“We created DarkSide because we didn’t find the perfect product for us,” reads the launch announcement. “Now we have it.” It’s a line that could come out of any number of VC-friendly pitch decks, but DarkSide is no startup. It’s the latest strain of ransomware built to shake down big-game targets for millions—with attacks that are couched in an uncanny air of professionalism.
Guaranteed turnaround times. Real-time chat support. Brand awareness. As ransomware becomes big business, its purveyors have embraced the tropes of legitimate enterprises, down to corporate responsibility pledges. In that same “press release,” posted to the operators’ site on the dark web on August 10 and first reported by cybersecurity news site Bleeping Computer, the DarkSide hackers pinky-swear not to attack hospitals, schools, nonprofits, or government targets.
“The groups are increasingly becoming ruthlessly efficient,” says Brett Callow, a threat analyst at antivirus company Emsisoft. “They have more of a chance of success the easier they make life for their victims—or the easier they make it to pay them.”
The rise of the buttoned-up ransomware hacker has been gradual and widespread, and is partly a function of success breeding success. The more resources these groups have, the more they can allocate toward streamlining their services. In 2019 ransomware attacks potentially grabbed at least $7.5 billion from victims in the US alone, according to Emsisoft.
The group behind DarkSide isn’t the first to wear a patina of professionalism. REvil ransomware, which predates and shares some characteristics with DarkSide, has long offered chat support and assures victims that “its [sic] just a business. We absolutely do not care about you and your deals, except getting benefits.” The developers of Maze ransomware have long been thought to operate under an affiliate model, in which they get a cut of whatever hackers glean from attacks that use their product.
One particularly illustrative exchange published by Reuters in July shows just how cordial these interactions can be, at least superficially. When Ragnar Locker ransomware hackers struck the travel company CWT, a chipper representative at the other end of the support line broke down what services the ransom payment would render, offered a 20 percent discount for timely payment, and kept the chat window functional after handing over the decryption keys in case CWT needed any troubleshooting. “It’s a pleasure to deal with professionals,” wrote the Ragnar agent as the conversation wound down. They might as well have been discussing a denim refund at Madewell.
“Even many of the very early ransomware operators have been sensitive to providing ‘good customer service’ and responsive communication via dedicated chat systems or email, and reasonable guarantees that payment would lead to victims receiving the tools necessary to decrypt impacted files and systems,” says Jeremy Kennelly, manager of analysis at Mandiant Threat Intelligence.
In addition to swearing off hospitals—a traditionally popular ransomware target, but more of a minefield in a pandemic—DarkSide also claims that it only attacks those who can afford to pay. “Before any attack, we carefully analyze your accountancy and determine how much you can pay based on your net income,” the press release reads.
That sort of operational sophistication has also become more widespread in recent years. Mandiant has spotted an actor associated with Maze looking to hire someone to scan networks full-time to identify companies and figure out their finances. “We also have seen specialized tools seemingly developed to aid in quickly discovering company revenues,” said Kimberly Goody, senior manager of analysis at Mandiant Threat Intelligence, in an interview last month. “Earlier in July, an actor advertised a domain checker that would output information about a company from ZoomInfo, including its listed revenue, number of employees, and address.”
In other words, DarkSide isn’t doing anything new, but it does provide a tidy distillation of how ransomware groups have adopted a slickly professional veneer. At the same time, its name hints at the increasingly retaliatory steps that those same hackers have begun to take when their victims don’t pay up.
Carrots and Sticks
The politesse of DarkSide quite obviously belies the criminal activity in which it partakes, and like other major ransomware groups, its operators have escalated beyond simply encrypting a victim’s files. To better ensure payment, they also steal that data and hold it hostage, threatening to make it public should the target attempt to restore their systems on their own.
DarkSide maintains a data leak site on the dark web, where it lists not only victims but the size of the haul and what sort of documents and information it comprises. If the victim doesn’t pay, the DarkSide hackers say they’ll keep the stolen trove online for at least six months. This week they posted their first entry, claiming they had obtained 200 gigabytes of data comprising HR, finance, payroll, and more internal departments from Canadian real estate firm Brookfield Residential.
It’s a variation on a familiar threat, one that ransomware attackers are all too ready to follow through on. In May the REvil hackers demanded $42 million from entertainment law firm Grubman Shire Meiselas & Sacks, leaking 2.4 GB of Lady Gaga’s legal documents to back up their claim. (REvil has gone so far as to auction off its stolen data troves on the dark web.) The NetWalker ransomware gang includes a countdown clock on its data leak site, adding a dash of drama. The Pysa ransomware organization refers to its victims as “partners” on its site, advertising the sort of data you can find in the leaks like earnest hype men. One such entry concludes: “17 GB of great information that won’t leave you indifferent.”
“It’s the carrot and the stick,” says Callow, who notes that recently attackers have taken the additional step of threatening to proactively notify the media, competitors, and government regulators about sensitive data they’ve stolen if the victim doesn’t pay promptly. “They’re not just threatening to publish the data, they’re threatening to weaponize it.”
In a roundabout way, that overture of affable competence helps reinforce the seriousness of those threats. “Ransomware attacks are not just encryption exercises but more so exercises in delivering fear,” says Ed Cabrera, chief cybersecurity officer at Trend Micro. “The more victims believe their attackers are professionals, the more likely they will believe their underlying messages like, ‘It’s useless to fight us, just pay’ or ‘Trust us, you’ll get your data back because we do this for a living.’”
It’s an unvirtuous cycle—ransomware groups make more money, so they invest more in their operations, so they can hit bigger targets, so they make more money, and so on. And there’s no reason to think it will abate any time soon. Even well-resourced companies have inevitable holes in their security setups. Most of the major operators live outside of the US, so law enforcement has little recourse. The last major legal action against an alleged ransomware kingpin came in December, when the Department of Justice indicted the Russian head of the Evil Corp hacking group. They’re the ones, security analysts believe, who shut down Garmin in July.
More Great WIRED Stories
- The furious hunt for the MAGA bomber
- How Bloomberg’s digital army is still fighting for Democrats
- Tips to make remote learning work for your children
- “Real” programming is an elitist myth
- AI magic makes century-old films look new
- ?️ Listen to Get WIRED, our new podcast about how the future is realized. Catch the latest episodes and subscribe to the ? newsletter to keep up with all our shows
- ✨ Optimize your home life with our Gear team’s best picks, from robot vacuums to affordable mattresses to smart speakers