The DarkSide Ransomware Gang

The New York Times has a long story on the DarkSide ransomware gang.

A glimpse into DarkSide’s secret communications in the months leading up to the Colonial Pipeline attack reveals a criminal operation on the rise, pulling in millions of dollars in ransom payments each month.

DarkSide offers what is known as “ransomware as a service,” in which a malware developer charges a user fee to so-called affiliates like Woris, who may not have the technical skills to actually create ransomware but are still capable of breaking into a victim’s computer systems.

DarkSide’s services include providing technical support for hackers, negotiating with targets like the publishing company, processing payments, and devising tailored pressure campaigns through blackmail and other means, such as secondary hacks to crash websites. DarkSide’s user fees operated on a sliding scale: 25 percent for any ransoms less than $500,000 down to 10 percent for ransoms over $5 million, according to the computer security firm FireEye.

Posted on June 2, 2021 at 9:09 AM

Comments

Hedo June 2, 2021 1:22 PM

#!
WOW, whaddaya know, RaaS (Ransomware as a Service).
Well, hey, after all, we’re in the year of our Lord 2021 so
c’mon peeps – get with the program.
After all, in the free market economy, the price and
the quality of the offered services should determine
who gets the best and most contracts as there seem to be
plenty of “competition” out there (within the “industry”).
!#

echo June 2, 2021 1:24 PM

DarkSide? Why that name? Do they think it makes them sound snappy and edgy like, uh I don’t know, Laserface? snicker

“The intellectual barrier to entry has gotten extremely low.”

That’s not the goal they think it is.

Cast in stark black and white, the dashboard gave users access to DarkSide’s list of targets as well as a running ticker of profits and a connection to the group’s customer support staff, with whom affiliates could craft strategies for squeezing their victims.

Ooh scary.

The DarkSide software not only locks victims’ computer systems, it also steals proprietary data, allowing affiliates to demand payment not only for unlocking the systems but also for refraining from releasing sensitive company information publicly.

Try me. Anything really confidential never goes anywhere near anything with a plug in it. In fact most of the stuff on my systems people would pay to keep it secret. Putin wouldn’t like half my material getting out as it deals with human rights issues Russia especially is guilty of.

Clive Robinson June 2, 2021 5:37 PM

@ ALL,

The quote from Vladimir Putin about not breaking Russian law, whilst true does not mean they have not broken the law.

The bit from Vlad about Americans is rather dumb though.

Vlad under Russian Presidential authority had something like 23 people in the UK assassinated. So I assume he has also given such orders for Russian citizens to go out and kill others in other Sovereign Nations whose jurisdictions Russian law does not apply to.

I wonder how Vlad and those Russian Crooks would feel, if another Sovereign Nation adopted Russia’s assassination policy against the Russian Crooks?

To make it legal under existing US doctrine all that has to happen is for Ransomware or similar to be declared “terrorism” and as Vlad has flapped his gums arguably it’s “State Sponsored Terrorism”. As we know the US has no qualms about killing even diplomats on peace missions if they believe they were previously involved with State Sponsored Terrorism…

Something perhaps those Russian Crooks and politicians who shield them should think about. Likewise US politicians, after all if those who commit what is regarded as terrorism under state protection feel they can not be protected by the state any longer, then maybe they would consider other occupations.

Just something for people to consider.

echo June 2, 2021 9:03 PM

I was going to return to this topic and pick up where I left off. Clive saved me the bother of writing up what I had in mind. I did wonder about going over the structures and methods of DarkSide (Laserface lol) but I’m not an intelligence analyst nor do I have access to the kind of expert opinion I want to hear nor do I have access to anything beyond the article so anything I might say falls very firmly under speculation. So I began reading the Russian constitution. Oh, Lord. I’m glad I’m not a Russian lawyer. It’s a bit of an awkward document.

