“These guys provide the marketing, the people who handle customer success, as well as the actual ransomware,” said Mark Arena, chief executive officer of the cybersecurity firm Intel 471, which tracks DarkSide. “Fortune 500 CEOs would be impressed with the efficiency of the business model.”
That model has helped the group rack up scores of victims beginning late last summer, ranging from oil field services companies to law firms to banks.
An unpublished analysis by BAE Systems Applied Intelligence found that most DarkSide victims were U.S. companies, but the hackers also hit firms in Europe, South Africa and Brazil. The report noted that affiliates are asked not to attack targets within the borders of the Commonwealth of Independent States, a group of nations that includes Russia and much of the former Soviet Union, possibly indicating the hackers’ home base.
Data posted to the group’s dark web page suggest that victims included Dixie Group Inc., a major U.S. manufacturer of carpets and rugs; the farm products supplier Carolina Eastern Inc.; and Paslin Co., a Michigan company that makes welding machinery for the auto industry. Representatives for the three companies didn’t immediately respond to a request for comment, but the Dixie Group in April disclosed a ransomware hack.
None of those garnered the kind of attention that has resulted from the attack on Colonial Pipeline, which operates more than 5,000 miles of pipeline that ship gasoline and jet fuel from Houston up the East Coast to the area around New York City.
There is some evidence that DarkSide did not intend for the hack to have so great an impact. The group’s operators released a statement Monday saying that they had no interest in geopolitics, and weren’t even in control of which companies get attacked using their platform.
That could very well be true, said Adrian Nish, head of cyber for BAE Systems Applied Intelligence. “The traditional affiliate model is like a distributor in business,” he said. “You build the tools but then scale up by getting a whole lot of people to use your tools and services.”
In DarkSide’s case, that includes not just the actual ransomware used to encrypt data on a victim’s computers, but also services such as making calls to those victims and hosting a website where sensitive data stolen during attacks can be posted. Ransom demands easily reach into the millions of dollars for large companies, and DarkSide takes a 10% to 25% cut off the top of any payment, according to Intel 471’s Arena.
He said Intel 471 analysts were able to observe a negotiation between DarkSide and a large U.S. victim over several days in January. The hackers began by demanding $30 million, which would double if payment wasn’t made by a defined date. The hackers also threatened to release sensitive data stolen from the company unless it paid, providing samples to validate the threat.