“We created DarkSide because we didn’t find the perfect product for us,” reads the launch announcement. “Now we have it.” It’s a line that could come out of any number of VC-friendly pitch decks, but DarkSide is no startup. It’s the latest strain of ransomware built to shake down big-game targets for millions—with attacks that are couched in an uncanny air of professionalism.
Guaranteed turnaround times. Real-time chat support. Brand awareness. As ransomware becomes big business, its purveyors have embraced the tropes of legitimate enterprises, down to corporate responsibility pledges. In that same “press release,” posted to the operators’ site on the dark web on August 10 and first reported by cybersecurity news site Bleeping Computer, the DarkSide hackers pinky-swear not to attack hospitals, schools, nonprofits, or government targets.
“The groups are increasingly becoming ruthlessly efficient,” says Brett Callow, a threat analyst at antivirus company Emsisoft. “They have more of a chance of success the easier they make life for their victims—or the easier they make it to pay them.”
The rise of the buttoned-up ransomware hacker has been gradual and widespread, and is partly a function of success breeding success. The more resources these groups have, the more they can allocate toward streamlining their services. In 2019 ransomware attacks potentially grabbed at least $7.5 billion from victims in the US alone, according to Emsisoft.
The group behind DarkSide isn’t the first to wear a patina of professionalism. REvil ransomware, which predates and shares some characteristics with DarkSide, has long offered chat support and assures victims that “its [sic] just a business. We absolutely do not care about you and your deals, except getting benefits.” The developers of Maze ransomware have long been thought to operate under an affiliate model, in which they get a cut of whatever hackers glean from attacks that use their product.
One particularly illustrative exchange published by Reuters in July shows just how cordial these interactions can be, at least superficially. When Ragnar Locker ransomware hackers struck the travel company CWT, a chipper representative at the other end of the support line broke down what services the ransom payment would render, offered a 20 percent discount for timely payment, and kept the chat window functional after handing over the decryption keys in case CWT needed any troubleshooting. “It’s a pleasure to deal with professionals,” wrote the Ragnar agent as the conversation wound down. They might as well have been discussing a denim refund at Madewell.
“Even many of the very early ransomware operators have been sensitive to providing ‘good customer service’ and responsive communication via dedicated chat systems or email, and reasonable guarantees that payment would lead to victims receiving the tools necessary to decrypt impacted files and systems,” says Jeremy Kennelly, manager of analysis at Mandiant Threat Intelligence.
In addition to swearing off hospitals—a traditionally popular ransomware target, but more of a minefield in a pandemic—DarkSide also claims that it only attacks those who can afford to pay. “Before any attack, we carefully analyze your accountancy and determine how much you can pay based on your net income,” the press release reads.
That sort of operational sophistication has also become more widespread in recent years. Mandiant has spotted an actor associated with Maze looking to hire someone to scan networks full-time to identify companies and figure out their finances. “We also have seen specialized tools seemingly developed to aid in quickly discovering company revenues,” said Kimberly Goody, senior manager of analysis at Mandiant Threat Intelligence, in an interview last month. “Earlier in July, an actor advertised a domain checker that would output information about a company from ZoomInfo, including its listed revenue, number of employees, and address.”
In other words, DarkSide isn’t doing anything new, but it does provide a tidy distillation of how ransomware groups have adopted a slickly professional veneer. At the same time, its name hints at the increasingly retaliatory steps that those same hackers have begun to take when their victims don’t pay up.
Carrots and Sticks
The politesse of DarkSide quite obviously belies the criminal activity in which it partakes, and like other major ransomware groups, its operators have escalated beyond simply encrypting a victim’s files. To better ensure payment, they also steal that data and hold it hostage, threatening to make it public should the target attempt to restore their systems on their own.