The Russian constitution does ramble on a bit and quite a lot caught my eye as I skimmed through it. Sadly too much. I have zero idea of Russian law let alone case law but from a plain reading of the text I have some quibbles with whether the Putin regime is or isn’t following the law of the land.

There are human rights issues in Russia some of which have been instigated by Putin himself in direct contravention of the Russian constitution. Some of this is by pushing through law. Some of it is by applying pressure on various agencies.

Before I got fed up with reading through the Russian constitution one last item caught my eye. Are DarkSide paying their taxes? Presumably the Russian authorities are okay with services rendered for blackmail?

I snipped the vast bulk of everything I was copy-pasting because it was growing to the length of a book. The two articles I settled on sum up most of what I was listing.

Article 55

1. The listing in the Constitution of the Russian Federation of the fundamental rights and freedoms shall not be interpreted as a rejection or derogation of other universally recognized human rights and freedoms.

2. In the Russian Federation no laws shall be adopted cancelling or derogating human rights and freedoms.

3. The rights and freedoms of man and citizen may be limited by the federal law only to such an extent to which it is necessary for the protection of the fundamental principles of the constitutional system, morality, health, the rights and lawful interests of other people, for ensuring defence of the country and security of the State.

[…]

Article 57

Everyone shall be obliged to pay the legally established taxes and dues. Laws introducing new taxes or deteriorating the position of taxpayers may not have retroactive effect.

ADFGVX June 3, 2021 2:00 AM

@Clive Robinson

I wonder how Vlad and those Russian Crooks would feel, if another Sovereign Nation adopted Russia’s assassination policy against the Russian Crooks?

Russia’s FSB among other agencies has a secrecy and treason problem with so many Communists, especially of Ashkenazi Jewish ethnicity, politically aligned with the party of Alexei Navalny and other liberal journalists.

The “Russian Crooks” have so completely taken over the judicial system in the whole country, and arranged it to be so totally dominated by petty tyrant jurisdictions of kraya and oblasti, that there is no choice but to wage covert or open warfare against the communist “thieves in law” or “thieves within the law” as the case may be, as these crimes are too serious, too organized, and too pernicious to be prosecuted in any kind of civil or civilian court system.

Vladimir Putin, like his predecessor Boris Yeltsin, has continued Mikhail Gorbachev’s programs of “glasnost” and “perestroika” which officially ended the Cold War.

But there remains a bitter front on the war against communism, and against the communist culture of excessive alcohol, recreational drugs, and sexual promiscuity.

Winter June 3, 2021 2:50 AM

@ADFGVX
“Vladimir Putin, like his predecessor Boris Yeltsin, has continued Mikhail Gorbachev’s programs of “glasnost” and “perestroika” which officially ended the Cold War.”

Nah, Vlad the Poisoner heads a classic Kleptocracy. All the little kleptocrats in Russia are there to feed the head of the state.

SpaceLifeForm June 3, 2021 5:26 PM

@ ALL, Clive

Attribution is hard. This is a start.

My bolds

https://mobile.reuters.com/article/amp/idUSL2N2NC1SD

Internal guidance sent on Thursday to U.S. attorney’s offices across the country said information about ransomware investigations in the field should be centrally coordinated with a recently created task force in Washington.

“It’s a specialized process to ensure we track all ransomware cases regardless of where it may be referred in this country, so you can make the connections between actors and work your way up to disrupt the whole chain,” said John Carlin, acting deputy attorney general at the Justice Department.

[I have a name for the chain. It is classified. There are good actors in US Government that have the intel]

echo June 3, 2021 11:13 PM

Being a bit bored I was watching some YouTube videos and discovered this on Putin’s poisoning campaign. It’s a bit lurid and the both-sides whataboutery gets up my nose but watchable enough.

