DarkSide ransomware is part of a growing underground industry

Author : jimmyn
Publish Date : 2021-05-12 03:25:54


WASHINGTON - The FBI said on Monday that a ransomware attack that disrupted a major pipeline in the United States last week originated from a product developed by the DarkSide criminal group.

Hackers who created the malware that infiltrated Colonial Pipeline, which supplies 45 percent of the East Coast's gasoline, diesel and jet fuel, are selling an easy-to-use toolkit to customers hoping to enter the ransomware business - a growing industry that now allows almost anyone to make money by encrypting victims' files and holding them hostage.

"Gone are the days of a masked hacker ..." said Lior Div, CEO and co-founder of Cybereason. "It's not dark anymore, it's a real business. ... When there is a financial drive, there are bad people who will finance it."

Photo showing the Houston Colonial pipeline facility in Pasadena, Texas (east of Houston) taken on May 10, 2021 (Francois Picard / AFP via Getty Images)
Div and his colleagues have been monitoring the spread of DarkSide ransomware since late last summer, and according to Div, they have successfully prevented attacks that have used the tool on many occasions. "It came almost out of nowhere," he recalls, "becoming very active and very aggressive."

While Colonial Pipeline announced on Monday that it had shielded most of its systems from the impact of the intrusion and was slowly bringing parts of the pipeline back online, the days-long disruption of fuel deliveries to much of the country highlighted the growing real-world impact of ransomware. At the same time, it shines a spotlight on the criminals behind the growing ransomware industry who, as Div suggested, may not appreciate the interest of the US government, because it is "bad for business."

DarkSide, a relatively new ransomware tool, is being sold by hackers who claim to "have earned millions of dollars by partnering with other well-known crypto lock tools", creating a "perfect product" based on years of experience, according to a press release the group published in August 2020.

According to Div, since offering buyers a full-service, easy-to-deploy ransomware tool requires significant funding, expertise and resources, the criminal group is clearly sophisticated, not unlike a startup staffed by experts. While the hacking group's website was down for a while on Tuesday, the group clearly has a very professional process, he told Yahoo News. "We know for sure these are the people who have been there and done that. You can see that in the speed [and] quality [of the attacks]. In order to develop something like this, you need a list of developers, and you have to pay them well." The group would need to hire experts to make sure the ransomware tool works at all times. "This isn't two people in a garage," said Div.

Holding tanks are seen in an aerial photograph at Colonial Pipeline's Dorsey Junction Station in Woodbine, Maryland, U.S. May 10, 2021. (Drone Base/Reuters)
While the product itself is fairly new, ransomware has become an increasingly popular and profitable enterprise for criminals and nation-states alike over recent years. By August 2020, just a couple of months after millions of people around the world began working from home amid the coronavirus pandemic, DarkSide had launched its operations on the dark web, but it is far from the only threat. According to recent remarks by Homeland Security Secretary Alejandro Mayorkas, ransomware attacks have increased by 300 percent over the past year, costing victims more than $350 million. North Korean hackers, in an effort to evade harsh sanctions on the isolated kingdom, have deployed their own ransomware and other digital attacks to pilfer over $1 billion in recent years, according to a Justice Department indictment unsealed in February.

While Div said he doesn't keep specific statistics about the number of groups offering ransomware as a service at any given time, he did explain that his company saw a huge uptick in the sale of ransomware tools as people began working from home during the pandemic, unprotected by corporate networks and security tools.

Ransomware as a service, according to cybersecurity researchers who have analyzed the industry, is a popular new business model in which professional hackers, rather than going after targets themselves, sell access to their malicious digital tools to customers. This model “gives everyone, even people without much technical knowledge, the ability to launch ransomware attacks just by signing up for a service,” explained cybersecurity firm CrowdStrike in a blog post in January.

According to cybersecurity firm Digital Shadows, DarkSide is "hardly innovating" in the methods it uses to compromise its targets, making use of well-known vulnerabilities, though the group "has a highly targeted approach" in selecting victims.

Additionally, the group that sells DarkSide has put on a professional veneer, publishing press releases, providing victim service communication portals and establishing corporate principles, including not attacking hospitals, schools and universities, nonprofits or government agencies. The group also promises to provide a good-faith example of its ability to decrypt files to demonstrate trust, and has even made attempts to donate anonymous digital currency to various charities, though those groups have refused the funds based on their criminal origins.

Secretary of Homeland Security Alejandro Mayorkas briefs reporters on the cyber attack on the Colonial Pipeline and the U.S. response during the daily press briefing at the White House on May 11, 2021 in Washington, DC. (Drew Angerer/Getty Images)
The criminal group has been described as something of a “Robin Hood,” though its list of prohibited targets notably excludes companies that fall under the banner of critical infrastructure, despite their importance to the functioning of everyday society.

According to Div, the hackers' attempt at appearing like "the good guy" is driven purely by the desire for profit, because "by generating trust, saying they're not the bad guys, the probability you're going to pay them is higher." He analyzed an announcement made after the pipeline attack, in which the group promised to investigate its customer for targeting critical infrastructure, as part of the same style of reputation management rather than genuine concern. Ultimately, he concluded, the criminal group is likely quite familiar with its customers, because it is sharing profits with them.

Researchers have concluded the veteran hackers are based in Eastern Europe, partially based on the fact that the malware does not work when a device’s keyboard is set up for a variety of languages spoken in former Soviet bloc countries, including Russian, Ukrainian and Armenian.
