Weeks before the cybergang known as DarkSide attacked a major U.S. pipeline owner, disrupting gasoline and jet fuel delivery across the nation’s east coast, the group was pressuring a small, family-owned publisher in the Midwest.
Working with a hacker who went by the name Woris, DarkSide launched a series of attacks aimed at knocking the publisher’s websites offline if it did not pay a ransom of US$1.75 million. The publisher works primarily with primary-education clients.
The group even threatened to contact the company’s customers and falsely report that it had obtained information that, the gang said, could be used by pedophiles to fabricate fake ID cards to enter schools. Woris found this last plot particularly interesting. “Laughed in his heart at the leaked IDs used by pedophiles,” he said in Russian during a private conversation with DarkSide obtained by The New York Times. “I didn’t think it would scare them that much.”
DarkSide’s attack on the owner of the Colonial Pipeline, based in Georgia, not only projected the gang onto the international stage, but also shed light on a growing criminal industry, based primarily in Russia, that has evolved from the technical craft of breaking into sophisticated computer systems into an assembly-line business. Today, even small groups and hackers with limited technical skills can pose a threat to national security.
Previously, criminals had to play mind games to convince people to hand over bank passwords and needed the know-how to extract money from secured personal accounts. Now virtually anyone can obtain “ransomware” (extortion software) and load it onto a compromised computer system with the help of YouTube tutorials or groups like DarkSide.
“Any idiot can be a cybercriminal today,” says Sergei Pavlovich, who spent ten years in prison in his native Belarus for Internet crimes. “The intellectual barrier to entry was very low.”
A look at DarkSide’s private communications in the months leading up to the Colonial Pipeline attack reveals a criminal operation on the rise, extracting millions of dollars in ransom every month. DarkSide offers what is called “ransomware as a service”, in which a malware developer charges so-called affiliates like Woris, who may not have the skills to create ransomware themselves but are capable of hacking into a victim’s computer system.
DarkSide’s services include technical support for hackers, negotiating with targets such as the publisher, processing payments, and creating bespoke pressure campaigns through blackmail and other means, such as secondary attacks to cripple websites.
DarkSide’s cut worked on a sliding scale: 25% of any ransom under $500,000 (R$2.6 million), falling to 10% of ransoms over $5 million (R$26.1 million), according to the computer security company FireEye.
Like any startup, DarkSide has apparently had to deal with growing pains. In a conversation with a member of the group’s customer support, Woris complained that the ransomware platform was difficult to use, costing him time and money while he worked with DarkSide to extort money from the American publisher. “I don’t understand how to do business on your platform,” he complained in a dialogue in March. “We’re wasting a lot of time. And there are other things to do. I understand that you don’t care. If it’s not us, the others will give you money. It’s the quantity, not the quality.”
The New York Times had access to the internal “control panel” that DarkSide clients used to organize and carry out extortion. The information was provided by a criminal through an intermediary. The newspaper is withholding the name of the company involved in the attack to avoid retaliation from hackers.
Access to the DarkSide dashboard offered extraordinary insight into the workings of a Russian-speaking gang that has become the face of global cybercrime. Designed in black and white, the dashboard provides access to DarkSide’s list of victims, as well as a real-time profit tracker and a customer support channel through which affiliates could work out strategies for pressuring victims.
The panel was still operating on May 20 when a reporter logged in, although DarkSide had released a statement a week earlier saying it was shutting down. A customer service employee responded almost immediately to a chat request the journalist sent from Woris’s account. But when the journalist identified himself as such, the account was immediately blocked.
Even before the Colonial Pipeline attack, DarkSide’s business was booming. According to cybersecurity firm Elliptic, which has studied DarkSide’s bitcoin wallets, the gang has received around $15.5 million (R$81 million) in bitcoin since October 2020, with an additional $75 million (R$391 million) going to affiliates. The high profits of such a young criminal gang – DarkSide was founded last August, according to researchers in the computer security industry – underline how much the Russian-speaking underworld has proliferated in recent years.
This growth was made possible by the rise of cryptocurrencies such as bitcoin, which made the need for “mules” to transport traditional money, which sometimes had to be smuggled across physical borders, virtually obsolete. Within a few years, according to cybersecurity experts, ransomware has become a highly organized and compartmentalized business.
