The first time many Americans heard of DarkSide — a media-savvy outfit of cyber villains who are attempting to cultivate a Robin Hood-like heroic outlaw image — was when it hacked Colonial Pipeline, which led to the disrupted gasoline supply on the East Coast.
It is unlikely to be Americans’ last encounter with this gang that President Biden said is based in Russia but is not doing dirty work for the Kremlin.
DarkSide is among scores of cybercriminal organizations that span the globe and have goofy names that belie their nefarious and dangerous trade. These denizens of the dark web include state-backed threats such as Cozy Bear in Russia and Hafnium in China, as well as others like Babuk that allegedly hit the D.C. Metropolitan Police Department.
Part of what makes DarkSide stand out is its effort to craft a public image as a vigilante that robs the powerful to benefit the powerless.
“No matter how bad you think our work is, we are pleased to know that we helped change someone’s life,” the group wrote on the dark web as observed by the antivirus software company Emsisoft.
DarkSide published a list of entities it says its operators will not attack, including places such as schools and hospitals, and it has previously announced donations in bitcoin to charities, namely Children International and the Water Project, according to Emsisoft.
Such actions do not make its crimes any less painful for victims, but DarkSide’s tactics include a public relations component designed to recast its cartoonish name as a force for good.
DarkSide uses a ransomware-as-a-service model to extort money from victims. Its malicious software infects a system and then holds data hostage. The group then receives a cut of the ransom payment made by the victims to regain access to their data.
DarkSide raked in upwards of $30 million since it started operating last year, according to a Forbes estimate. The group’s partners get 25% of ransoms under $500,000 and collect 10% of ransoms exceeding $5 million, according to FireEye, the cybersecurity company that has assisted Colonial Pipeline per reports.
On Thursday, there were unconfirmed reports that Colonial Pipeline paid a ransom totaling $5 million. Both a business advisory firm for the company and Mr. Biden declined to comment on the purported payment.
Emsisoft’s Brett Callow said if the pipeline did pay up, that spells bad news for stopping the proliferation of ransomware attacks.
“If organizations didn’t pay, the attacks would stop. It’s as simple as that,” Mr. Callow said in an email. “And ransomware is indeed a massive problem. While high-profile attacks on government and large enterprises get the headlines, it’s small businesses that suffer most. There were more than 23,000 ransomware incidents in the U.S. last year, 7,000 of which involved home users and 16,000 private-sector companies and public organizations.”
Emsisoft estimates those cyber incidents cost between $5 billion and $20 billion when factoring in the cost of business interruptions.
DarkSide is far from the only ransomware family upending Americans’ daily lives.
The Babuk cyberattack on the D.C. police escalated on Thursday with the cyberattackers claiming to post 250 gigabytes of internal files they stole from the police department including data on criminal gangs and human resource files.
“This is kind of part of the formalization of cybercrime,” said Hank Schless, senior manager at information technology security company Lookout. “It’s no longer just a guy sitting in his basement saying, ‘I’m going to hack the D.C. police.’ It’s groups carrying out specific attacks with … repeatable blueprints.”
Mr. Schless said he thought there might prove to be an overlap between the cyberattackers using DarkSide and the ones using Babuk.
Major threats that could cripple a nation in the short term and give long-term advantages to America’s competitors reside outside the U.S. borders, particularly in Russia and China.
The U.S. government identified Cozy Bear, also known as the Russian Foreign Intelligence Service and Advanced Persistent Threat 29, as responsible for the hack of SolarWinds computer network management software. Mr. Biden imposed sanctions on Russia in response to the hack, which compromised nine federal agencies, but the full extent of the damage is yet to be determined.
Cozy Bear’s hack gave it the ability to “spy on or potentially disrupt more than 16,000 computer systems worldwide,” according to a White House fact sheet.
FireEye has assessed the Russian hackers to be one of the “most capable and evolved” threat groups. Its methods have included using cloud storage services and social media sites, including Twitter, to relay commands and extract data, per FireEye.
Russia is not alone in large-scale cyber espionage fixated on the U.S. Hafnium is an emergent threat identified by Microsoft as state-sponsored cyberattackers based in China that successfully hacked Microsoft Exchange servers.
The hack, disclosed in March, gave the hackers access to email accounts and the ability to install malware to ensure long-term access to their targets’ digital environments, according to Microsoft.
Microsoft said Hafnium sought to exfiltrate information from infectious disease researchers, law firms, higher educational institutions, defense contractors, think tanks and non-governmental organizations through the hack, which relied on leased virtual private servers inside the U.S.
Some villains breaching America’s defenses are operating at the direction of foreign adversaries. Others are given safe harbor by foreign foes.
To maintain their criminal enterprise, cyberattackers may choose to make compromises to survive. For example, DarkSide does not encrypt data in its attacks if it detects systems using certain languages, such as Russian, Ukrainian and Belarusian, among several others, according to Mr. Callow.
Deterring nation-states is difficult and the attribution needed to effectively shame cyberattackers is often messy. The federal government is intent on fighting back, however, and Mr. Biden issued a cybersecurity executive order Wednesday seeking to bolster defenses of U.S. digital networks and cloud storage.
The Justice Department recently created a ransomware task force to review the issue with input from its criminal division, national security division and U.S. Attorney offices.
In January, the Justice Department disrupted NetWalker ransomware, which the department said found victims in hospitals, schools and companies. NetWalker also operates on a ransomware-as-a-service model with developers and affiliates.
Delivering a blow to cybercrime, the Justice Department recently indicted Sebastien Vachon-Desjardins, a Canadian national who allegedly netted more than $27.6 million through NetWalker ransomware schemes.
The department also announced seizing more than $450,000 in cryptocurrency from ransomware payments as part of its actions against NetWalker.
Future moves against cyberattackers likely will require international cooperation. The Justice Department, for example, partnered with Bulgaria in the NetWalker investigation.
Mr. Biden on Thursday said his administration is working on international standards to get countries to crack down on cybercriminals within their borders.
• Tom Howell Jr. contributed to this report.