Following the attack on the American gasoline pipeline company Colonial Pipeline, which had its network shut down by hackers, ransomware has recently become a hot subject in the news again. The company allegedly paid DarkSide, a hacker group described by the US government as a “ransomware-as-a-service” (RaaS) operation, approximately $5 million in cryptocurrency to unlock its network.
That could have been a drop in the bucket compared to DarkSide’s total ransomware haul. Elliptic, a blockchain analytics firm, released a study today claiming that DarkSide-affiliated Bitcoin wallets have collected more than $90 million in cumulative ransom payments to date.
Following a report from DarkTracer that claims that 99 organizations have been infected with DarkSide’s ransomware, Elliptic found that 47 payments—each from a distinct wallet—had been made to DarkSide’s Bitcoin wallets. In total, just over $90 million worth of Bitcoin was paid in, and the firm suggests that “further transactions may yet be uncovered, and the figures here should be considered a lower bound.”
DarkSide’s RaaS model involves the group providing the tools for ransomware attacks to so-called “affiliates,” which target high-value businesses and try to infect, shut down, and/or steal confidential data from their computer networks. If the affiliate successfully negotiates and secures a ransom payout, the proceeds are shared between the parties.
According to security firm FireEye, DarkSide would take 25% of a ransomware payment under $5 million, or 10% for sums higher than that. Based on blockchain analysis, Elliptic reports that DarkSide kept about $15.5 million worth of the Bitcoin paid to it and disbursed some $74.7 million worth of Bitcoin to affiliate groups.
In the case of the Colonial Pipeline attack, the shutdown of the firm’s network led to fuel shortages across the Southeastern United States. Bloomberg reported last week that Colonial Pipeline made a payment of “nearly $5 million” in “untraceable cryptocurrency” within hours of the attack, although it did not identify the coin. The New York Times later confirmed that the payment was made in Bitcoin.
Elliptic was the first to identify DarkSide’s Bitcoin wallet, and said that it received 75 BTC from Colonial Pipeline on May 8. On that date, according to historical data from Nomics, 75 BTC would have been worth approximately $4.43 million. A similar-sized payment of 78.29 BTC was sent to a DarkSide-affiliated wallet on May 11 by German chemical distributor Brenntag.
DarkSide, which is believed to be based in Eastern Europe or Russia, has reportedly shut down and emptied its Bitcoin wallets in the wake of the high-profile Colonial Pipeline attack, which drew a response from President Biden and the US government. A member of the group claimed to have lost access to many of its servers, and an email sent to DarkSide’s affiliates noted that it was shutting down “due to the pressure of the US.”
Owing to the difficulties of tracing the money back to the hackers, cryptocurrency is often used for ransomware attacks, though some coins, such as the privacy-centric coin Monero, are much more difficult to track than others. Chainalysis, a blockchain data company, estimated last week that more than $81 million in cryptocurrency has been paid out as ransom in 2021, with more than $406 million in documented payments in 2020.