Cybercriminals are doing press releases

… and unlike 99% of press releases these actually tell you something and are worth reading

DarkSide is a Russian based ransomware group which on May 7th 2021 shut down the East Coast US fuel pipeline network owned by Colonial Pipeline. The group’s ransomware was used to lock up the pipeline network with damaging consequences for economic activity in serval US states. DarkSide are the classic crime as a service (CaaS) outfit, renting their capacity to clients and offering service support to victims to make paying the ransom easier. CaaS is a business model where the crime group provides the tools to engage in ransomware attacks, such as the hacking and encryption system and cashing out services. Its clients take the risk and the group take a cut of the profit.

The attack was the culmination in a growing series of infrastructure attacks. They issued a statement clarifying that it is not involved with the Russian government. They were very keen to say they were motivated by money rather than politics:

’We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives.

Our goal is to make money, and not creating problems for society.

From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences for the future’. 10/5/2021

The group seems keen to start at least appearing like it is limiting its operators to less ethically and politically charged targets. The Bleeping Computer article linked below shows the extent to which an international CaaS operator has to operate in a tricky geopolitcal climate. It attempted to shift its hosting operations to Iran in 2020. However that create a problem for it. The companies who would pay the ransom and the outfits that negotiate payments such as Coveware would then be guilty of violating US led sanctions against Iran. No profit! That may explain why they are so keen to distance themselves from the Russian government and to assert that they will limit their operations. The latter statement just reasserts a claim they made in 2020 however so there may be more chaff than anything else here. The outfit does have an interest in targeting organisations who can pay and so this seems like a fairly rational response to embarrassment caused by misbehaving clients and an attempt to protect its business model.

https://www.bleepingcomputer.com/news/security/darkside-ransomware-will-now-vet-targets-after-pipeline-cyberattack/