The DarkSide ransomware that infected the IT network of the Colonial Pipeline Company last week has not been on the scene for even a year yet, but in that time it has grown into one of the premiere ransomware-as-a-service threats, with an affiliate network comprising several distinct threat actors and a streamlined, professional backend infrastructure to provide custom malware, support, and payment assistance. Although DarkSide had stayed out of the public eye until recently, the attack on Colonial Pipeline has brought unwanted attention from law enforcement and the U.S. government, attention that will likely be quite bad for business.
The attack on Colonial Pipeline, which controls and distributes the lion’s share of fuel in the southeast and mid-Atlantic, hit the company’s IT infrastructure on Friday, but the staff was able to disconnect affected systems before the ransomware could spread to its operational technology (OT) network. That quick action likely prevented a much more damaging incident, though it also necessitated the shutdown of the fuel pipeline for precautionary reasons. Some of the feeder lines have come back online, and Biden administration officials said Tuesday that the company is planning to make a decision by the end of the day Wednesday on whether to restart the mainlines. The FBI is heading the investigation into the attack, and President Joe Biden said Monday that he plans to put more pressure on ransomware actors, both domestically and internationally.
“The FBI is engaged to assess and address this attack. It’s a criminal act, obviously. My administration takes this very seriously. We have efforts underway with the FBI and Department of Justice to disrupt and prosecute ransomware criminals. My admin will be pursuing a global effort of ransomware attacks by transnational criminals, who often use global money laundering networks to carry them out,” Biden said.
The Department of Justice has indicted a number of alleged ransomware actors in recent years, including some in North Korea and Russia, and the federal government has also taken down some of the payment and technical infrastructure used by ransomware operators. But most of those moves have had little effect, as the people involved are foreign nationals and are unlikely to actually be prosecuted in the U.S. The Department of the Treasury has sanctioned people and groups associated with ransomware operations, as well, putting financial pressure on them.
Ransomware operations are optimized to make money, and to do so as quickly and efficiently as possible. Intense public attention on their actions is generally suboptimal, and the Colonial Pipeline incident has dragged the DarkSide operation out into the light for all to see.
“There has been a refined focus for many parts of the U.S. government to track this down. There is always the question of what does the pointy end of the spear look like when you’re dealing with actors most likely from a country that protects them,” said James Shank, senior security evangelist and architect at Team Cymru, a threat intelligence firm.
“There are a lot of good signs that I see from how the U.S. is responding. It’s very clear the White House is engaged.”
Researchers have been following DarkSide since it first emerged in August 2020 and then began studying it more closely when the affiliate program launched three months later via an advertisement from an actor known as “darksupp” on an underground forum. Partners who join the affiliate network keep 25 percent of their ransom earnings for any payments less than $500,000, with the fees decreasing as the ransom increases, according to a detailed new report on DarkSide by FireEye Mandiant, which has investigated many DarkSide incidents.
“In addition to providing builds of DARKSIDE ransomware, the operators of this service also maintain a blog accessible via TOR. The actors use this site to publicize victims in an attempt to pressure these organizations into paying for the non-release of stolen data. A recent update to their underground forum advertisement also indicates that actors may attempt to DDoS victim organizations,” the report says.
“DARKSIDE RaaS affiliates are required to pass an interview after which they are provided access to an administration panel. Within this panel, affiliates can perform various actions such as creating a ransomware build, specifying content for the DARKSIDE blog, managing victims, and contacting support.”
The RaaS model that the DarkSide creators have honed and refined has been in use for several years and has proven to be very profitable for many ransomware developers. It’s a simple idea at its core: A developer (or team of developers) creates a new strain of ransomware, and then rents it out to partners or affiliates who deploy it against target organizations. The affiliates then pay the developers a certain percentage of whatever ransoms they collect and move on to the next target. Other ransomware variants that have employed this model include REvil and Babuk, and some of the threat actors that have been known to deploy DarkSide have also used one or the other of those variants. Researchers at Flashpoint said there is likely some direct connection between REvil and DarkSide.
“The design of the ransom note, wallpaper, file encryption extension and details, and inner workings bear similarities to REvil ransomware, which is of Russian origin and has an extensive affiliate program. This shows the evolution path of this ransomware and ties it to other Russian-origin ransomware families,” an analysis by Flashpoint published Tuesday says.
Like other RaaS operations, DarkSide is not just one group but has several separate components. The threat actors deploying it use a variety of techniques and tools in their intrusions, including several different initial access methods. While phishing remains a popular method, groups deploying DarkSide also have used password spraying against VPNs, and at least one group used an exploit for a vulnerability in the SonicWall SSL VPN that was a zero day at the time, according to Mandiant’s research. DarkSide operators are supposed to be prohibited by the developers from targeting organizations such as hospitals, government agencies, and schools, likely as a way to avoid attracting attention. Colonial Pipeline doesn’t fall into any of those specific categories, but critical infrastructure attacks do tend to draw attention, and given the level of preparation and care involved in most DarkSide operations, it may have been a mistake, if not an accident.
“It might be true that this was accidental and they didn’t anticipate this was going to rise to the level of the White House having press briefings on it. This is going to shine an uncomfortable light on them,” Shank said.
“But it’s difficult to think it was completely unwitting. They get a feel for their target and how much they can pay. I don’t necessarily think it was a total surprise.”