There are hackers who break into computer systems and others whose job it is to take control of them. There are experts in technical support and in money laundering. Many criminal gangs even have official spokespersons who communicate with the media and other contacts.
In many ways, the organizational structure of the Russian ransomware industry mimics franchises like McDonald’s or Hertz, which lower barriers to entry and allow easy duplication of proven business practices and techniques. Access to the DarkSide control panel was all that was needed to start a business as a gang affiliate and, if one wanted, to download a working version of the ransomware used in the Colonial Pipeline attack.
The New York Times did not acquire this software, but the publisher offered a glimpse of what it is like to be the victim of a DarkSide attack. The first thing the victim sees on the screen is a letter demanding a ransom, with instructions and veiled threats. “Welcome to DarkSide,” the letter reads, before explaining that the victim’s computers and servers have been encrypted and all backups have been deleted.
To decrypt the information, victims are directed to a website where they must enter a special password. The letter makes it clear that they can contact a technical support team if there is a problem. “!!! DANGER !!! DO NOT MODIFY or try to RECOVER the files yourself,” the letter read. “WE CANNOT RESTORE THEM!”
DarkSide’s software not only locks down victims’ computer systems, it also steals proprietary data, allowing affiliates to demand payment both to unlock the system and to refrain from disclosing sensitive company information. In the conversation seen by the newspaper, a DarkSide customer service employee bragged to Woris about his involvement in more than 300 extortion attacks and tried to reassure him. “We are as interested in the income as you are,” said the manager.
Together, they drew up a plan to put pressure on the publisher, a nearly century-old family business with a few hundred employees. The ransom negotiations with DarkSide lasted 22 days and were conducted via email or the gang’s blog with one or more hackers who spoke poor English, the company’s spokesperson said. Negotiations began in March, and the publisher refused to pay the ransom of US$1.75 million (R$9.14 million). DarkSide, it seems, was furious and threatened to leak news of the extortion attack to the media.
“Ignoring this is a really bad strategy for you guys. You don’t have a lot of time,” DarkSide wrote in an email. “After two days, we’ll release your blog to the public and send this news to the mainstream media. And everyone will see your catastrophic data breach.”
Despite the strong-arm tactics, DarkSide had a moral code of sorts. In a list of rules posted on the panel, the group said any attack on educational, medical or government targets was prohibited.
Another important rule adopted by DarkSide, along with most other Russian cybercrime groups, highlights a reality of cybercrime in the modern age: anyone living in the Commonwealth of Independent States, an association of former Soviet republics, is immune from attack.
Cybersecurity experts say the “do not work on .ru” rule, a reference to the Russian national domain suffix, has become standard practice among the Russian-speaking hacker community to avoid entanglements with the country’s police. Russian authorities have made it clear that they will rarely prosecute cybercriminals for ransomware attacks and other cybercrimes committed outside Russia.
As a result, Russia has become a global hub for such attacks, experts say. Cybersecurity firm Recorded Future tracks around 25 ransomware groups, of which around 15 – including the top five – are believed to be headquartered in Russia or elsewhere in the former Soviet Union, company intelligence expert Dmitry Smilianets said.
This month, DarkSide’s support team tried to explain outages in parts of its system, which the group attributed, without evidence, to American pressure. In a post from May 8, the day after the Colonial Pipeline attack became public, the DarkSide team seemed to expect some sympathy from its affiliates.
“Now there is the option to tip support on ‘payments’,” the post read. “It’s optional, but support will be happy :).” Days after the FBI publicly identified DarkSide as the culprit, Woris, who still had not received payment from the publisher, turned to customer service, apparently concerned. “Hello, how are you?” he wrote. “They took them the wrong way.”
This was the last communication Woris had with DarkSide. A few days later, a message appeared on the control panel stating that the group was not shutting down exactly, as it had said before, but was selling its information so that other hackers could get into the lucrative business of ransomware.
“The price is negotiable,” DarkSide wrote. “With a similar partnership program, it is possible to generate profits of US$5 million (R$26.1 million) per month.”