The DarkSide hacker gang that is reportedly responsible for the devastating Colonial Pipeline attack this weekend is a relatively new group, but cybersecurity analysts already know enough about them to determine just how dangerous they are.
According to Boston-based Cybereason, DarkSide is an organized group of hackers set up along the “ransomware as a service” business model, meaning the DarkSide hackers develop and market ransomware hacking tools, and sell them to other criminals who then carry out attacks. Think of it as the evil twin of a Silicon Valley software start-up.
Bloomberg first reported that DarkSide may be involved in the attack on Colonial Pipeline.
On Monday, Cybereason provided CNBC with a new statement from DarkSide’s website that appears to address the Colonial Pipeline shutdown.
Under a heading, “About the latest news,” DarkSide claimed it’s not political and only wants to make money without causing problems for society.
“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for our motives,” the statement said. “Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
Cybereason reports that DarkSide has a perverse desire to appear ethical, even posting its own code of conduct for its customers telling them who and what targets are acceptable to attack. Protected organizations not to be harmed include hospitals, hospices, schools, universities, nonprofit organizations, and government agencies. Also apparently protected are entities based in former Soviet countries. Fair game, then, are all for-profit companies in English speaking countries.
DarkSide also maintains that it will donate a portion of its profits to charities, although some of the charities have turned down the contributions.
“No matter how bad you think our work is, we are pleased to know that we helped change someone’s life,” the hackers wrote. “Today we sended [sic] the first donations.”
Cybereason found that the group is highly professional, offering a help desk and call in phone number for victims, and has already published confidential data on more than 40 victims. It maintains a website called “DarkSide Leaks” that’s modeled on WikiLeaks where the hackers post the private data of companies that they’ve stolen.
They conduct “double extortion,” which means the hackers not only encrypt and lock up the victim’s data, but they also steal data and threaten to make it public on the DarkSide Leaks site if companies don’t pay ransom.
Typical ransom demands range from $200,000 to $20 million, and Cybereason says the hackers gathered detailed intelligence on their victims, learning the size and scope of the company as well as who the key decision-makers are inside the firm.
The hackers continue to expand: Cybereason reports they recently released a new version of their malware: DarkSide 2.0.