Darkside 2.0 is a ransomware network from the Russian-speaking Dark Web with a global network of affiliates targeting major corporations.
The intelligence and global cybersecurity community continue to track the situation regarding the Colonial Pipeline, one of the U.S. major oil pipelines affected by a cyberattack.
While the press is speculating about who is responsible for the attack, the FBI and cybersecurity professionals are working on incident containment, as the attack has already started to affect the domestic oil & gas market.
Just recently, Joe Biden commented that he does not suspect the Russian Government is involved in the Colonial cyberattack (for now), but that Russia bears a certain level of responsibility for this malicious activity, since the operators of Darkside 2.0 have obvious roots in that part of the world according to the information provided by the U.S. intelligence community (IC).
Kremlin spokesman Dmitry Peskov responded that Moscow has nothing to do with the incident with the Colonial Pipeline (Read: Peskov denies Russia’s involvement in the cyberattack on the Colonial Pipeline).
Darkside is present only on Russian-speaking underground forums, including Exploit and XSS. In their description, they typically state that they will ignore any English-speaking individuals, representatives of law enforcement, or any other suspicious actors having no credible reputation on the Dark Web.
Darkside has its own affiliate network. The first information about it was published on November 10, 2020. Around this time they were actively improving their ransomware, adding new features, supporting new platforms and operating systems.
Later, on March 9, 2021, the same actor behind Darkside (known as “darksupp“) created a separate topic on the Dark Web, naming it “Darkside 2.0 – Affiliate Network”.
Both topics are technically about the same project and managed by the same actor, but Darkside 2.0 has more advanced ransomware kits, and its feature set supports both Windows and Linux OS, as well as NAS drives (Synology, OMV).
Darkside 2.0 provides the following ransomware kits to its own affiliates for further distribution:
Windows (written in ASM, SALSA20 + RSA1024 encryption, I/O)
Linux (written in C++, CHACHA20 + RSA4096 encryption, multithreading, including Hyper-threading; the builds support ESXi 5.0+ and customized Linux OS builds)
Admin panel – written in AJAX, allowing affiliates to receive Bitcoin and Monero and to generate Windows/Linux builds for further distribution
Leak site – to publish stolen data (hack-and-leak), hosted on TOR
CDN system for file storage – space allocation, fast data upload
Based on information from Resecurity, a cybersecurity company from Los Angeles, the affiliate network of Darkside 2.0 may include not just Russian-speaking cybercriminals but also Chinese and Iranian ones; they supply access to various enterprise networks and compromised resources for further infection and extortion.
Darkside ransomware developers receive a 10-25% cut, and an affiliate gets 75-90% (based on a dynamic rate) of any ransom payments they generate. Darkside 2.0 has stated that it pays a 90% flat rate for the first 2 victims to motivate the affiliate to generate more business. The ransomware gang has deposited 23 BTC ($1.2M) on a hacker forum to show the credibility and seriousness of its business in the underground and to attract more affiliates.
It is important to note the specifics of the ransomware networks involved: the activity is not down to one actor (the actual operator) but to a large network of affiliates that could be based in different geographies.
“Today’s underground ransomware networks are heavily relying on initial access suppliers and typically it is not the same actors who are actually developing ransomware. Ransomware operators invite them to an affiliate network and pay them a commission for successfully hacked enterprise networks where they have deployed their ransomware. Later, such an affiliate will receive a payout from the network (Darkside 2.0). The key question is who is responsible for the intrusion before the actual Colonial infection,” – said Gene Yoo, CEO of Resecurity, Inc. “Darkside (as a group) are actively advancing their ransomware. For today, the latest known version, v.2.1, is written in ASM (Assembler) and has a compact size of 56KB which makes it ideal for delivery. The actors are working on a Powershell-based version which may confirm they have enough organizational and technical resources” – he added.
It is important to mention that in November 2020, during Darkside’s early ransomware activity, cybersecurity experts claimed the actors had created a distributed storage system in Iran to store and leak data stolen from victims (DarkSide ransomware’s Iranian hosting raises U.S. sanction concerns).
“Such servers in Iran and [other] countries will be harder to discover, block, and cease due to a lack of cooperation from local authorities,” says Victoria Kivilevich, threat intelligence analyst at Israel-based security firm KELA. (Ransomware Operator Promotes Distributed Storage for Stolen Data).
While there are many bulletproof hosting platforms in other countries, such a choice is one of the interesting aspects of Darkside operations outlined by experts.
Later, on April 13, 2021, Darkside downplayed those claims, saying that Iran is just one of the possible locations where they could store data stolen from victims. Highly likely, the operators understood that it may significantly decrease the volume of payments to them, as Iran is one of the OFAC-listed countries and potential victims may be limited in their opportunity to pay for unlocking.
U.S. law enforcement organizations, along with the U.S. Treasury, released guidance for victims of ransomware attacks to prevent any payments to threat actors located in OFAC-listed countries and to immediately contact the FBI and USSS. Unfortunately, in practice, not all enterprises follow these recommendations, as at the end of the day their business could be affected, and the time needed to return to normal operations plays a vital role. Ransomware operators have also started using this aspect as a method of extortion, giving a victim a certain amount of time for payment, which is typically extremely limited (4-5 days). In one of their recent announcements on the Dark Web, Darkside 2.0 stated that they are able to DDoS the victim for additional pressure.
Critical infrastructure is becoming one of the key targets in modern cyber warfare and the geopolitical game. One of the first world-known incidents in that field was Stuxnet, a malicious computer worm that was first uncovered in 2010 and is thought to have been in development since at least 2005. Stuxnet targeted supervisory control and data acquisition (SCADA) systems and is believed to be responsible for causing substantial damage to Iran’s nuclear program. In April 2021, a new cyberattack was conducted targeting Iran’s nuclear enrichment facility. It is not clear whether the recent incident with Colonial could be somehow connected to those events.
Cybercriminals are also following this lead and targeting industrial companies, first of all from a commercial perspective. By attacking such targets they may expect a bigger payout and monetize their malicious activity better.
Darkside 2.0 is not the first ransomware group to attack the industrial sector. Just recently, in March 2021, Royal Dutch Shell was attacked by the Clop ransomware gang as a result of exploitation of the Accellion FTA vulnerability, which has been widely used by attackers to target major enterprises globally.