The FBI says a group called DarkSide was behind the ransomware attack that forced Colonial Pipeline to shut down its operations last week. DarkSide is believed to have roots in Eastern Europe, possibly Russia, and is fairly new. But like a lot of these ransomware groups, it’s pretty PR-savvy. It’s got a mailing list, press releases and a hotline for victims.
It’s a topic for “Quality Assurance,” where we take a second look at a big tech story. I spoke with Brian Krebs, an investigative journalist for Krebs on Security. He wrote a story this week walking through a DarkSide negotiation with another recent victim who wanted reassurance that if they pay the ransom, the hackers will actually give them their data back and won’t sell it or share it with anyone. During the exchange the hacker says, basically: Ask around. The following is an edited transcript of our conversation.
Brian Krebs: Well, in general, ransomware groups need to maintain a reputation. And they try very hard to excel at things like customer service. And they do talk about their victims as customers, which is galling, but that’s the way they look at it. And they’re available 24/7 if you want to talk to them. If you pay them, they may even give you a report on how they broke in and what you need to do to fix your stuff.
Amy Scott: It’s so weird. On one hand, these are seemingly some of the least trustworthy people. But on the other hand, they’re kind of asking these “customers” to trust them: “We will do what we say.” How do they build that trust?
Krebs: Well, through a mix of coercion and threats. In practical terms, these contracts that they cobble together with the ransomware people, they’re not worth the pixels they’re displayed on. And I think a great many cases, the victims are kind of over a barrel. The bad guys are going, “Hey, we got all your data, and here, we’ll prove it. And we’ll publish it all if you don’t pay in the next 72 hours” or whatever. And if you decide not to pay in 72 hours, the ransom doubles. So there’s all these things designed to just overwhelm the victim and fill them with a sense of resignation.
Tinder’s relationship with AIJun 8, 2023
AI’s sense of humor is no laughing matterJun 7, 2023
Regulating generative AI will be challengingJun 6, 2023
Scott: So DarkSide has another reputation to consider, which is it runs on a franchise model, right? It’s recruiting other hackers to use this tool. And they want to be seen as effective, right?
Krebs: Yeah, within reason. So one of the interesting things about the response of the DarkSide group to this whole thing has been, I think they kind of felt maybe like they bit off a little more than they were willing to chew with [Colonial Pipeline]. You had President Biden actually talking about it in his executive order with the cybersecurity stuff, calling it out. I mean, I think that’s not for nothing, right? So these guys are probably like, “Ah, we might not have wanted to do this.” They put out a statement and said, “We’re apolitical, we don’t want to be in the middle of political fights between countries.” Yet, at the same time, their ransomware won’t install on any computers if it detects that you’re using a keyboard that’s in Russian or Ukrainian or about a dozen other languages. So they’re very aware of the geopolitical ramifications of this. And the reason they do that, that prohibition, is so that people in their own backyard aren’t getting hacked by their stuff, and they’re not having the local police coming after them. And that’s fascinating.
Scott: It’s interesting that they talk about their ethics — “We’re bad guys, but we’re not really bad guys. I mean, we’re not going to attack a nursing home.” How common is it for cybercriminals to kind of protect their brand in this way?
Krebs: So it’s very common for cybercriminal organizations to do things that tend to try to make them look better in the cybercriminal underground. And also, obviously, as a form of marketing. But they’re also saying, “Hey, we’re giving back. We’re not 100% greedy, we’re giving back.” So they’ll do things like donate to charities, they’ll donate to children’s funds and they’ll post proof of it. And it’s really about creating loyalty with other cybercriminals.
Related links: More insight from Amy Scott
Brian’s story has screenshots showing messages between DarkSide and an increasingly panicked victim of ransomware. The unnamed company eventually agreed to pay $12 million to recover its data and prevent it from being published. And that’s, of course, why hackers do this.
Though initial reports said Colonial Pipeline had no intention of paying a ransom in that attack, Bloomberg reports that the company, in fact, paid nearly $5 million. In exchange, Colonial received a decrypting tool that was apparently so slow that the company had to rely on its own backups to restore its system. The FBI, by the way, discourages victims from paying ransom, saying it only encourages more theft and there’s no guarantee you’ll get what you pay for.
In other words, you can’t trust them.