Are we witnessing the rise of ransomware as a service?
Over the course of this year, DarkSide, a group of Russian hackers, got the attention of the U.S. Department of State.
In May 2021, DarkSide was responsible for a ransomware attack on Colonial Pipeline, extorting $5M for not leaking data they had on the Pipeline’s network. This is considered to be one of the major ransomware attacks on the U.S. infrastructure to this date.
What we know about the DarkSide is that they:
- Operate as ransomware as a service (RaaS)
- Get their ransom in Bitcoin
- Are the subject of a $10M reward issued by the U.S. Department of State for information that would lead to finding the group’s leaders.
What makes RaaS concerning? Will the use of Bitcoin lead to DarkSide’s downfall?
How come the U.S. Department of State got involved in this case?
Let’s find out.
What makes ransomware as a service especially dangerous?
Ransomware as a service (RaaS) is a strain of ransomware attack that gives common people the tools to conduct cyber attacks.
Similar to other types of ransomware, the perpetrator uses malware to obtain access to a victim’s network. Once they gain access to sensitive data, they demand a ransom.
RaaS works as software that’s dubbed an affiliate, meaning users can buy it on underground forums and use it to create ransomware attacks.
What makes this dangerous?
You don’t have to be a hacker to extort companies with RaaS. Anyone, even people with little to no skill, can purchase an affiliate and target someone with a ransomware attack.
The Pipeline attack was the result of a ransomware-as-a-service attack. Someone purchased the affiliate and used it to attack the Pipeline.
This could be a sign that DarkSide is losing control over its services, or that they are getting the blame for an attack they aren’t responsible for. Namely, they claim that they aren’t political and that their ransomware attacks are exclusively for monetary purposes. In the past, DarkSide claimed that they don’t target governments, hospitals, and non-profit organizations.
Why does the DarkSide group want Bitcoin for ransomware?
The DarkSide group trades their services exclusively for Bitcoin. Over the years, Bitcoin has become a default currency for illegal activities.
Many people associate the popularity of cryptocurrencies such as Bitcoin with payment for illicit activities on the dark web. It’s thought of as an untraceable and anonymous form of payment.
In reality, Bitcoin transactions are transparent. According to Bitcoin’s official site:
“All Bitcoin transactions are public, traceable, and permanently stored in the Bitcoin network.”
This already allowed the FBI to seize $2.3 million worth of cryptocurrency back from DarkSide in June 2021.
It’s estimated that DarkSide already received $90 million worth of Bitcoin from its various victims (including the Pipeline).
Why is the reward issued by the U.S. Department of State so high?
As of November 2021, the U.S. Department of State stated that they offer $10 million for information that could identify the DarkSide leaders.
For the FBI, information is a currency more valuable than Bitcoin, but they reserve hefty rewards only for the major cases. The DarkSide group has been a part of several high-profile ransomware cases that occurred this year, but the FBI didn’t get involved until the Pipeline attack. This ransomware attack got the attention of the U.S. Department of State because it targeted one of the critical energy infrastructures in the U.S.
If they hadn’t attacked the pipeline, it’s likely the government wouldn’t be that focused on their activity. However, the DarkSide group are Russian cybercriminals who target their rivals, meaning mostly wealthy USA companies. Besides the Pipeline, they also targeted Brenntag (a German chemical distribution company) and Toshiba Tec Corp.
Russia doesn’t interfere with their activity because DarkSide doesn’t target Russian companies so as to avoid Russian law enforcement.
If the U.S. doesn’t use its resources to bring them to justice, it’s possible that no one else will.
RaaS democratizes cyber attacks
Ransomware attacks are dangerous and bring long-lasting harm to their targets – both their reputations and finances. That’s why victims usually get out their Bitcoin wallets and pay the demanded ransom.
Complying with hackers’ terms is a double-edged sword. Targets might regain access to their data and sweep the incident under the carpet. But by paying the ransom, they also financially empower groups or criminals and give them resources to attack other businesses and organizations.
RaaS attacks that fall into the wrong hands (if we can even claim that there are right people for being criminals) are especially dangerous because they democratize cyber attacks, giving anyone the means to demand ransom.
The heavy involvement of the U.S. Department of State in this case and the traceability of Bitcoin transactions are likely to bring DarkSide’s activity to an end and send a message to similar organizations that operate using RaaS. But then again, only time will tell.