In a cybercrime industry first, the DarkSide ransomware group is looking at developing a distributed storage system for stolen data. The aim is to make it harder for authorities to take down sites selling stolen data and easier for cybercriminals to download the victims’ data. The ransomware group has also put in place an affiliate program to maximize its profits.
DarkSide is a ransomware group and a relatively new player in the cybercrime industry. The group was discovered in August 2020 and runs a Ransomware-as-a-Service (RaaS) operation that uses corporate-like methods. In RaaS operations, ransomware operators provide malware to third parties in exchange for a portion of victims’ ransom payments. These third parties are essentially ransomware groups’ customers, also known as affiliates.
Like other ransomware groups, such as Netwalker and REvil, DarkSide first exfiltrates data from compromised servers before encrypting it. Unlike other ransomware groups, however, DarkSide has supposedly developed a code of conduct. DarkSide says that it will not attack, or allow its affiliates to attack, hospitals, hospices, schools, not-for-profits and government organizations. It targets only English-speaking countries and avoids countries belonging to the former Soviet Union, which includes Russia and 11 other countries. DarkSide’s malware is designed so that it cannot infect systems in these countries.
Researchers state that the ransomware DarkSide uses and provides to its affiliates can encrypt both Windows and Linux files. Like other ransomware groups, the group maintains a leak site on the dark web. The leak site is used to name and shame victims into paying ransoms. It is also used to sell the stolen data to other cybercriminals if victims still refuse to pay the ransom.
This double-extortion strategy of stealing victims’ data before encrypting it and then leaking it was pioneered by Maze. As it proved highly successful, this strategy was then taken up by many other cybercriminal groups. DarkSide is now looking at introducing a new cybercriminal innovation, namely distributed storage systems for stolen files.
Distributed Storage System
Last week DarkSide published an advertisement on two Russian-language cybercrime forums declaring that it intended to establish a distributed storage system. The advertisement explained that this system would be made available to its affiliates to store data stolen from their victims. It also explained that they were looking at setting up the system in Iran. Finally, the advertisement promised the system would store data for six months and that “blocking one server won’t delete data.”
According to KELA, an Israel-based security firm that first discovered the advertisement, “Such servers in Iran and [other] countries will be harder to discover, block, and cease due to a lack of cooperation from local authorities.” DarkSide claimed that it was looking at setting up the system in Iran and “unrecognized republics” so their infrastructure could not be easily taken down. Consequently, this move seems to be in retaliation for authorities recently taking down sites and botnets operated by cybercriminals.
Furthermore, storing victims’ data on a distributed storage system would make it easier for cybercriminals to access the stolen data. Currently, cybercriminals generally download victims’ files using Tor.
As with the double-extortion strategy, if this new strategy proves successful, other ransomware operators are likely to follow DarkSide’s lead. This would make it harder for law enforcement and other agencies to prevent cybercriminals from leaking sensitive private and corporate data stolen in ransomware attacks.
DarkSide’s Affiliate Program
In addition to looking at implementing a distributed storage system, DarkSide has put in place an affiliate program. The program was introduced in a bid to maximize profits. According to KELA, DarkSide stated “their average payments to their affiliates are about $400,000 and the share paid by affiliates is 10% to 25%, depending on the size of the ransom”. Furthermore, DarkSide claims that the average ransom it receives is between $1.6 million and $4 million.
Affiliate programs have many upsides for both ransomware operator and affiliate. The operator handles the technical side, such as providing malware updates and setting up the required infrastructure. This infrastructure is then scaled up to handle as many affiliates as possible and thus realize much greater profits. Affiliates, on the other hand, get the benefit of not needing to build and maintain their own malware and infrastructure.