The hacker group blamed for this weekend’s ransomware attack on the Colonial oil pipeline insisted it only wanted to make money and regretted “creating problems for society”.
In a statement released Monday, the criminal group known as DarkSide said it was “apolitical” and attempted to blame the attack on “partners” who had used its ransomware technology.
The FBI on Monday named DarkSide as the perpetrator of the huge hack that took a key US oil pipeline offline for three days, threatening to drive up fuel prices and forcing the US government to invoke emergency powers to keep supplies flowing.
“FBI confirms DarkSide ransomware is responsible for compromising Colonial Pipeline networks,” the agency said in a statement. “We are continuing to work with the company and our government partners on the investigation.”
Ransomware attacks involve hackers taking control of an organization’s data or software systems, locking the owners out using encryption until a payment is made.
“Our goal is to make money and not create problems for the company,” DarkSide said, adding that it “would check every business our partners want to cost to avoid social consequences in the future.”
DarkSide emerged as one of the leading ransomware groups last August and is reportedly run from Russia by an experienced team of online criminals. Silicon Valley-based cybersecurity company CrowdStrike traced DarkSide’s origins to the criminal hacking group known as Carbon Spider, which “fundamentally overhauled their operations” last year to focus on the fast-growing ransomware market.
“We’re a new product on the market, but that doesn’t mean we don’t have any experience and we came out of nowhere,” DarkSide said previously.
Brett Callow, analyst at cybersecurity group Emsisoft, said: “DarkSide doesn’t eat in Russia. It checks the language used by the system and, if it is Russian, it exits without encryption.”
He added that the group was renting out its services on the dark web. “DarkSide is a ransomware as a service. I’m assuming the attack on Colonial was carried out by an affiliate and the group is concerned about the level of attention it has received.”
In a sign of how ransomware has become a professionalized industry, DarkSide runs its own “press office” and claims to take an ethical approach in choosing its targets. DarkSide’s website claims that “on the basis of our principles” it will not attack medical institutions such as hospitals, nursing homes and vaccine developers; funeral service providers; schools and universities; or non-profit and government organizations.
This contrasts with the rest of the ransomware industry, for which healthcare providers and the public sector are among the biggest targets. Colonial Pipeline is a private company owned by investors, including Shell, KKR and Koch Capital.
Computer security firm Kaspersky said DarkSide aims to “generate as much buzz online as possible.”
“More media attention could lead to a more widespread fear of DarkSide, which potentially means a greater chance that the next victim will decide to just pay instead of causing trouble,” said Roman Dedenok, researcher at Kaspersky, in a recent blog post.
Its previous targets reportedly include the Brookfield real estate group, Discountcar.com, a Canadian subsidiary of the Enterprise car rental group, and CompuCom, a US-based IT support provider owned by parent company Office Depot.
Arete, which provides incident response services to victims of cybercrime, found that DarkSide most commonly targets professional services and manufacturing companies, with its ransom demands ranging between $3 million and $10 million, although the security news site Bleeping Computer found evidence of ransoms of several hundred thousand dollars as well.
In an email interview with the security blog DataBreaches.net, a DarkSide representative calling themselves “DarkSupp” said the group researched how much a target might be able to pay – for example, by reviewing its insurance coverage – before deciding how much ransom to demand.
“We only attack companies that can pay the requested amount,” DarkSide said previously. “We don’t want to kill your business.”
Based on screenshots of a victim posted by Bleeping Computer, DarkSide sends each target a clear list of instructions titled “Welcome to Dark”. Specific details and samples of the stolen data are presented, and victims are warned that the data will automatically be posted online for at least six months if they refuse to pay. This technique of both locking victims out of their systems and threatening to embarrass them by making the stolen data public is known as “double extortion”.
DarkSide hackers also try to reassure their victims that they will play by their own rules, saying, “We value our reputation. If we don’t do our job and our responsibilities, no one will pay us.” The group even offers to provide technical support, “in case of problems”, for the decryption tool that victims receive when they pay.
Ransomware attacks jumped 62% last year, says firewall developer SonicWall, including over 200 million hits in the United States. This was in part due to the pandemic, as companies forced out of the office grappled with the task of securing their remote workers, as well as the rise of bitcoin, through which many hackers demand payment. A recent survey by insurance group Hiscox found that more than half of those targeted by ransomware were paying.
Additional reporting by James Politi in Washington