I’m personally really upset by Dawn Sturgess’s death. She was just an ordinary homeless person trying to have a nice day and something like that happened to her. You simply DO NOT treat people like that.

https://www.youtube.com/watch?v=XpMNoeIuEys
Is Vladimir Putin the mastermind behind Russia’s global web of poisoning? | Under Investigation

Winter June 4, 2021 12:40 AM

@echo
“Is Vladimir Putin the mastermind behind Russia’s global web of poisoning? | Under Investigation”

If it looks like a duck, walks like a duck, and quacks like a duck, then it most likely is a duck.

If all your enemies die, many from poisons not available outside Russia, and the suspects are employees of your secret service, who admit to doing the killings on the phone when they think they are talking to their superiors, giving detailed information about what happened, and even know where the poison was placed, what is there to Investigate?

Of course, there is still the option that Putin is incompetent and Russia and its secret services are ruled by someone else we do not know. Still, as head of state Putin is responsible for what his underlings do.

echo June 4, 2021 9:57 AM

Far right activists, criminality, and indirect connections with Putin. It’s all very “legal”. No direct lines of control and nothing on paper. More nudge nudge wink wink but the goals are the same. Lots of activity hovering on the line of suspicion and prosecutable if someone wanted to make an issue of it but not quite.

https://www.youtube.com/watch?v=u_iLgMy8weA
Putin’s Patriots: Russian money and influence in Australia | Four Corners

There are similar patterns in the UK and US. In the UK there’s plenty of law which can be used as a model to bring civil or criminal proceedings.

A lot of this far right activity in Europe, the UK, US, and now Australia has been documented. I know because I have seen the reports.

The UK has been collapsing down international benchmarks for human rights and corruption. A lot of this is due to the current regime but austerity and years of gutting local government and other agencies of expertise has not helped. It’s removed a lot of checks and balances and counterweights built up over the years.

Winter June 4, 2021 10:14 AM

@echo
“It’s all very “legal”. No direct lines of control and nothing on paper.”

You have not been following the news. We have names, phone numbers, addresses and spoken confessions of the perpetrators in the Alexei Navalny poisoning.

https://www.schneier.com/blog/archives/2020/12/investigating-the-navalny-poisoning.html

The British even have some of the suspects of other murders and murder attempts on camera. There are warrants out for the suspects of the murder of Alexander Litvinenko, the polonium being traced to a Russian nuclear power plant.

All in all, it is sure the poisonings were done by FSB agents under the direction of high ranking officials. If Putin is not directly involved, he is still responsible as these murders were organized under his watch over a period of years.

echo June 4, 2021 10:45 AM

@Winter

You have not been following the news. We have names, phone numbers, addresses and spoken confessions of the perpetrators in the Alexei Navalny poisoning.

I was discussing the general problem. The second youtube covers this more. The first youtube mentioned the poisonings and evidence.

I already had a clue about all this and yes I do follow the news very closely. The point is you have general cases and specific cases. There can be a lot of allegations and nothing direct, and even in a specific case where it’s effectively proven, it’s only proven up to a point and you’re only catching the small fry. Sometimes it can lead to a big catch. It’s complicated and non-linear.

Most of my mind is on case preparation for something else. I’m assuming anyone reading my comments is awake on the job.

Impossibly Stupid June 4, 2021 11:17 AM

@ADFGVX

there is no choice but to wage covert or open warfare against the communist “thieves in law” or “thieves within the law” as the case may be, as these crimes are too serious, too organized, and too pernicious

Nonsense. We have a nigh infinite number of options we can explore. Even history has a salient lesson to teach us: Russia’s corrupt brand of “communism” is likely to just collapse by its own actions. Warfare does not appear to be necessary at all; just cut them out of the global supply chain.

The only thing that’s been stopping me from dropping the entirety of Russia (or China or any number of other prominent attackers in my logs) in my firewall is that I’ve wanted to give the “good guys” there a chance to make things right. Perhaps I’ve been too generous. Maybe it’s finally time to admit that those people need to fix their internal politics first, and only then does the world agree to connect with them.

But there remains a bitter front on on the war against communism, and against the communist culture of excessive alcohol, recreational drugs, and sexual promiscuity.

