< Back to Searchlight Blog

Is all press good press? DarkSide, Colonial Pipeline and Ransomware-as-a-Service

Published on 20 May 2021 by Louise

This article explores the darknet structures and relationships sustaining the ransomware ecosystem, and enquires whether consequences of the DarkSide attack against Colonial Pipeline will have an effect on the continued growth of this lucrative cybercriminal enterprise.

On May 7, 2021, one of the largest oil pipelines in the US, providing 45% of the East Coast's fuel supply, ceased operations following the encryption of its internal network. It took five days (and a $4.4 million ransom payment) for Colonial Pipeline to resume service, during which time its plight dominated the headlines of major news outlets around the globe. Ransomware attacks have long occupied the pages of cybersecurity publications, with an average of over 24 new victims per month for 2021 so far. However, this assault on a critical infrastructure system (CIS) led to such a level of sustained and high-profile coverage - and FBI investigation - as to elicit a damage-control statement posted on the darknet PR site of the assumed perpetrators, DarkSide. The DarkSide Leaks portal - along with the rest of their online presence - has since vanished, with explanatory theories ranging from law enforcement bust to self-imposed exile (or exit scam). Despite this hasty retreat, it remains to be seen whether DarkSide or their colleagues will suffer losses from their increased infamy. This article outlines the darknet structures and relationships that sustain the ransomware ecosystem, and how they continue to push growth in this area of cybercrime.

Distribution of active ransomware gangs according to number of posts on darknet PR portals Distribution of active ransomware gangs according to number of posts on darknet PR portals (Data courtesy of Cerberus)

Ransomware Operators: Common Traits and Techniques

Searchlight's darknet intelligence platform Cerberus currently indexes the PR sites of over a dozen different ransomware operators. Whilst varied in terms of size and noteriety, these groups tend to share at least some characteristics or techniques, some of which are detailed below:

  • Big game hunting - most ransomware operators select victims according to two main criteria. The first is based on opportunity; ransomware operators or their affiliates will target low-hanging fruit by surveilling different company networks and identifying those with vulnerabilities, such as misconfigurations or outdated internet-facing services such as VPNs. Once a target is identified, research is conducted to ascertain their yearly turnover and general financial health. Though ransomware operators often spin "big-game hunting" as an altruistic consideration, ensuring they do not harm small businesses, the primary motivation is probably self-interest; companies with large profits are more likely to pay large ransoms.

  • Russo-affinity - A common theme among a number of ransomware operators regards their links to Russia. Whilst most analyses fall short of suggesting outright state sponsorship, groups such as DarkSide have been open about preferring to hire partners who are native Russian speakers. This is coupled with the fact that ransomware operators often prohibit attacks against companies operating in the Commonwealth of Independent States (Russia and other former members of the Soviet Union), sometimes by rendering the malware inoperable when a Russian language pack is detected on the target computer. Several groups including DarkSide are thought to be operating out of either Eastern Europe or Russia, likely due to the region's suspected toleration, sometimes co-option, of cybercrime.

  • Avoiding the public sector - Another component of ransomware operators' faux-benevolence is their claimed aversion to launching attacks against public sector organisations, such as healthcare or educational bodies. Again, this is likely less aimed at minimising social harm than minimising scrutiny from governments and law enforcement organisations. It should also be noted that this principle is not universal, with some ransomware strains - such as Pysa and Conti - being regularly deployed against universities, schools, and healthcare services.

  • Double extortion - A fairly recent addition to the ransomware attack repertoire is the rising use of double-extortion tactics as a method of maximising chances of ransom payment. This is achieved by copying and exfiltrating the victim's data before encrypting it. This way, even if a victim organisation has access to backups to restore their data, the risk of having that data leaked online provides a secondary incentive to pay up. Other variations include only exfiltrating the data (as was likely the case in the Accellion hack) or double encryption (whereby two separate ransomware strains are deployed).

