
DarkSide ransomware model adds corporate veneer to cybercrime

Colonial Pipeline hack highlights evolution of data extortion

PALO ALTO, U.S. -- The recent ransomware attack on a major U.S. fuel pipeline was enabled by an organization offering the hacking equivalent of "software as a service."

The group, known as DarkSide, specializes in developing tools provided to outside partners that actually carry out attacks -- a model dubbed "ransomware as a service." It has given itself many of the trappings of a legitimate business, down to providing a support phone number for victims.

"Our goal is to make money and not creating problems for society," the group said in a statement Monday on the Colonial Pipeline hack.

"We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined goverment [sic] and look for other ... motives," the post said, alluding to speculation that the group has ties to state actors such as former Soviet bloc countries.

DarkSide is a relative newcomer to the scene, whose ransomware made its first confirmed appearance last August, according to Boston-based cybersecurity company Cybereason. The code not only encrypts data on the targeted system -- rendering it inaccessible to users -- but also sends it to the attacker, who can threaten to release it publicly for added leverage.

"The hacker behind [ransomware as a service] has usually established a sizable botnet which includes a large number of compromised computers, called bots, under the command of the hacker," said Chin-Tser Huang, a professor of computer science at the University of South Carolina and an expert on information security.

"The hacker can rent its bots to interested criminals to launch a large-scale attack on the target companies to maximize the damage and increase the chance of getting the ransom," Huang said.

DarkSide and other ransomware providers make powerful and potentially lucrative malware available to people without the in-depth technical knowledge needed to write their own code.

Clifford Neuman, associate professor of computer science practice at the University of Southern California, likened this to the older dynamic between malware developers and the "script kiddies" who would acquire their tools for attacks on targets of opportunity.

"'Ransomware as a service' is the next step in this progression, allowing the developers of the tools to obtain an ongoing revenue stream, while aiding and abetting the criminal activities of the so-called partners," Neuman said.

Anne Neuberger, deputy national security adviser for cyber and emerging technologies, addresses the Colonial Pipeline outage at a White House briefing. © Reuters

DarkSide ransomware has been used against victims in English-speaking countries, but the group appears to avoid attacks in former Soviet states by screening based on language, according to Cybereason. It has published stolen data from more than 40 victims on its website. Ransom demands typically range from $200,000 to $2 million.

DarkSide has said it limits its targets to major companies, while barring attacks on hospitals, schools and nonprofit organizations. The group has set up a help desk to facilitate negotiations with victims, and says it donates part of its proceeds to charitable causes, apparently seeking to create a veneer of legitimacy.

Monday's statement signaled regret over the disruption to a major fuel artery, which runs from Texas to New York and provides energy needs for much of the East Coast. "From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future," the group said.

Yet its tools are growing more sophisticated. The group recently announced the release of DarkSide 2.0, featuring even faster encryption capabilities.

Anne Neuberger, deputy national security adviser for cyber and emerging technologies, expressed concern about the DarkSide ransomware in a news conference Monday.

"It's a new and very troubling variant where it's essentially provided as a service and the proceeds are split" between the perpetrators and developers, she said.

As the emergence of groups like DarkSide promotes broader use of ransomware as a tactic, payments to ransomware cryptocurrency accounts more than quadrupled last year to $350 million, according to data from blockchain analysis company Chainalysis.

Research firm Gartner estimates that spending on information security will grow by an average of 8.7% per year from 2020 to 2025 to $213.7 billion as businesses scramble to bolster their cybercrime defenses, continuing the game of whack-a-mole between hackers and their targets.