What communist manifesto is that covered in? Because it sounds pretty great. I mean, you’re just “rock and roll music” away from America. Pro tip: if you want to demonize a culture, bring up the things that most people won’t think of as fun.

@Winter

Of course, there is still the option that Putin is incompetent and Russia and its secret services are ruled by someone else we do not know.

What difference does it make? This is why the “attribution is hard” line is misguided. People need to get their thinking straight. Either the actions of the people in charge represent a successful strategy for the future of Russia or they do not. If they do, they will continue to succeed and Russians will win out in the end. If they do not, Russians have the most to lose by allowing things to continue this way. None of us has any say in what the Russians do.

Winter June 4, 2021 12:55 PM

@echo
“There can be a lot of allegations and nothing direct and even specific case where it’s effectively proven is it’s only proven up to a point and you’re only catching the small fry.”

There have now been several cases where the perpetrators are known well enough to start a trial, with quite a lot of evidence to ask for extradition. In all cases these are people under the command of Putin, as head of the army and state.

And here it is as in the army, the officer is responsible for the behavior of those under their command. And Putin is the head of state and the highest in rank for army and intelligence services. He is legally responsible for whatever those under his command do. You are not catching the small fry. Those in command would stand on trial too if they could be arrested.

echo June 4, 2021 4:54 PM

“Always look on the DarkSide of life,
Lah lah,
Lah lah,
Lah lah lah lah.”

Someone had to say it.

informed, ex LEA June 5, 2021 3:50 PM

It’s time to stop calling DarkSide a “criminal gang” and refer to them with the proper term.

https://www.foxbusiness.com/politics/colonial-pipeline-hack-involves-little-known-dark-secret-gen-jack-keane

Actually those so called “criminal gangs” consist of govt hackers working daily for FSB, SVR etc and in their free time they are allowed to hack any system they want to learn, master their skills and collect money.

This gives Putin a perfect excuse – those are some criminal gangs, we don’t know nothing about them, Russia categorically denies any involvement in hacking. It’s the same approach Russia has used in East Ukraine from the start – those are local separatists there, we know nothing about them, Russia categorically denies any military involvement in Ukraine.

Russia has mastered this kind of lying and takes the USA and EU for a bunch of idiots.

So in a nutshell, behind the Colonial Pipeline attack were the same hackers that were involved in “Solorigate”.

Clive Robinson June 5, 2021 4:37 PM

@ informed, ex LEA,

Fox News as a source seriously?

A retired General providing the story, seriously?

The situation is actually rather more complicated than that simplistic mind candy for talking head wannabes.

If you thought about basic economics for five minutes you would realise this. Likewise if you knew a little more Russian history.

Most of the people behind Cyber-Crime in Russia are just plain criminals that never ever are employed by the Russian Government, nor would they want to be.

Whilst some are clever, most actually are not much more than one trick ponies or script kiddies, that end up paying protection money one way or another to various crime bosses and get some fraction of what they actually pull in, in foreign currency.

Some who have made some money and been able to keep it, have been daft enough to think they can go on nice Western Holidays… Only to discover that Russian protection is not what they thought it was. The rest are waking up to the realisation that they have effectively imprisoned themselves in an environment where they have to pay and pay to more organised crime, extortion, and being inter gang collateral damage.

But Super Power history tells you that both Russia and the US used proxy wars in other nations, both sponsored terrorism including aircraft hijacking in the 60’s and 70’s. As with all “smoke and mirrors games” things move on, and those sucked into them discover that State Protection is fleeting at best as the terrorists hiding in East Germany and other CCCP satellites had to flee as the walls came down. A number who had technical skills rather than just being deranged got used again, this time in places like the Middle East where they trained the next generation to be used, abused and discarded in another series of Super Power proxy wars.