RaaS and Darknet Forums

One of the key structures that allows ransomware operators to attack corporate networks with such speed and frequency is the Ransomware as a Service (RaaS) model. Ransomware operators act as the purveyors of a product, that being their specific strain of ransomware, and offer it for rent to other darknet actors who can perform the functions required prior to deployment, including initial access to systems, internal reconnaissance, and privilege escalation. In return, they recieve a cut of any ransom payment secured as a result of the attack, with the rest going to the operators. This relationship between operators and affiliates (also referred to as partners) spreads the workload across multiple individuals or groups and thus increases the efficiency of operations and by extension the number of ransoms collected, making it beneficial for both parties.

Despite selling a service, most RaaS business is conducted on darknet hacking forums rather than markets; operators place advertisments in the form of posts, setting out their terms and conditions as well as payment rates. The choice of hacking forums as recruitment pools is understandable given the skills required to compromise company systems and maintain a presence undetected, with some cybercriminals gaining access weeks or months before actual ransomware deployment. Below is a chart breaking down the distribution of conversations about RaaS across several active darknet forums indexed by Cerberus, with XSS and Exploit comprising almost two thirds of all posts on the topic.

chart (Data courtesy of Cerberus)

This reciprocal structure may greatly expand one ransomware's potential reach and takings, but it is not without drawbacks. Despite DarkSide's reportedly rigorous interview and vetting process when accepting new affiliates, the lateral freedom afforded to those selecting and breaching target networks is likely to blame for the inadvertent "act of war" against Colonial Pipeline and subsequent unwanted attention from US authorities. A desire for control and some form of "brand protection" may explain why some ransomware operators opt for a model of closed partnership rather than publicly advertising their wares, or conduct business completely in-house.

The global spotlight afforded to this cybercriminal industry as a result of the DarkSide/Colonial incident has influenced the ecosystem to some degree. The two primary forums used by ransomware operators to recruit affiliates, Exploit and XSS, have issued statements effectively banning the advertisement of such services. Sizeable ransomware outfits REvil and Avaddon have announced unspecified "changes" will be made to their affiliate programmes, likely curtailing the autonomy of their partners in target selection. Smaller enterprises such as Everest and AKO have dispensed of their darknet PR sites entirely, though this does not necessarily suggest a cessation in operations. DarkSide have "gone dark", albeit with the potential to resurface under a different moniker.

The DarkSide/Colonial saga certainly served as a cautionary tale for ransomware operators, not least in highlighting the risk of incurring the FBI's wrath. But it also pushed boundaries, proving that even giant corporations with functioning back-ups - from which Colonial Pipeline had to restore its systems after their purchased decryptor was too sluggish - will pay the demanded ransom, something global law enforcement agencies strongly discourage. With the average ransomware payment jumping 45% in just one quarter to over $220,000, and plenty of darknet forums still willing to host advertisments, it seems RaaS schemes and the problems they create are likely to persist.

Try our Darknet Intelligence/Forensics tool for free, contact enquiries@slcyber.io

Latest News from Searchlight

20 May 2021

Is all press good press? DarkSide, Colonial Pipeline and Ransomware-as-a-Service

This article explores the darknet structures and relationships sustaining the ransomware ecosystem, and enquires whether consequences of the DarkSide attack against Colonial Pipeline will have an effect on the continued growth of this lucrative cybercriminal enterprise.


03 Mar 2021

Zero-day exploit in Accellion FTA leads to data compromise of multiple companies

This article evaluates the recent slew of data breaches suffered by a range of major organisations as a result of vulnerabilities in the soon-to-be-retired Accellion File Transfer Appliance, as well as the implications of suspected involvement by notorious ransomware gang Cl0p.


06 Jan 2021

Covid-19 and the darknet: deceit, disinformation and disruption

Since the beginning of the coronavirus pandemic, darknet actors have exploited the heightened sense of fear and uncertainty for financial and even political gain. In tandem with the much-anticipated rollout of vaccines for the disease in multiple countries worldwide, actors have renewed efforts at Covid-related fraud, disinformation, and cyber-espionage.


02 Dec 2020

The quest for Monero deanonymisation and potential impacts on darknet markets

Monero, often hailed by darknet users as the most private cryptocurrency available, has recently been the subject of efforts by security researchers to deanonymise and trace its transactions. How will Monero's potential traceability affect the illicit trade that occurs on darknet markets?