A crime forum is holding a quasi-judicial proceeding against the makers of DarkSide, the ransomware that shut down Colonial Pipeline two weeks ago, to hear claims from former affiliates who say the makers skipped town without paying. Or, at least that’s what members of crime forum XSS.is want us all to believe.
A Russian-speaking person using the handle “darksupp” took to XSS.is in November to recruit affiliates for DarkSide, researchers at security firm FireEye said recently. At the time, DarkSide was the new ransomware-as-a-service (RaaS) on the block, and it was in search of business partners.
Since then, DarkSide has cashed in spectacularly. According to newly released figures from cryptocurrency tracking firm Chainalysis, DarkSide netted at least $60 million in its first seven months, with $46 million of it coming in the first three months of this year.
DarkSide made another $10 million this month, with $5 million coming from Colonial Pipeline and $4.4 million from chemical distribution company Brenntag. Last week, DarkSide suddenly went dark. A post attributed to darksupp said his group had lost control of its infrastructure and its considerable holdings of bitcoin.
“At the moment, these servers cannot be accessed via SSH, and the hosting panels have been blocked,” the post stated. “The hosting support service doesn’t provide any information except ‘at the request of law enforcement authorities.’ In addition, a couple of hours after the seizure, funds from the payment server (belonging to us and our clients) were withdrawn to an unknown account.”
DarkSide hasn’t been heard from since.
Under the terms of the deal struck on XSS, DarkSide pays affiliates 75 percent of ransoms that are less than $500,000. The cut rises to 90 percent for ransoms higher than $5 million. But according to multiple DarkSide affiliates on XSS, the RaaS provider has absconded without honoring its commitments. The affiliates have been asking to be reimbursed from a deposit, with a balance of about $900,000, that DarkSide was required to place with XSS.
Here are three such posts. Notice judicial terms such as “plaintiff” and “defendant.”
It’s not surprising that XSS organizers would police their site in precisely the way seen in these discussions. After all, the cybercrime economy is booming, but for XSS to cash in, the forum has to be viewed as operating on a level playing field. Ultimately, though, it’s impossible to know if these proceedings are for real or just an act.
“This is a community of cybercriminals who know their forum is being monitored by LE, security companies and the press,” Brett Callow, threat analyst with security firm Emsisoft, said. “It’s highly likely that some communications are made solely to confuse issues. Smoke and mirrors.”
With DarkSide having disrupted gasoline supply for huge swaths of the US two weeks ago, the FBI will no doubt bring the full force of its might to bear on this enterprise if it gets the chance. DarkSide's owners are no doubt feeling the heat, even if the ransomware court proceedings are just an act.