New research into the ransomware gang who attacked the Colonial Pipeline shows just how much money they were able to extort during a short-lived crime spree: about $90 million in approximately seven months.
DarkSide, which recently announced it was closing down its operations and going underground (at least for now), was operational for less than a year but managed to accrue a small fortune through cyberattacks conducted via its “affiliate program,” say researchers with Elliptic, a blockchain analysis firm that specializes in tracking criminals.
As a Ransomware-as-a-Service operator, DarkSide loaned its malware out to “affiliate” hackers, who then conducted attacks on targets and negotiated ransoms. This business model, designed to share profits between malware “owners and partners,” successfully targeted dozens of victims, a majority of which “were based in the United States,” write FireEye analysts. In each case, affiliates received a lion’s share of successfully delivered ransom payments, while DarkSide operators received a smaller cut.
Elliptic recently analyzed the wallet used by DarkSide in the Colonial extortion. It had only been operational since March 4, yet had received 57 payments from 21 separate wallets—bringing in a total of $17.5 million. Of those, at least one was from Colonial itself, which allegedly paid the hackers some $5 million in Bitcoin in exchange for a less-than-optimal decryptor key.
In fact, DarkSide and its partners operated a network of 47 different wallets, each used to collect ransoms from multiple victims, Elliptic reported Tuesday. After the money changed hands, it was frequently funneled through crypto exchanges where it could be translated into fiat. In other cases, it was sent through Hydra, a popular European darknet marketplace that offers “cash-out services,” Elliptic researchers write. All told, affiliates gained some $74.7 million from the attacks, while DarkSide—as the developer—earned about $15.5 million.
“According to DarkTracer, 99 organisations have been infected with the DarkSide malware - suggesting that approximately 47% of victims paid a ransom, and that the average payment was $1.9 million,” writes Tom Robinson, Elliptic’s co-founder.
The gang abruptly announced early retirement plans last week, claiming that a law enforcement agency had seized some amount of its cryptocurrency, while also disabling large parts of its infrastructure. DarkSide further claimed it would be shuttering its “affiliate” program and going underground for the time being.
“There has been speculation that the bitcoins were seized by the US government—if that is the case they didn’t actually seize most of Colonial Pipeline’s ransom payment,” said Elliptic’s Robinson, noting that “the majority of that was moved out of the wallet on the 9th [of] May.”
Researchers with Intel471, the security firm that initially spotted DarkSide’s alleged “retirement plans,” said that it’s impossible to say whether the gang actually suffered a seizure of its assets, or whether it was just trying to scam its partners out of a cut of their loot.
“When law enforcement executes these ‘takedown’ actions, there is usually a press release or a note posted on the website indicating that work was completed by police,” said an Intel471 analyst. “We currently have no evidence that shows the wallet was hacked, nor anything that indicates law enforcement was involved in the website takedown or wallet action.”
They added: “These ransomware operators are criminals, so it’s hard to assume they will stick to what they say. We believe DarkSide’s announcement is meant to show that the operators are aiming to be less noisy about their activities to avoid the spotlight.”