Complete with charity donations, an affiliate program and press releases
Ransomware is certainly not new: it is a cyber attack that encrypts the data of the affected users and forces them to pay a ransom in exchange for having that data “released”. In recent years the attacks have taken on a “double” form: in addition to the blackmail for unlocking, a payment is also demanded so that a copy of the data is not published online or sold to competing companies.
In 2020 alone this market generated over 18 million in revenue from ransoms paid, helped by the increase in remote work, which led users to rely on devices not always properly controlled by their companies, and by the wide use of remote computer management systems, one of the entry points most often used to start attacks.
The case of the Colonial Pipeline, the largest pipeline in the United States, recently became famous: the company paid (by its own admission) 4.4 million dollars in bitcoin as ransom after hackers blocked the computers that managed the fuel, causing a blockage and temporarily increasing the cost of fuel in the country (enough to lead the government to issue a declaration of emergency in 18 states).
In this specific case the ransomware was Darkside. It is a RaaS, or Ransomware as a Service: it is essentially sold as a service to third parties, who then carry out the attacks directly. Those who manage Darkside require a share of between 10 and 25% of the proceeds of any ransom paid. But Darkside isn't just the name of the software: it is also the name of the entire organization behind it, structured just like one of the companies that are then hit by these attacks.
Darkside, which obviously operates only on the darknet, issues press releases and provides the companies that buy its services with software updates over time, as well as assistance via a support chat.
FireEye also shows us an image of the affiliate panel (which can only be accessed after approval by Darkside following some interviews). New affiliates are often won over with promotions, just like those for the purchase of a smartphone or a toy.
As absurd as it may seem, however, Darkside has moral principles that guide its actions. As Emsisoft points out, there is a list of categories against which it is forbidden to use the ransomware:
- Hospitals
- Nursing homes
- Private clinics
- Companies that develop the Covid-19 vaccine or participate in its distribution
- Morgues
- Crematoriums
- Schools
- Universities
- Municipalities and state bodies
- Non-profit organizations
Darkside doesn't want to annoy those who are probably its neighbors. When the ransomware is launched on a device set to certain languages, it takes no action. What are these languages?
- Russian
- Ukrainian
- Belarusian
- Tajik
- Armenian – Armenia
- Azerbaijani (Latin)
- Georgian
- Kazakh
- Kyrgyz (Cyrillic)
- Turkmen
- Uzbek (Latin)
- Tatar
- Romanian – Moldovan
- Russian – Moldovan
- Azerbaijani (Cyrillic)
- Uzbek (Cyrillic)
- Arabic – Syria
And like all great companies, Darkside also makes donations. In October 2020, it announced that it had donated $10,000 in bitcoin to Children International and The Water Project. In their blog post they made it known that “no matter how bad you think about us, we are happy to help change someone's life”. Since receiving funds that come from illicit actions is illegal, it is very likely that these donations have been refused or refunded.