DarkSide Ransomware Affiliate Entities Traced by Security Researchers

The recent cyberattack on Colonial Pipeline caused major commotion in the United States and prompted the involvement of the FBI, among other government agencies and cybersecurity companies. While Colonial and the security team it brought on board were still scrambling to restore pipeline operations and get fuel flowing toward the East Coast again, other security experts have been examining DarkSide and its affiliated threat actors.

DarkSide is a threat actor that usually puts on noble airs and has even donated some of its ransom proceeds to charity. Despite the Robin Hood cape DarkSide wants to wear, the group's goals are anything but noble. DarkSide operates under a model common in the shady world of malware called "ransomware as a service", or RaaS for short. Under this model, the top-level entity, in this case DarkSide, licenses its ransomware toolkit to third parties.

In this way, a number of affiliates do the heavy lifting of distributing the ransomware and finding infiltration points and attack vectors. Once a victim has been infected, if it decides to pay, the affiliates who carried out the attack split the ransom with DarkSide.

Following common, legitimate business practices, DarkSide also appears to take a smaller cut the larger the ransom payout. ZDNet reports a 25% cut going into DarkSide's pockets for smaller affiliate jobs; the authors' share shrinks to just 10% when the ransom payment exceeds $5 million.

According to security experts at FireEye, DarkSide even conducts recruitment interviews before agreeing to take on a prospective hacker as a licensee. If the interview succeeds, the aspiring cybercriminal is given access to a personal control panel, which they can use to customize their payload, manage victim and payout information, and contact DarkSide for support with using the ransomware.

FireEye has identified five separate entities or groups of threat actors that all appear to be linked to DarkSide and are very likely ransomware licensees. Three of the groups were examined in more detail and given the code names UNC2628, UNC2659 and UNC2465, respectively.

The earliest activity of one of the groups dates back to April of last year. Each group takes a slightly different approach to infiltration and to the exploits and vulnerabilities it uses to gain access to victim networks.

UNC2628 is known for abusing stolen VPN credentials to gain access and generally spends very little time probing the network before moving to encryption.

UNC2659 abused a now-patched vulnerability in a VPN service used by remote workers. This group also appears to steal files before deploying the ransomware, likely so it can further threaten to leak the data online if its demands are not met.

UNC2465 uses phishing and a backdoor named Smokedham. Unlike the other two groups, FireEye has evidence that this group gained access to a compromised network several months before starting encryption and deploying the actual ransomware.

The general consensus among researchers is that the groups operating these ever-evolving ransomware strains will only continue to improve their methods and tools.

May 13 Update:

It turns out that, contrary to earlier reports that Colonial Pipeline had no intention of paying the DarkSide group any ransom, the fuel supplier appears to have been forced to play along and pay a massive ransom of nearly $5 million.

Bloomberg quoted two sources who claimed to have information on the transaction. It also turns out that the payment was made "within hours" of the ransomware hitting Colonial. This only goes to show the incredible potential damage the company faced and the immense pressure to keep the tap open and fuel flowing toward the American East Coast.

Bloomberg further cites a third source who stated that the US government has been made fully aware of the payment.

Disturbingly, it appears that even after the untraceable cryptocurrency payment went through and the attackers sent a working decryption tool to Colonial, the tool turned out to be so slow at unscrambling files that the company kept using its own backups to restore systems to working order.

Fuel supply and normal pipeline operations were restored on Wednesday, May 12, around 5 p.m. ET.

May 12, 2021