Wikipedia

DarkSide (hacker group)

DarkSide is a cybercriminal hacking group, believed to be based in Eastern Europe, that targets victims using ransomware and extortion; it is believed to be behind the Colonial Pipeline cyberattack.[1][2][3][4] It is thought that they have been able to hack and extort money from around 90 companies in the USA alone. The group provides ransomware as a service.[4][5][6]

DarkSide
Purpose: Ransomware as a service
Region: Eastern Europe
Official language: Russian

DarkSide itself claims to be apolitical.[7]

Targets

DarkSide is believed to be based in Eastern Europe, likely Russia, but unlike other hacking groups responsible for high-profile cyberattacks it is not believed to be directly state-sponsored (i.e., operated by Russian intelligence services).[3][8] DarkSide avoids targets in certain geographic locations by checking their system language settings. In addition to the languages of the 12 current, former, or founding CIS countries the exclusion list contains Syrian Arabic.[9] Experts state that the group is "one of the many for-profit ransomware groups that have proliferated and thrived in Russia" with at least the implicit sanction of the Russian authorities, who allow the activity to occur so long as it attacks foreign targets.[8] The language check feature can be disabled when an instance of ransomware is built. One such version was observed in May 2021.[10] Additionally, DarkSide does not target healthcare centers, schools, and non-profit organizations.[11]

Ransomware code used by DarkSide resembles ransomware software used by REvil, a different hacking group; REvil's code is not publicly available, suggesting that DarkSide is an offshoot of REvil[12] or a partner of REvil.[4] DarkSide and REvil use similarly structured ransom notes and the same code to check that the victim is not located in a Commonwealth of Independent States (CIS) country.[13]

According to Trend Micro Research data, the United States is by far DarkSide's most targeted country, at more than 500 detections, followed by France, Belgium, and Canada.[13] Of 25 countries observed by McAfee the most affected by DarkSide attacks in terms of number of devices impacted per million devices are Israel (1573.28), Malaysia (130.99), Belgium (106.93), Chile (103.97), Italy (95.91), Turkey (66.82), Austria (61.19), Ukraine (56.09), Peru (26.94), the U.S. (24.67).[14]

As of June 2021, DarkSide has only published data from one company; the amount of data published exceeds 200 GB.[15]

Mechanism of attack

The DarkSide ransomware initially bypasses UAC using the CMSTPLUA COM interface.[15] The software then checks the system's location and language to avoid machines in former Soviet countries; the excluded languages are Russian, Ukrainian, Belarusian, Tajik, Armenian, Azerbaijani, Georgian, Kazakh, Kyrgyz, Turkmen, Uzbek, Tatar, Moldovan Romanian, and Syrian Arabic.[15]

The software then creates a file named LOG.{userid}.TXT, which serves as a log file.[15] The software deletes files in the recycle bin one by one, uninstalls certain security and backup software programs, and terminates processes to allow access to user data files.[15] During the encryption process proper, a user ID is generated based on a MAC address and appears appended to filenames, and file data is encrypted with Salsa20 and a randomly generated matrix key (which, encrypted with a hardcoded RSA key, is itself appended to the file).[15] However, the software avoids encrypting certain folders, files, and filetypes.[15]

Finally, the ransomware leaves behind a ransom note titled README.{userid}.TXT, which directs the user to access a site with Tor; this site then prompts the user to verify their identity and to make a payment using Bitcoin or Monero.[15]
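The three on-disk artifacts described above (the LOG.{userid}.TXT log file, the user ID appended to encrypted filenames, and the README.{userid}.TXT ransom note) share one victim-specific identifier, which makes them a natural triage signal for an incident responder. The following is an added example written for this article, not code from the article or from any vendor cited here. It assumes the appended user ID takes the form of a trailing ".{userid}" extension, and that the same ID appears in all three artifact types; the article does not state the exact shape of the ID, so that is an assumption. The file listing is constructed for the demonstration and contains no real indicators.

```python
"""Triage helper: flag DarkSide-style artifact clusters in a file listing.

Added example, not code from the article or any cited vendor. ASSUMPTIONS:
the appended user ID is a trailing ".{userid}" extension, and the same ID
appears in LOG.{userid}.TXT, README.{userid}.TXT and the encrypted files.
"""
import re
from collections import defaultdict

# Constructed sample listing (not real IoCs): one host that looks hit, plus noise
# that should NOT raise an alert on its own.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\LOG.a1b2c3d4.TXT",
    r"C:\Users\alice\Documents\README.a1b2c3d4.TXT",
    r"C:\Users\alice\Documents\budget.xlsx.a1b2c3d4",
    r"C:\Users\alice\Documents\notes.docx.a1b2c3d4",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\Documents\README.TXT",        # ordinary readme, no ID
    r"C:\Windows\System32\LogFiles\LOG.2021.TXT",  # similar name, no matching note
]

LOG_RE = re.compile(r"^LOG\.([0-9a-zA-Z]+)\.TXT$", re.IGNORECASE)
NOTE_RE = re.compile(r"^README\.([0-9a-zA-Z]+)\.TXT$", re.IGNORECASE)
SUFFIX_RE = re.compile(r"\.([0-9a-zA-Z]+)$")


def basename(path):
    """Return the final path component; accepts Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def triage(listing):
    """Group artifacts by candidate user ID and keep the suspicious clusters.

    Returns {userid: {"log": n, "note": n, "encrypted": n}} for IDs that have a
    ransom note AND at least one other artifact type. A lone LOG.*.TXT or a
    lone README therefore does not alert; the correlation is the signal.
    """
    counts = defaultdict(lambda: {"log": 0, "note": 0, "encrypted": 0})
    names = [basename(p) for p in listing]

    # Pass 1: harvest candidate IDs from the log file and ransom note names.
    for name in names:
        m = LOG_RE.match(name)
        if m:
            counts[m.group(1)]["log"] += 1
            continue
        m = NOTE_RE.match(name)
        if m:
            counts[m.group(1)]["note"] += 1

    # Pass 2: count files whose trailing extension equals a harvested ID.
    # Doing this second avoids treating every ".jpg" or ".xlsx" as an ID.
    for name in names:
        if LOG_RE.match(name) or NOTE_RE.match(name):
            continue
        m = SUFFIX_RE.search(name)
        if m and m.group(1) in counts:
            counts[m.group(1)]["encrypted"] += 1

    return {
        uid: c for uid, c in counts.items()
        if c["note"] and (c["log"] or c["encrypted"])
    }


def report(listing):
    """Human-readable summary, one line per suspicious cluster."""
    hits = triage(listing)
    if not hits:
        return "no DarkSide-style artifact clusters found"
    return "\n".join(
        f"user ID {uid}: {c['note']} note(s), {c['log']} log(s), "
        f"{c['encrypted']} file(s) with appended ID"
        for uid, c in sorted(hits.items())
    )


if __name__ == "__main__":
    print(report(SAMPLE_LISTING))
```

Run against a real host, the listing would come from a file-system walk or an EDR inventory export; the point of the two-pass design is that the appended-ID check is only meaningful once a ransom note or log file has supplied a candidate ID, which keeps ordinary extensions from being mistaken for victim identifiers.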

Business model

DarkSide uses intermediary hackers ("affiliates").[16] It uses "ransomware-as-a-service"[4][5][6] — a model in which DarkSide grants its "affiliate" subscribers (who are screened via an interview) access to ransomware developed by DarkSide, in return for giving DarkSide a share of the ransom payments (apparently 25% for ransom payments under US$500,000 and 10% for ransom payments over US$5 million).[4] Affiliates are given access to an administration panel on which they create builds for specific victims. The panel allows some degree of customization for each ransomware build. Cybersecurity firm Mandiant, a subsidiary of FireEye, has documented five clusters of threat activity that may represent different affiliates of the DarkSide RaaS platform, and has described three of them, referred to as UNC2628, UNC2659, and UNC2465.[10]

History and attacks

2020

August to October

The group was first noticed in August 2020.[15] Cybersecurity company Kaspersky described the group as an "enterprise" due to its professional-looking website and attempts to partner with journalists and decryption companies.[2] The group "has publicly stated that they prefer to target organizations that can afford to pay large ransoms instead of hospitals, schools, non-profits, and governments."[6] The group has sought to foster a "Robin Hood" image, claiming that they donated some of their ransom proceeds to charity.[1][17] In a darkweb post, the group posted receipts for donations of BTC 0.88 (then worth US$10,000) each to Children International and to The Water Project dated to October 13, 2020; Children International stated that it will not keep the money.[18][19]

2020 to 2021

December to May

From December 2020 to May 2021, ransoms demanded by the group ranged from US$200,000 to US$2 million.[15][12] DarkSide attacked U.S. oil and gas infrastructure on four occasions.[8] DarkSide ransomware hit the IT managed services provider CompuCom in March 2021, costing over US$20 million in restoration expenses; it also attacked Canadian Discount Car and Truck Rentals[20] and Toshiba Tec Corp., a unit of Toshiba Corp.[21] DarkSide extorted money from the German company Brenntag.[16] The cryptocurrency security firm Elliptic stated that a Bitcoin wallet opened by DarkSide in March 2021 had received US$17.5 million from 21 Bitcoin wallets (including the Colonial Pipeline ransom), indicating the number of ransoms received over the course of a few months.[16] Elliptic's analysis showed that in total, DarkSide received over US$90 million in ransom payments from at least 47 victims. The average ransom payment was US$1.9 million.[22]

2021

May

The Federal Bureau of Investigation identified DarkSide as the perpetrator of the Colonial Pipeline ransomware attack, a cyberattack on May 7, 2021, perpetrated by malicious code, that led to a voluntary shutdown of the main pipeline supplying 45% of fuel to the East Coast of the United States.[3][12][23] The attack was described as the worst cyberattack to date on U.S. critical infrastructure.[1] DarkSide successfully extorted about 75 Bitcoin (almost US$5 million) from Colonial Pipeline.[16] U.S. officials are investigating whether the attack was purely criminal or took place with the involvement of the Russian government or another state sponsor.[12] Following the attack, DarkSide posted a statement claiming that "We are apolitical, we do not participate in geopolitics...Our goal is to make money and not creating problems for society."[12]

In May 2021, the FBI and Cybersecurity and Infrastructure Security Agency issued a joint alert urging the owners and operators of critical infrastructure to take certain steps to reduce their vulnerability to DarkSide ransomware and ransomware in general.[6]

On 14 May 2021, in a Russian-language statement obtained by the cybersecurity firms Recorded Future, FireEye, and Intel 471 and reported by the Wall Street Journal and The New York Times, DarkSide said that "due to the pressure from the U.S." it was shutting down operations, closing the gang's "affiliate program" (the intermediary hackers that DarkSide works with to hack).[16][24] The specific "pressure" referred to was not clear, but the preceding day, U.S. President Joe Biden suggested that the U.S. would take action against DarkSide to "disrupt their ability to operate."[16] DarkSide claimed that it had lost access to its payment server, blog, and funds withdrawn to an unspecified account.[16] Cybersecurity experts cautioned that DarkSide's claim to have disbanded might be a ruse to deflect scrutiny,[16] and possibly allow the gang to resume hacking activities under a different name.[24] It is common for cybercriminal networks to shut down, revive, and rebrand in this way.[16]

Agence France-Presse reporters discovered that the Recorded Future report which detailed the loss of DarkSide servers and funds was retweeted by the Twitter account of the 780th Military Intelligence Brigade, a US Army Cyberwarfare group involved in offensive operations.[25]

References

  1. "Who are DarkSide, the 'Robin Hood' criminal gang blamed for shutting down one of the biggest fuel pipelines?". www.abc.net.au. May 9, 2021. Retrieved May 10, 2021.
  2. Dedenok, Roman (May 10, 2021). "DarkSide leaks shows how ransomware is becoming an industry". Kaspersky Daily. AO Kaspersky Lab.
  3. Dustin Volz, U.S. Blames Criminal Group in Colonial Pipeline Hack, Wall Street Journal (May 10, 2021).
  4. Charlie Osborne, Researchers track down five affiliates of DarkSide ransomware service, ZDNet (May 12, 2021).
  5. Chris Nuttall, DarkSide's ransomware-as-a-service, Financial Times (May 10, 2021).
  6. Alert (AA21-131A): DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks, Cybersecurity and Infrastructure Security Agency/Federal Bureau of Investigation (May 11, 2021, last revised May 12, 2021).
  7. Javers, Eamon (May 10, 2021). "Here's the hacking group responsible for the Colonial Pipeline shutdown". CNBC. Retrieved May 21, 2021.
  8. Nicolás Rivero, Hacking collective DarkSide are state-sanctioned pirates, Quartz (May 10, 2021).
  9. Cybereason vs. DarkSide Ransomware, Cybereason (April 1, 2021).
  10. "Shining a Light on DARKSIDE Ransomware Operations". Mandiant.
  11. Muncaster, Phil (March 12, 2021). "Darkside 2.0 Ransomware Promises Fastest Ever Encryption Speeds". Infosecurity Magazine. Retrieved May 21, 2021.
  12. David E. Sanger & Nicole Perlroth, F.B.I. Identifies Group Behind Pipeline Hack, New York Times (May 10, 2021).
  13. What We Know About the DarkSide Ransomware and the US Pipeline Attack, Trend Micro Research (May 14, 2021).
  14. Threat Profile: DarkSide Ransomware, MVISION Insights, McAfee.
  15. "Case study: Darkside Ransomware does not attack hospitals, schools and governments". Acronis. Retrieved May 15, 2021.
  16. Michael Schwirtz & Nicole Perlroth, DarkSide, Blamed for Gas Pipeline Attack, Says It Is Shutting Down, New York Times (May 14, 2021).
  17. "Mysterious 'Robin Hood' hackers donating stolen money". BBC News. October 19, 2020. Retrieved May 10, 2021.
  18. "Cybereason vs. DarkSide Ransomware". www.cybereason.com. April 1, 2021. Archived from the original on April 1, 2021. Retrieved June 10, 2021.
  19. Tidy, Joe (October 19, 2020). "Mysterious 'Robin Hood' hackers donating stolen money". BBC News. Retrieved June 10, 2021.
  20. Immanni, Manikanta (March 28, 2021). "Ransomware Attack on CompuCom Costs Over $20 Million in Restoration Expenses". TechDator. Retrieved May 14, 2021.
  21. Benoit Overstraeten & Makiko Yamazaki, Toshiba unit hacked by DarkSide, conglomerate to undergo strategic review, Reuters (May 14, 2021).
  22. "DarkSide Ransomware has Netted Over $90 million in Bitcoin". Elliptic. Retrieved May 20, 2021.
  23. Ellen Nakashima, Yeganeh Torbati & Will Englund, Ransomware attack leads to shutdown of major U.S. pipeline system, Washington Post (May 8, 2021).
  24. Robert McMillan & Dustin Volz, Colonial Pipeline Hacker DarkSide Says It Will Shut Operations, Wall Street Journal (May 14, 2021).
  25. "Servers of Colonial Pipeline hacker Darkside forced down: security firm". AFP. Retrieved May 25, 2021.
