A chat with DarkSide

If you would meet us on the street – you would never realize that we are cyberpests, because we are the same normal people like everyone else. Many have families and children, the only thing that these circumstances in which we found ourselves in our country are. We have no hatred and desire to cause damage, we perceive our business as any other, the ultimate goal of which is profit.

— DarkSide

In a recent article on BankInfoSecurity, Mathew J. Schwartz reports that ransomware threat actors have been on somewhat of a “charm offensive” since last year, giving interviews to media.

Because this blogger has absolutely no hacking knowledge or skills, I would never try to do an actual technical interview with any threat actor. In fact, given my professional background, I have always been more interested in why and how threat actors make the decisions they make — and how some seem to have absolutely no scruples or ethics about attacking some victims while others appear to develop some sort of ethics code. With those interests in mind, DataBreaches.net recently interviewed DarkSide operators about their approach to their ransomware operations and changes since they first emerged as DarkSide.

In August 2020, when the ransomware group known as DarkSide introduced themselves via a press release on their web site, they made a point of immediately claiming that although their product might be new, they were not new kids on the block:

We are a new product on the market, but that does not mean that we have no experience and we came from nowhere. We received millions of dollars profit by partnering with other well-known cryptolockers. We created DarkSide because we didn’t find the perfect product for us. Now we have it.

Their announcement also stated what kinds of entities they did not attack, and that they only attacked companies that could pay the demanded amount — an amount they claim they determine by researching the companies they attack.
Their launch announcement was met with skepticism by some and outright scorn or ridicule by others, and Brian Barrett’s description of DarkSide as having a “veneer” of professionalism was somewhat understandable. But in some respects, DarkSide has proved Barrett wrong. They actually are more professional in their conduct than some other ransomware groups, even though their conduct is certainly illegal and cruel to victims. And they have not only kept their word about who they will not attack, but they have actually expanded the exclusions.

So seven months after they announced their launch and then put their heads down and got to work, what, if anything, has changed for them?

“Big-Game Hunters”

Like other groups such as REvil, Ryuk, and DoppelPaymer, DarkSide is considered a “big-game hunter,” targeting larger corporations that can afford to pay higher ransoms. DarkSide’s dedicated leak site currently lists Guess, the well-known American clothing and fashion accessories retailer. Guess’s revenue last year was estimated at $2.68 billion. DarkSide claims to have exfiltrated more than 200 GB of data, and posted a number of samples as proof.

DataBreaches.net does not know how much ransom DarkSide has demanded for the decryption key, but they publicly advise Guess:

We recommend using your insurance, which just covers this case. It will bring you four times more than you spend on acquiring such a valuable experience.

That statement is consistent with DarkSide’s first press release, in which they stated that they were not out to kill companies. It is also consistent with DarkSide’s explanation to DataBreaches.net in the interview recently conducted by email. [Because of language issues, DarkSide would translate my e-mailed questions into Russian, answer me in Russian, and then translate the answers back into English. With only one exception, that seemed to work fairly decently.]
One of the exchanges was:

DataBreaches.net (DBN): Do you ever demand more than what their cyberinsurance policy might cover?

DarkSupp: Always before putting the amount of ransom, we study the internal reporting of the company and definitely understand how much they can really pay, all our partners work in the same way and we always remind about it. Basically, we do not require more than the amount of cyber insurance, but we can not always check the actions of our partners.

DBN: Someone suggested that if companies didn’t have cyberinsurance, ransomware threat actors would lose interest and just go away. Do you think that’s true?

DarkSupp: (no response or comment)

From the files on their site, it would appear that Guess was attacked in February. Unlike some groups that reach out to media quickly to get coverage, DarkSide had not reached out about Guess or other victims. When asked about how long they wait and what steps they take, they answered:

DarkSupp: We act in stages and notify the press usually already when exactly sure that the company will not pay. As for [Guess and another company DBN had named] – I think the press will see them.

DBN: Do you notify the press to punish the companies for not paying or to try to pressure them more — or for both reasons?

DarkSupp: For both reasons.

DBN: Do you actually call targets on the phone like some others do? Do you ever contact targets’ customers directly like CLOP seems to be doing about the Accellion breach?

DarkSupp: Yes, a few weeks ago, we launched a balanced service of the calls to our victims, while we call only our customers, but soon we also want to put pressure on their partners. A few days ago, we launched DDOS of our targets (Layer 5 Layer 7), which significantly increased pressure and has already brought the first results.

Exclusions

Like some other RaaS groups, DarkSide uses a popular Russian-language forum to advertise or recruit partners and to promote its service and updates to its product.
A recent announcement in early March described a number of updates to the features and rates for partners, as well as seeking affiliates. The announcement also repeated the rules about what was not permissible.