Secret Chats Show How Cybergang Became a Ransomware Powerhouse

MOSCOW — Just weeks before the ransomware gang known as DarkSide attacked the owner of a major American pipeline, disrupting gasoline and jet fuel deliveries up and down the East Coast of the United States, the group was turning the screws on a small, family-owned publisher based in the American Midwest.

Working with a hacker who went by the name of Woris, DarkSide launched a series of attacks meant to shut down the websites of the publisher, which works mainly with clients in primary school education, if it refused to meet a $1.75 million ransom demand. It even threatened to contact the company’s clients to falsely warn them that it had obtained information the gang said could be used by pedophiles to make fake identification cards that would allow them to enter schools.

Woris thought this last ploy was a particularly nice touch.

“I laughed to the depth of my soul about the leaked IDs possibly being used by pedophiles to enter the school,” he said in Russian in a secret chat with DarkSide obtained by The New York Times. “I didn’t think it would scare them that much.”

DarkSide’s attack on the pipeline owner, Georgia-based Colonial Pipeline, did not just thrust the gang onto the international stage. It also cast a spotlight on a rapidly expanding criminal industry based primarily in Russia that has morphed from a specialty demanding highly sophisticated hacking skills into a conveyor-belt-like process. Now, even small-time criminal syndicates and hackers with mediocre computer capabilities can pose a potential national security threat.

Where once criminals had to play psychological games to trick people into handing over bank passwords and have the technical know-how to siphon money out of secure personal accounts, now virtually anyone can obtain ransomware off the shelf and load it into a compromised computer system using tricks picked up from YouTube tutorials or with the help of groups like DarkSide.

“Any doofus can be a cybercriminal now,” said Sergei A. Pavlovich, a former hacker who served 10 years in prison in his native Belarus for cybercrimes. “The intellectual barrier to entry has gotten extremely low.”

A glimpse into DarkSide’s secret communications in the months leading up to the Colonial Pipeline attack reveals a criminal operation on the rise, pulling in millions of dollars in ransom payments each month.

DarkSide offers what is known as “ransomware as a service,” in which a malware developer charges a user fee to so-called affiliates like Woris, who may not have the technical skills to actually create ransomware but are still capable of breaking into a victim’s computer systems.

DarkSide’s services include providing technical support for hackers, negotiating with targets like the publishing company, processing payments, and devising tailored pressure campaigns through blackmail and other means, such as secondary hacks to crash websites. DarkSide’s user fees operated on a sliding scale: 25 percent for any ransoms less than $500,000 down to 10 percent for ransoms over $5 million, according to the computer security firm FireEye.

As a start-up operation, DarkSide had to contend with growing pains, it appears. In the chat with someone from the group’s customer support, Woris complained that the gang’s ransomware platform was difficult to use, costing him time and money as he worked with DarkSide to extort cash from the American publishing company.

“I don’t even understand how to conduct business on your platform,” he complained in an exchange sometime in March. “We’re spending so much time when there are things to do. I understand that you don’t give a crap. If not us, others will bring you payment. It’s quantity not quality.”

The Times gained access to the internal “dashboard” that DarkSide customers used to organize and carry out ransom attacks. The login information was provided to The Times by a cybercriminal through an intermediary. The Times is withholding the name of the company involved in the attack to avoid additional reprisals from the hackers.

Access to the DarkSide dashboard offered an extraordinary glimpse into the internal workings of a Russian-speaking gang that has become the face of global cybercrime. Cast in stark black and white, the dashboard gave users access to DarkSide’s list of targets as well as a running ticker of profits and a connection to the group’s customer support staff, with whom affiliates could craft strategies for squeezing their victims.

The dashboard was still operational as of May 20, when a Times reporter logged in, even though DarkSide had released a statement a week earlier saying it was shutting down. A customer support employee responded almost immediately to a chat request sent from Woris’s account by the Times reporter. But when the reporter identified himself as a journalist the account was immediately blocked.

Even before the attack on Colonial Pipeline, DarkSide’s business was booming. According to the cybersecurity firm Elliptic, which has studied DarkSide’s Bitcoin wallets, the gang has received about $15.5 million in Bitcoin since October 2020, with another $75 million going to affiliates.

The serious profits for such a young criminal gang — DarkSide was established only last August, according to computer security researchers — underscore how the Russian-language cybercriminal underground has mushroomed in recent years. That growth has been abetted by the rise of cryptocurrencies like Bitcoin that have made the need for old-school money mules, who sometimes had to smuggle cash across borders physically, practically obsolete.

In just a couple of years, cybersecurity experts say, ransomware has developed into a tightly organized, highly compartmentalized business. There are certain hackers who break into computer systems and others whose job is to take control of them. There are tech support specialists and experts in money laundering. Many criminal gangs even have official spokespeople who do media relations and outreach.

In many ways, the organizational structure of the Russian ransomware industry mimics franchises, like McDonald’s or Hertz, that lower barriers to entry and allow for easy duplication of proven business practices and techniques. Access to DarkSide’s dashboard was all that was needed to set up shop as an affiliate of DarkSide and, if desired, download a working version of the ransomware used in the attack on Colonial Pipeline.

While The Times did not acquire that software, the publishing company offered a window into what it was like to be the victim of an attack by DarkSide ransomware.

The first thing the victim sees on the screen is a ransom letter with instructions and gentle threats.

“Welcome to DarkSide,” the letter says in English, before explaining that the victim’s computers and servers had been encrypted and any backups deleted.

To decrypt the information, victims are directed to a website where they must enter a special pass key. The letter makes clear that they can call on a tech support team if they should run into any problems.

“!!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself,” the letter says. “We WILL NOT be able to RESTORE them.”

The DarkSide software not only locks victims’ computer systems, it also steals proprietary data, allowing affiliates to demand payment not only for unlocking the systems but also for refraining from releasing sensitive company information publicly.

In the chat log viewed by The Times, a DarkSide customer support employee boasted to Woris that he had been involved in more than 300 ransom attacks and tried to put him at ease.

“We’re just as interested in the proceeds as you are,” the employee said.

Together, they hatched the plan to put the squeeze on the publishing company, a nearly century-old, family-owned business with only a few hundred employees.

In addition to shutting down the company’s computer systems and issuing the pedophile threat, Woris and DarkSide’s technical support drafted a blackmail letter to be sent to school officials and parents who were the company’s clients.

“Dear school staff and parent,” the letter went, “have nothing personal against you, it is only business.” (A spokesman for the company said that no clients were ever contacted by DarkSide, but several employees were.)

On top of this, using a new service that DarkSide introduced in April, they planned to shut down the company’s websites with so-called DDoS (distributed denial of service) attacks, in which hackers overload a company’s network with fake requests.

Negotiations over the ransom with DarkSide lasted for 22 days and were carried out over email or on the gang’s blog with a hacker or hackers who spoke only in mangled English, said the company’s spokesman. Negotiations broke down sometime in March over the company’s refusal to pay the $1.75 million ransom. DarkSide, it seems, was livid and threatened to leak news of the ransomware attack to the…
