DarkSide Affiliates Looking to Get Paid in Full

The attention that the ransomware attack on the Colonial Pipeline has drawn from law enforcement and security researchers has not been great for the operators of the DarkSide ransomware or other groups, causing some to shut down altogether and others to prohibit affiliates from attacking specific targets. The motivation for making these decisions is clear: to reduce some of the heat on cybercrime groups. But researchers say not to put too much faith in seemingly altruistic moves by criminals.

Both law enforcement and the security research community were well aware of the DarkSide ransomware operation long before the Colonial Pipeline attack. The group had not been very quiet about its activities, maintaining a public Tor site that listed victims, as many other groups do now. But the high-profile nature of the Colonial Pipeline attack in early May put the group in a different focus, drawing attention not just from the FBI, but from the White House, as well. That attention and subsequent actions against some of the DarkSide infrastructure, including takedowns of command-and-control servers, caused the operators to shut down the service. DarkSide, like many other ransomware schemes, operates as a ransomware-as-a-service setup, with the controllers of the actual ransomware recruiting affiliates on underground forums to deliver the malware and collect payments from victims. The affiliates are supposed to get 75 percent of ransoms up to $500,000 and 90 percent of higher ransoms.

But in the aftermath of the Colonial Pipeline attack, the DarkSide shutdown left some of its affiliates in the lurch, awaiting payments for services rendered that likely will never come. On the Russian-language underground forum XSS.is, an administrator is essentially hearing claims by spurned affiliates who say Darksupp, the alleged DarkSide operator, owes them money. Darksupp had apparently escrowed nearly $1 million in Bitcoin with the forum, and the administrator is soliciting claims from “plaintiffs” in a thread called People’s Court, asking people who feel they’re owed ransom percentages to submit proof.

“It’s a dispute resolution service and the admin will confirm some claims and deny others,” said John Hammond, a senior security researcher at Huntress Labs.

Whether the claims themselves or the dispute process are real is an open question, given that forum operators know that security researchers and law enforcement routinely monitor those sites. The same can be said for the legitimacy of ransomware operators’ public declarations of intent to shut down or limit their targeting.

“We've seen not just the fact that some ransomware or some forums are no longer allowing ransomware to be advertised, but we've also seen some ransomware-as-a-service offerings, prior to them being taken offline, state that they were going to kind of change the approval process for the victims that the ransomware would be deployed on. And that was kind of a code of conduct or like a code of ethics that some ransomware-as-a-service offerings already did have, for example, not targeting hospitals or government or nonprofit organizations or education organizations,” Kimberly Goody, cybercrime analyst at FireEye, said during a recent podcast interview with Decipher.

“And presumably the reason for that is that they want to decrease the likelihood that they are going to come across law enforcement's radar. I mean, the fact of the matter is, if you target a hospital versus some Fortune 500 corporation, law enforcement might care a little bit more.”

Hammond said it’s prudent to take any claims from ransomware operators with a grain of salt, especially in the wake of high-profile incidents. Cybercriminals are dishonest by nature, regardless of any protestations that it is just a business, so believing their self-serving public statements is likely to end in disappointment.

“I’m very much in the camp of thinking this is a temporary pull back. We’ve totally thrown a spotlight on ransomware-as-a-service and I have to think that in any of these groups, it’s not just one dude. It’s very likely a group or syndicate. They’ll change names and come back,” said Hammond.

“What’s to say that it’s not one person or a small group behind the twenty-eight or thirty ransomware groups? It’s become such an industry and they don’t care about the carnage they’re causing.”