSide, an affiliate could expect 10% of a ransom greater than $5 million, rising to 25% for those less than $500,000. This encourages ‘big game hunting’ of targets, which will likely pay higher ransoms.
It seems rather too simplistic to assume that Colonial was somehow caught up in an attack in error, that the affiliate didn’t know who the victim was or the potential fallout that would occur. Ransomware attacks are, on the whole, highly targeted affairs, and the ‘spray and pray’ days of old are long gone.
I suspect they simply didn’t care: ransomware had already reached a tipping point where big targets were the norm, the consequences of which mattered not one jot when compared to the potential profit to be made. Sorry if this is news to you, but that’s how criminals work.
The death of DarkSide may not be all it seems
DarkSide tried to suggest differently after it became apparent that the U.S. government, national security and law enforcement were not going to sit back and do nothing this time. The gang said it would start moderating the targets that affiliates had chosen before an attack could be launched to “avoid social consequences in the future.” To avoid getting their asses in the fire, more like.
DarkSide was effectively forced into retreat by alleged law enforcement or unspecified government disruption of the publicity blog and the ransom negotiation dark web site.
The main Russian-language criminal forum that acted as a recruitment post for potential affiliates banned all ransomware groups from advertising. The cryptocurrency wallets used by DarkSide were, it has also been said, found and funds exfiltrated.
How will the ransomware business model change?
The knock-on effect has already started: Babuk, the group behind the recent District of Columbia police department ransomware attack, is thought to be abandoning the ransomware-as-a-service business and going ‘private’ instead.
REvil has followed where DarkSide left off in announcing a ban on affiliate targeting of healthcare, education, public sector and government organizations.
“I do find it particularly interesting that other ransomware groups like REvil are speaking on their code of ethics in response to the actions observed to have been taken against DarkSide,” Curtis Simpson, CTO of Armis, said. “The primary reasons for these so-called codes of ethics can be assumed to be: the likelihood of swift, global actions being taken against ransomware-as-a-service operators and their infrastructure is high.”
With criminal forums likely to want to avoid additional heat by imposing blanket bans on recruitment advertising, and ransomware groups wishing to avoid it by tightly moderating targets, the days of affiliate ransomware schemes as we’ve known them could soon be over.
Classic case of misdirection
What won’t be over is DarkSide as a criminal organization; it will continue in all but name. “It’s not a death; it’s a rebrand,” says Cyjax CISO and threat intelligence specialist Ian Thornton-Trump. “I think this is a classic case of misdirection in order to prevent very bad things from happening to the members,” he continues, adding, “messing with ‘big oil’ was a terrible idea, DarkSide stuck their **** into a hornet’s nest.”
What also won’t be over, I’m sad to say, is ransomware as a very profitable criminal business. The business model will change, just as it has always evolved, but it won’t go away. Why would it when there are so many big corporate targets out there continuing to make the mistakes that let these attackers onto their networks?
As far as the Colonial Pipeline compromise is concerned, “absent a detailed technical report which identifies the security control or process, procedure or policy failure that led to the shutdown we have little to go on,” Thornton-Trump says, concluding, “the first item would be a requirement for full transparency of the incident so others can learn from what happened…”