Sophisticated Cybercrime: A Brief Case Study

August 10th, 2021

There’s a tendency in some circles to think of cybercrime as, if not unsophisticated, disorganized. Maybe it’s because of the movie Hackers, or maybe it’s because of news coverage, but many of us think of hackers as individual actors, rather than as groups of organized criminals.

We thought we’d dismantle that myth by continuing our coverage of DarkSide, the group that hacked Colonial Pipeline. In this brief study, we’ll investigate how sophisticated hacker groups like DarkSide operate, and why they’re so difficult to stop - even for powerful entities like the United States government.

Ransomware-as-a-service

Longtime followers of our blog will know all about software-as-a-service - but what about ransomware-as-a-service?

That’s what DarkSide offers. They develop the ransomware and the supporting infrastructure (payment portal, leak site, negotiation tools) and hand them to other criminals, their “affiliates”, who carry out the actual intrusions, in return for a share of the ransom. That share is reported to be on a sliding scale: roughly 25% for ransoms under $500,000 USD, dropping to around 10% for the largest ransoms.

If this is starting to sound like a business to you, you’re on the right track. It’s an illicit business, but make no mistake - it’s a business nonetheless. They screen and interview potential affiliates to make sure they’re the right match.

They have rules of engagement, so as not to harm their reputation with other potential affiliates. They both encrypt their victims’ data (the ransomware portion of the attack) and steal it beforehand, threatening to publish it on their DarkSide Leaks page if the ransom isn’t paid (so-called double extortion). So far, when the ransom has been paid, they have done as promised: they provide a decryptor and don’t leak the data.

In other words, they’re hackers who are looking for good PR. They know that if they reliably decrypt data and delete what they stole, future victims will be more likely to pay. And by being selective about which companies they target, they aim to stay under the radar of federal and other investigations.

We believe the group is based in Eastern Europe (probably Russia), and it appears to avoid any targets that would aggravate Russian authorities.

Why is ransomware-as-a-service growing in popularity?

It’s important to understand why DarkSide’s business model is so effective. When you look at the factors that allowed them to breach Colonial Pipeline, it becomes apparent that the company was low-hanging fruit: the attackers got in through a legacy VPN account that was not protected by two-factor authentication (2FA), and the company did not have properly implemented managed detection and response (MDR) to catch the intrusion early.

In other words, their security measures weren’t adequate. DarkSide and their affiliate realized they could make millions in ransom money without expending very much effort.

That’s one of the reasons it’s essential for all businesses to implement security measures. If you’re not using 2FA and MDR, or those measures aren’t properly implemented on your network, your business may be low-hanging fruit too. A practical check: list every way into your network from the outside (VPN, remote desktop, email, cloud admin consoles), confirm that each one requires 2FA for every account with no exceptions for old or “temporary” accounts, and disable any account nobody can vouch for. Whether the threat is ransomware-as-a-service or something else makes no difference. Hackers are like burglars: if there’s nobody home and the doors are unlocked, they’ll walk right in, regardless of how valuable they think what they’ll find might be.

Does DarkSide still exist?

DarkSide stated that, due to pressure from the U.S. Government, their affiliate program would shut down. That was in May 2021. Today, a new organization called Black Matter has appeared, and cybersecurity experts believe it is DarkSide operating under a new name.

DarkSide? Black Matter? They’re really leaning into the edgy-hacker theme.

These organizations are difficult to deal with because while you can take down their websites, seize their Bitcoin, and otherwise impede their operations, none of it matters if you can’t arrest the people behind them. The ransomware itself is just software; the operators can rebuild the infrastructure and rebrand in weeks. You have to stop it at the source, and the source is sitting in a jurisdiction that won’t extradite them.

Is your business likely to be targeted by a group like DarkSide/Black Matter? Probably not. But if this trend continues, we’ll see more ransomware-as-a-service being offered. And when groups appear who are willing to offer ransomware for lower stakes, any business can become a target.

Realistically, hackers simply want targets they can extort - even if your data isn’t valuable to them, it’s valuable to you, and that’s all they need to know. As criminal hacker organizations continue to develop in sophistication, so too must your security measures. Our IT company in Winnipeg can help you with that.