The hacker group blamed for this weekend’s ransomware attack on the Colonial petroleum pipeline has insisted it only wanted to make money and regretted “creating problems for society”.
In a statement posted on Monday, the criminal group known as DarkSide said it was “apolitical” and attempted to deflect blame for the attack on to “partners” that had used its ransomware technology.
The FBI on Monday named DarkSide as the perpetrator of a giant hack that has taken a key US oil pipeline offline for three days, threatening to drive up fuel prices and forcing the US government to bring in emergency powers to keep supplies flowing.
“The FBI confirms that the DarkSide ransomware is responsible for the compromise of the Colonial Pipeline networks,” the agency said in a statement. “We continue to work with the company and our government partners on the investigation.”
Ransomware attacks involve hackers breaking into an organisation's network and encrypting its data or software systems, locking the owners out until a payment is made, typically in exchange for the key needed to decrypt the files.
“Our goal is to make money, and not creating problems for society,” DarkSide said, adding that it would “check each company that our partners want to encrypt to avoid social consequences in the future”.
DarkSide emerged as one of the leading ransomware outfits last August, and is believed to be run from Russia by an experienced team of online criminals. Silicon Valley-based cyber security company CrowdStrike has traced DarkSide’s origins to the criminal hacking group known as Carbon Spider, which “dramatically overhauled their operations” last year to focus on the fast-growing field of ransomware.
“We are a new product on the market, but that does not mean that we have no experience and we came from nowhere,” DarkSide has said previously.
Brett Callow, an analyst at the cyber security group Emsisoft, said: “DarkSide doesn’t eat in Russia. It checks the language used by the system and, if it’s Russian, it quits without encrypting.”
He added that the group rented out its services on the dark web. “DarkSide is a ransomware-as-a-service operation. I assume the attack on Colonial was carried out by an affiliate and the group is concerned about the level of attention it has attracted.”
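The exclusion check Callow describes is easy to mistake for a string comparison on a language name; on Windows it is normally a comparison on the numeric LANGID, and only on its primary-language bits. The following is an added illustration of that logic, not DarkSide's code or anything recovered from a sample. It assumes an excluded list containing only Russian, as the article states, and goes one step beyond the text by also checking installed keyboard layouts, a related check that several ransomware families use; the language-tag table and the sample inputs are constructed for the example.

```python
"""Illustrative reconstruction of a ransomware locale-exclusion check.

Windows encodes a language as a 16-bit LANGID: the low 10 bits are the
primary language (0x19 = Russian), the high 6 bits the sub-language
(0x01 = Russia, 0x02 = Moldova). Malware that tests only the primary
language treats ru-RU and ru-MD identically. Nothing here touches files;
it only shows the decision the article describes.
"""

LANG_RUSSIAN = 0x19  # PRIMARYLANGID for Russian (documented Windows value)

# Assumption: only Russian is excluded, which is all the article states.
EXCLUDED_PRIMARY_LANGS = {LANG_RUSSIAN}

# Constructed BCP-47 tag -> LANGID table, just enough for the samples below.
TAG_TO_LANGID = {
    "en-US": 0x0409,
    "de-DE": 0x0407,
    "ru-RU": 0x0419,
    "ru-MD": 0x0819,
    "uk-UA": 0x0422,
}


def primary_lang(langid: int) -> int:
    """Equivalent of the PRIMARYLANGID macro: keep the low 10 bits."""
    return langid & 0x3FF


def is_excluded(langid: int, excluded=EXCLUDED_PRIMARY_LANGS) -> bool:
    """True when the LANGID's primary language is on the exclusion list."""
    return primary_lang(langid) in excluded


def should_abort(ui_langid: int, keyboard_langids) -> bool:
    """Abort before encrypting if the UI language or any installed keyboard
    layout is excluded. The keyboard-layout part is a generalisation beyond
    the article, which mentions the system language only."""
    if is_excluded(ui_langid):
        return True
    return any(is_excluded(k) for k in keyboard_langids)


def decide(ui_tag: str, keyboard_tags) -> str:
    """Map constructed language tags to LANGIDs and return the decision."""
    ui = TAG_TO_LANGID[ui_tag]
    keyboards = [TAG_TO_LANGID[t] for t in keyboard_tags]
    return "abort" if should_abort(ui, keyboards) else "continue"


if __name__ == "__main__":
    # Constructed host profiles: (UI language, installed keyboard layouts)
    samples = [
        ("en-US", ["en-US"]),
        ("ru-RU", ["ru-RU"]),
        ("ru-MD", ["en-US"]),
        ("en-US", ["en-US", "ru-RU"]),
        ("uk-UA", ["uk-UA"]),
    ]
    for ui, kbs in samples:
        print(f"ui={ui:<5} keyboards={kbs!s:<20} -> {decide(ui, kbs)}")
```

Two points follow from the masking. First, an analyst reading a sample should expect a comparison against a table of 16-bit values after a call such as GetSystemDefaultUILanguage or GetKeyboardLayoutList, not a search for the string "Russian". Second, because only the primary language is tested, any Russian sub-language matches, while a language that merely shares a script (Ukrainian here, under the article's Russian-only assumption) does not.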
In a sign of how ransomware has become a professionalised industry, DarkSide operates its own “press office” and claims to have an ethical approach to choosing its targets. DarkSide’s website claims that “based on our principles”, it will hold off from attacking medical institutions such as hospitals, care homes and vaccine developers; the providers of funeral services; schools and universities; non-profits and governmental organisations.
That stands in contrast to the rest of the ransomware industry, for whom healthcare providers and the public sector are among the largest targets. Colonial Pipeline is a private company owned by investors including Shell, KKR and Koch Capital.
IT security firm Kaspersky said DarkSide aimed to “generate as much online buzz as possible”.
“More media attention could lead to more widespread fear of DarkSide, potentially meaning a greater chance the next victim will decide just to pay instead of causing trouble,” Kaspersky researcher Roman Dedenok said in a recent blog post.
Its previous targets reportedly include property group Brookfield, Discountcar.com, a Canadian subsidiary of car rental group Enterprise, and CompuCom, a US-based IT support provider owned by the parent company of Office Depot.
Arete, which provides incident response services to victims of cyber crime, has found that DarkSide most commonly targets professional services and manufacturing companies, with its ransom demands ranging between $3m and $10m, though the security news site Bleeping Computer has found evidence of smaller ransoms in the hundreds of thousands of dollars too.
In an email interview with security blog DataBreaches.net, a DarkSide representative calling themselves “DarkSupp” said that the outfit researched how much their target might be able to pay — for instance, by looking at their insurance coverage — before deciding how much ransom to demand.
“We only attack companies that can pay the requested amount,” DarkSide has said previously. “We do not want to kill your business.”
According to screenshots from one victim published by Bleeping Computer, DarkSide sends each target a clear list of instructions entitled “Welcome to Dark”. Specific details and samples of the stolen data are presented and victims are warned that these will be automatically published online for at least six months if they refuse to pay. This technique of both locking victims out of their systems and also threatening to embarrass them by making the stolen data public is known as “double extortion”.
The DarkSide hackers also try to reassure their victims that they will play by their own rules, saying: “We value our reputation. If we do not do our work and liabilities, nobody will pay us.” It even offers to provide technical support, “in case of problems” using the decryption tool that their victims receive when they pay up.
Ransomware attacks jumped 62 per cent last year, according to firewall developer SonicWall, including more than 200m hits in the US. That was partly driven by the pandemic, as businesses forced to flee the office grappled with the task of securing their remote employees, as well as the rise of bitcoin, through which many hackers demand payment. A recent survey by insurance group Hiscox found that more than half of those targeted by ransomware pay up.
Additional reporting by James Politi in Washington