The ransomware group linked to the extortion attempt that has disrupted fuel delivery on the U.S. East Coast may be new, but that does not mean its hackers are amateurs.
Exactly who is behind the disruptive intrusion into Colonial Pipeline has not been officially disclosed, and digital attribution can be tricky, especially at the start of an investigation. A former U.S. official and two industry sources have told Reuters that the group DarkSide is among the suspects.
Cybersecurity experts who have been tracking DarkSide said it appears to be made up of veteran cybercriminals who focus on making as much money as they can from their targets.
“They’re very new, but they’re very organized,” Lior Div, chief executive of security firm Cybereason, based in Boston, said Sunday.
“Looks like someone who’s been there has done this.”
DarkSide is one of an increasingly professional class of digital extortionists, with a mailing list, a press center, a hotline for victims and even a purported code of conduct intended to cast the group as reliable, albeit ruthless, business partners.
Experts like Div said DarkSide was probably made up of ransomware veterans: it came out of nowhere in the middle of last year and immediately unleashed a wave of digital crime.
“It’s like someone turned on the switch,” said Div, who noted that more than ten of his company’s customers have grappled with intrusion attempts by the group in recent months.
Ransomware works by encrypting a victim’s data; the hackers then typically offer the victim a decryption key in exchange for cryptocurrency payments that can reach hundreds of thousands or even millions of dollars. If the victim resists, hackers increasingly threaten to leak confidential data to pile on the pressure.
DarkSide’s website on the dark web alludes to the past crimes of its hackers, stating that they previously made millions through extortion and that the fact that their software is new “does not mean that we have no experience and that we came from nowhere.”
The site also features a Hall of Shame-style gallery of leaked data from victims who have not paid, advertising stolen documents from more than 80 companies in the United States and Europe.
Reuters was unable to immediately verify the group’s various claims, but one of the most recent victims on its list was Georgia-based carpet maker Dixie Group Inc., which publicly disclosed a digital extortion attempt that affected “parts of its information technology systems” last month.
A Dixie executive did not immediately return messages seeking further comment.
In some ways, DarkSide is hard to distinguish from the increasingly crowded field of Internet extortionists. Like many others, it appears to spare Russian-speaking, Kazakh-speaking and Ukrainian-speaking companies, suggesting a link to the former Soviet republics.
It also runs a public relations program, as others do, inviting journalists to inspect its trove of leaked data and touting anonymous donations to charity. Even its technical know-how is nothing special, according to Georgia Tech computer science student Chuong Dong, who posted an analysis of its code at http://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware.
According to Dong, the DarkSide code was “a fairly standard ransomware.”
Div said what sets them apart is the intelligence work they do in advance against their targets.
Usually, “they know who the manager is, they know who they’re talking to, they know where the money is, they know who makes the decision,” Div said.
In that regard, Div said the targeting of Colonial Pipeline, with its potentially massive consequences for Americans on the East Coast, could have been a miscalculation.
“It’s not good for business for them when the U.S. government gets involved, when the FBI …” “It’s the last thing they need,” he said.
As for DarkSide, which is not usually shy about issuing press releases and promises registered journalists “quick answers within 24 hours,” the group has remained unusually silent.
The reason is unclear. Requests for comment that Reuters left through its main site and press center have gone unanswered.