New research on the ransomware gang that attacked Colonial Pipeline shows how much money it extorted during a fairly short criminal spree: roughly $90 million in about seven months.
DarkSide, which recently announced it was leaving the ransomware business (at least for now), operated for less than a year but amassed a small fortune through attacks carried out via its "affiliate program," according to researchers at Elliptic, a blockchain analytics company that specializes in tracking criminals' cryptocurrency.
As a ransomware-as-a-service (RaaS) operator, DarkSide leased its malware to "affiliate" hackers, who then carried out attacks on targets and negotiated the ransoms. This business model, designed to split the profits between the "owners and partners" of the malware, successfully targeted dozens of victims, the majority "based in the United States," FireEye analysts wrote. In each case, the affiliates received the lion's share of successfully extracted ransom payments, while the DarkSide operators took a smaller cut.
Elliptic recently analyzed the wallet DarkSide used in the Colonial Pipeline extortion. It had only been active since March 4, yet it had received 57 payments from 21 separate wallets, totaling $17.5 million. At least one of those payments came from Colonial itself, which reportedly paid the hackers about $5 million in Bitcoin in exchange for a less-than-optimal decryption key.
In fact, DarkSide and its affiliates operated a network of 47 different wallets, each used to collect ransoms from multiple victims, Elliptic reported Tuesday. Once the money changed hands, it was frequently routed through cryptocurrency exchanges where it could be converted into fiat currency. In other cases it was sent to Hydra, a popular European darknet marketplace that offers "cash-out services," the Elliptic researchers write. In total, affiliates made $74.7 million from the attacks, while DarkSide, as the developer, made around $15.5 million.
"According to DarkTracer, 99 organizations were infected with the DarkSide malware – suggesting that around 47% of victims paid a ransom and the average payout was $1.9 million," writes Tom Robinson, co-founder of Elliptic.
The gang abruptly announced its early retirement last week, claiming that a law enforcement agency had seized some of its cryptocurrency and that much of its infrastructure had been taken offline. DarkSide further claimed it would shut down its affiliate program and go underground for the time being.
"There has been speculation that the bitcoins have been seized by the US government – if so, they have not seized most of the ransom payment from Colonial Pipeline," said Robinson of Elliptic, noting that the funds had been moved out of that wallet on May 9.
Researchers from Intel 471, the security firm that first spotted DarkSide's so-called "retirement plans," said it was impossible to tell whether the gang had actually suffered a seizure of its assets or was simply trying to cheat its affiliates out of their share of the loot.
"When law enforcement carries out these takedown actions, there is usually a press release or a notice posted on the website indicating that the work was carried out by the police," said an Intel 471 analyst. "We currently have no evidence to indicate that the wallet was hacked, nor anything to indicate that law enforcement was involved in the takedown of the website or the action on the wallet."
They added, "These ransomware operators are criminals, so it's hard to assume they'll stick to what they say. We believe DarkSide's announcement is meant to show that the operators aim to be quieter about their business to avoid the limelight."