What is DarkSide? Russian hacker behind Colonial Pipeline ransomware attack didn't want 'problems for society'
The operator of the largest fuel pipeline in the US, Colonial Pipeline, fell victim to a ransomware attack on Friday, May 7, forcing it to temporarily shut down all pipeline operations. The Russia-based hacker group that broke into the operator's network later declared, "Our goal is to make money, and not creating problems for society."
The DarkSide hacker group behind the Colonial Pipeline attack was identified on Sunday, May 9, by the FBI. Though it is a relatively new group, cybersecurity analysts already know enough about it to judge how dangerous it is.
Gas stations from Florida to Atlanta and Virginia closed their pumps because of a fuel shortage brought on by the Colonial Pipeline hack, and the governor of North Carolina declared a state of emergency. American Airlines added stops to two of its long-haul flights from its Charlotte, North Carolina hub in an effort to conserve fuel in areas where it could run short. The company shut down the 5,500-mile Colonial Pipeline on Friday evening, May 7, after the ransomware attack, which appears to have been launched by the Russia-based cybercriminal group DarkSide.
Around 12 other organizations were also affected by the attack. Newt Gingrich, the former Speaker of the House, called for those responsible to be executed and insisted on legislation to elevate cyberattacks to the same level as terror attacks. The pipeline supplies 45 percent of the East Coast's fuel, including Atlanta's airport — the world's busiest by passenger traffic. The pipeline also serves 90 US military installations and 26 oil refineries. On the evening of May 10, motorists were beginning to report shortages at gas stations.
What is DarkSide?
DarkSide is a ransomware program that began attacking organizations around the world in August 2020. First discovered by MalwareHunterTeam, DarkSide is described as high-risk ransomware that appears to be operated by former affiliates of other ransomware campaigns. According to Bleeping Computer, the people behind DarkSide stated: "We are a new product on the market, but that does not mean that we have no experience and we came from nowhere. We received millions of dollars profit by partnering with other well-known crypto lockers. We created DarkSide because we didn't find the perfect product for us. Now we have it." The group also said, "If you would meet us on the street – you would never realize that we are cyberpests, because we are the same normal people like everyone else. Many have families and children, the only thing that these circumstances in which we found themselves in our country are. We have no hatred and desire to cause damage, we perceive our business as any other, the ultimate goal of which is profit."
On Monday, May 11, Cybereason published a new statement from DarkSide's website addressing the Colonial Pipeline shutdown. Under the heading "About the latest news," DarkSide claimed it is not political and only wants to make money without causing problems for society. "We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for our motives," the statement said. "Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future."
DarkSide also maintains that it donates a portion of its profits to charities, although some of the charities have turned down the contributions. "No matter how bad you think our work is, we are pleased to know that we helped change someone's life," the hackers wrote. "Today we sended (sic) the first donations." Like other ransomware used in targeted attacks, DarkSide not only encrypts the victim's data but also exfiltrates data from the affected servers before encryption, so victims face both lost access and the threat of publication. It also appends the .DarkSide extension to the files it encrypts.
Cybereason found that the group operates in a highly professional manner: it offers a help desk and a call-in phone number for victims, and has already leaked confidential data from more than 40 victims. It maintains a website called "DarkSide Leaks," modeled on WikiLeaks, where the hackers post the private data they have stolen from companies. Typical ransom demands range from $200,000 to $20 million, and Cybereason says the hackers gather detailed intelligence on their victims beforehand, learning the size and scope of the company and who the key decision-makers inside the firm are.