What does the criminal group 'DarkSide', which launched a ransomware attack on an oil pipeline, actually do?

In recent years, the number of 'ransomware attacks', in which malware infects computers at companies and other organizations, restricts access to their systems and demands a ransom to lift the restriction, has been increasing rapidly. Experts explain what the criminal group 'DarkSide' does, following its ransomware attack on Colonial Pipeline, the largest pipeline operator in the United States, on May 9, 2021.

A Closer Look at the DarkSide Ransomware Gang – Krebs on Security

Shining a Light on DARKSIDE Ransomware Operations | FireEye Inc

DarkSide ransomware will now vet targets after pipeline cyberattack

On May 9, 2021, Colonial Pipeline, the largest oil transfer pipeline in the United States, announced that it had shut down due to a ransomware attack. The pipeline operated by Colonial Pipeline has a total length of about 5,500 miles (8851 km) and carries 45% of the gasoline and diesel fuel consumed on the east coast of the United States, so it was pointed out that the shutdown could have a major impact on the American oil industry and on citizens' daily lives. It was also reported that the attack was carried out by the cybercriminal group 'DarkSide'.

America's largest oil pipeline shuts down due to ransomware attack, Biden administration declares emergency - GIGAZINE

DarkSide is one of the platforms for 'Ransomware as a Service (RaaS)', a model in which ransomware code is provided to other criminal groups; it was launched on a Russian hacking forum in August 2020. You can find out more about RaaS in the following article.

The black market is growing to make a profit by providing ransomware as a 'service' to criminal groups - GIGAZINE

DarkSide is divided into two groups: the 'ransomware developers and administrators' and the 'hired attackers who deploy the ransomware'. If an attacker passes the interview, he is given access to a management panel, from which he can create ransomware builds, manage attack targets, contact support, and so on.

In a typical attack, the attacker uses the ransomware to compromise a company or other organization and then demands a ransom for two things: 'a digital key that decrypts the affected files or servers' and 'a promise to destroy the stolen data'. The developers/administrators handle the negotiation and accept the payment, and the attacker receives 70 to 80% of the ransom.

In addition to developing and providing the ransomware, DarkSide also operates a victim posting site that can be accessed via the anonymous communication network 'Tor'. Attackers can expose victims' names, stolen data and so on on this site to put pressure on them to pay the ransom. DarkSide has also said, 'We have pre-publication information on many companies trading on NASDAQ and other stock exchanges, and if a company refuses to pay the ransom, we can publish that information on the posting site and manipulate the stock price.'

In addition, since the beginning of 2021, DarkSide has added functions such as a 'call service' that lets attackers directly pressure victims to pay the ransom from the management panel, and a new DDoS attack option that can be launched whenever an attacker decides that additional pressure is needed. Under the heading 'Why Choose Us?', DarkSide wrote on its site, 'Victims are well aware that we download a lot of data and that paying the ransom gets them the decryption tool. They "deeply trust" us, so the percentage of victims who pay the ransom is very high and the negotiation time is negligible.'

DarkSide stipulates that only large companies may be targeted, and prohibits attacks on education, medical care, public and non-profit organizations, and on the Commonwealth of Independent States. The attack on Colonial Pipeline was a case of an attacker selecting the wrong target, and DarkSide said, 'We will review the target before allowing the attacker to attack.' DarkSide also said in a statement, 'We have nothing to do with politics and we are not involved in geopolitics, so there is no need to tie us to any government or look for a motive there. Our goal is to make money, and we do not cause problems for society.'

A group that carried out a cyber attack on an oil pipeline issued a statement that 'the purpose is to make money, not to cause problems for society' - GIGAZINE

Experts say, 'Unless something is done about RaaS, it will become more and more sophisticated.' Cybersecurity firm Coveware reported that the total amount paid for ransomware attacks in the third quarter of 2020 (July-September) was $233,817, a 31% increase from the second quarter (April-June). In 2020, about 2,400 US-based governments, schools, and medical facilities were affected.

In order to deal with such ransomware attacks, 19 companies including Microsoft and McAfee have united to form a countermeasure team. On April 29, 2021, it submitted an 81-page report to the Biden administration requesting that ransomware attacks be designated a national security threat.

in Security, Posted by log1p_kr