And so the “great game” goes on, the most important thing being the “sinister hand” not letting the “dexter hand” of the general population know what it was doing.

informed, ex LEA June 5, 2021 5:18 PM

@ mr Clive Robinson

You just don’t know how Russia operates. Nomenklatura and criminality overlaps there, big time. Really high end criminals are mostly ex government and enjoy ex colleagues protection. They provide services to the government, hack “dissidents” etc, do all the dirty work and get protection for that. You either collaborate with the government or you don’t work at all – they just invent some charges on you and you go behind the bars.

Clive Robinson June 5, 2021 6:40 PM

@ informed, ex LEA,

You just don’t know how Russia operates.

You are not “thinking”…

You say,

Really high end criminals are mostly ex government and enjoy ex colleagues protection

Yes I know that is partially true and have already said as much.

Ask yourself why they are “ex government” and you will see the connection to,

“If you thought about basic economics for five minutes you would realise this. Likewise if you knew a little more Russian history.”

Likewise,

They provide services to the government, hack “dissidents” etc, do all the dirty work and get protection for that.

I’ve already said that with,

“But Super Power history tells you that both Russia and the US used proxy wars in other nations, both sponsored terrorism including aircraft hijacking in the 60’s and 70’s. As with all “smoke and mirrors games” things move on…”

As for,

You either collaborate with the government or you don’t work at all

Actually not true, it’s very rare for the Russian Government to stop people “working” that only happens as the start of a last resort process and then often only with regards “politics”. Rather like the US Gov revoking clearance and chasing people into bankruptcy with nuisance law suits to give the impression to the citizenry that it’s “due process for wrong doing”.

In Russia it’s done a different way, mainly at “arm’s length” by the criminal gangs as part of their “pay off” to officials. It’s one of the joys of “small government” and “patronage”: it gives way, way more deniability, especially when none of those involved have ever been anything other than criminals in what some might describe as mafia/triad crime syndicates (which are often not “oligarchs” or very much if anything to do with them).

The rigged court cases are carried out against two sorts of people,

1, Those who have political support.
2, Those far enough up the civil crime side of the patronage system, such as oligarchs, to be able to afford to purchase protection against the methods used on those lower down.

Some run abroad and that’s when “accidents happen”; currently the UK has had between 20 and 30 such suspicious accidents in the past decade or so. These are carried out directly under Russian Presidential authority. Most are “non obvious” to the majority of people in the host nation, thus can be ignored by national government agencies; others are very much designed to send a much broader message to the host nation politicians via the host nation citizens, as was the “Novichok” nerve agent attack on former Russian double agent Sergei Skripal and his daughter, in Salisbury UK back in March 2018. Likewise the earlier Polonium assassination.

Less well known is that counter terrorism detectives in the UK are after three years still looking into the “murder” of retired Russian financial director and Kremlin critic Nikolai Glushkov. He was not a criminal but a businessman; he was found dead at his South London home on the morning he was going to a London Court against Putin’s “close friends”, where it is almost certain Putin would have been very very embarrassed, to put it mildly. Nikolai was “found hanging” in a staged suicide. Why staged? Well, the autopsy findings were consistent with strangling by another person, not with hanging (post mortem injuries are usually fairly easy to spot in an autopsy due to the fact blood was not flowing when they were inflicted; there are ways you can reduce the obviousness but a good forensic pathologist can spot many of them from other indicators).

In all three cases the message was sent, but with enough time to allow the assassins to “get out of the UK” back to Putin’s Russia, where as long as Putin remains in power they are probably safe.

For various reasons I have cause to know about the way things work in Russia and let’s just say that Russia, like the US and China, is not going to be on my list of places to go ever again. There may not be much in the way of protection in the UK, whose politicians whore themselves to all three super-powers, but you try to avail yourself of what there is, as not all of it answers to politicians, a very sore point with the current UK PM.

Security Sam June 6, 2021 10:30 AM

The DarkSide ransomware gang
Has evolved into a cruel joke
Since we’d given them the rope
Guess who has become the dope.
