Remember the Dark Side comics? Well, the DarkSide criminal hacking group is no laughing matter. The DarkSide ransomware gang claims it is building a distributed storage system in Iran to hold and leak data stolen from victims. DarkSide operates as Ransomware-as-a-Service (RaaS): the developers write and maintain the ransomware and the payment site, and affiliates are recruited to break into businesses and encrypt their systems.
DarkSide is the latest ransomware criminal gang to announce that it has launched an affiliate program as part of its bid to maximize revenue. Recently, the operators behind DarkSide used XSS and Exploit, two major Russian-language cybercrime forums, to announce the details of the gang's new affiliate program, Israeli cyberthreat intelligence monitoring firm Kela reports. "The share paid to affiliates is 10% to 25%, depending on the size of the ransom."
Figure 1. Gary Larsen
What is an affiliate program? In the legitimate world, an affiliate program is an agreement in which a business pays another business or influencer ("the affiliate") a commission for sending traffic and/or sales its way, typically through web content, social media, or product integration. Ransomware now follows the same model. Ransomware operators provide crypto-locking malware to third parties, and each affiliate receives a build of the code with a unique ID embedded, so the operator can attribute every infection and ransom payment to the affiliate responsible. For every victim that pays, the affiliate splits the take with the operator. For example, the affiliate program run by Sodinokibi, aka REvil, was, as of last year, giving 30% of every ransom payment to an affiliate, rising to 40% after three successful ransom payments.
DarkSide's terms and conditions differ. "They stated that their average payments to their affiliates are about $400,000 and the share paid to affiliates is 10% to 25%, depending on the size of the ransom," Kela says, noting that DarkSide claims the average ransom it receives is between $1.6 million and $4 million.
Ransomware affiliate programs are in use by many threat actor groups. Victoria Kivilevich, a threat intelligence analyst at Kela, says some of the more famous "big game" ransomware operators running affiliate programs as well as blogs for leaking stolen data include these groups:
- Sodinokibi, aka REvil;
- Suncrypt - now apparently retired.
Other ransomware operations, some active and some now defunct, that have run affiliate programs include Chimera, CryLock, Exorcist, Gretta, Makop, Thanos and Zeppelin, Victoria stated.
Running an affiliate program offers a number of benefits. The ransomware operator handles the technical side, including "product updates." Once the operator has built all the required infrastructure, typically including a self-service portal where victims pay, it can, in theory, scale to handle as many affiliates as it wants. This crowdsourcing model can yield much greater profits than the operator could realize by attacking victims itself. Affiliates, for their part, do not need to build and maintain their own malware and infrastructure, which lowers the barrier for new attackers to join.
Other benefits include the ability to attract specialists in skills such as network penetration, who can focus on amassing victims while leaving tech support and "customer service" to the operator. Since these operations are so profitable, expert talent appears to be easy to recruit.
Participation in an affiliate program also carries disadvantages that can sometimes outweigh the benefits, chief among them damage to the operator's reputation. If an affiliate does something "bad," that reflects on the operator, as DarkSide has noted in one of its posts. "For example, when an affiliate of Suncrypt attacked hospitals, you could see Suncrypt writing: 'A new affiliate locked it unknowingly, and for this, he was punished! Hospitals, government, airports, etc., we do not attack,'" Victoria noted.
Both the DoppelPaymer and Maze ransomware gangs made similar promises regarding the health sector at the start of the Covid-19 pandemic. Other ransomware attackers have not been so forgiving: NetWalker, for example, hit UCSF and successfully extracted a $1.14 million ransom. It remains to be seen whether DarkSide is good for its word on this promise. "We take our reputation very seriously," the DarkSide operators said, adding that if ransoms are paid, "all guarantees will be fulfilled." These guarantees appear to relate to the now-standard practice of exfiltrating data before encrypting networks. DarkSide said it would guarantee to decrypt one test file, provide support with decryption after payment, and delete all uploaded data from its Dark Web stores.
If this sounds familiar, that is because it has become standard operating procedure (SOP). While DarkSide claims to be new, and the specific attacks appear to be, the methodology is tried and tested. It has been suggested that there are similarities in the malware itself that link DarkSide to REvil, and to GandCrab before it. This is not proof that the highly successful REvil operators are evolving into something new, but the links are worth noting. The customized "Welcome to the Dark Side" ransom notes that DarkSide uses appear to be based on REvil templates. REvil also opened a Dark Web auction house specifically to auction off data stolen from high-profile "clients," as it called them.
Relying on affiliates also means that the ransomware operation may inadvertently recruit undercover security researchers or law enforcement agents, who can collect intelligence about its activities. More competitors and the fear of getting caught are major concerns for the operators. Who can you trust in a forum full of hackers? (Ha!)
The DarkSide program increases risks for all organizations. The operators say that the crypto-locking malware DarkSide provides to affiliates can encrypt both Windows and Linux files. Researchers at Russian security firm Kaspersky recently determined that RansomEXX ransomware can also crypto-lock Linux files. Like many types of malware, DarkSide is designed so that it will not infect PCs located in a member state of the post-Soviet Commonwealth of Independent States (CIS), which includes Russia and 11 other nations.
As proof of its success to date, DarkSide has deposited 20 bitcoins, worth about $315,000, with the XSS forum. Victoria says this is "a common method ransomware gangs will use to show that their operation generates plenty of profit." Like many other ransomware operations, the gang maintains a leak site where it names and shames victims and can post samples of stolen data to pressure them into paying. In an attempt to boost profits, the gang has posted that it is looking for initial access brokers who can provide access to U.S. businesses with annual revenue of at least $400 million. Criminal innovation in ransomware, driven by a relentless push to maximize profits, appears to be paying off at victims' expense.
"DarkSide is aiming for big targets," Victoria says, adding that it is the first time she has seen "ransomware operators offering initial access brokers the opportunity to directly trade with them" rather than attempting to rely on "affiliates or other middlemen."
Red Sky Alliance has been analyzing and documenting cyber threats and vulnerabilities for over 9 years and maintains a resource library of malware and cyber actor reports.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941