The DarkSide hackers that closed the Colonial Pipeline have bagged more than $90 million in Bitcoin ransom payments from 47 victims and have infected at least 99 companies in the last year.
Blockchain analytics firm Elliptic said DarkSide’s Bitcoin wallet received millions of dollars worth of ransom payments in the nine months between October last year and last week when the wallet shut down.
Roughly half of all organizations targeted by the cybercriminal gang paid ransom money with the average payment being around $1.9 million, Elliptic said.
Dark web intelligence firm DarkTracer has identified 99 organizations that were infected with DarkSide, including fashion label Guess and car firm Toshiba. It is not clear which companies paid the hackers ransom money.
Officials labeled the Colonial Pipeline attack the most disruptive cyberattack on US energy infrastructure in history.
The issues continue to rumble on, with the company admitting network issues are now preventing shippers from planning upcoming shipments of fuel even after the pipeline resumed service.
The FBI named DarkSide as being behind the attack, and Colonial reportedly bowed to the hackers’ demands, paying a $5 million ransom in exchange for a decryption key to restore access to its servers.
Elliptic said on Friday it had identified the Bitcoin wallet used by DarkSide to collect ransom payments from victims of its cyber attacks and that it showed a 75 Bitcoin payment had been made by Colonial Pipeline on May 8.
The company said in a blog post Tuesday that it had used blockchain analysis to examine all wallets used by the cybercriminal gang over the past nine months.
It found 47 payments made by separate wallets to those used by the hackers.
DarkSide bagged the most ransom money in February when it got more than $20 million in payments from 11 victims.
May was set to be another record month, Elliptic said, with around 7 payments totaling almost $15 million before the gang reportedly shut down its operations on May 13 and its wallet was emptied.
DarkTracer identified dozens of organizations infected with DarkSide malware prior to the attack on Colonial.
The dark web intelligence firm published its intelligence report on ransomware gangs on Twitter this week, showing a list of 2,203 victims attacked by 34 different gangs.
A total of 99 of these companies fell victim to DarkSide attacks.
This indicates that almost half – 47 percent – of victims paid a ransom to DarkSide and the average payment was $1.9 million.
Companies hacked by DarkSide in the last year include fashion brand Guess and car giant Toshiba France, according to DarkTracer’s database.
Guess was targeted in February 2021 and Toshiba in May, according to the database.
Toshiba’s French subsidiary announced last week its Toshiba Tec Corp unit – which makes barcode printers and is valued at $2.3 billion – had been hacked by DarkSide.
DailyMail.com contacted Guess and Toshiba for comment.
Toshiba said only a minimal amount of work data had been lost.
DarkTracer’s database also shows that the hackers targeted companies across a range of industries and sectors including car rental company Discountcar.com, plastic supplier Piedmont Plastics, California-based finance company Oak Valley Community Bank and Guernsey-based ferry company Condor Ferries.
It is not clear which organizations paid ransom money to DarkSide. There is no indication any of these companies did so.
Elliptic said the total ransom money accrued by DarkSide could be even larger as there may be other payments its analysis has not yet uncovered.
Of the more than $90 million identified, $15.5 million went to DarkSide’s developer and the remaining $74.7 million went to its affiliates, Elliptic said.
This is because DarkSide operates what is called a ‘Ransomware as a Service’ (RaaS) business model.
RaaS means there is a ransomware developer who creates the harmful malware and then sells it to others known as ransomware affiliates.
The ransomware affiliates then use the malware to carry out the attacks on the target systems.
The affiliates also deal with negotiating the ransom payment with the victim.
This hacking model benefits both parties. The affiliate is able to cash in on hacking without having the technical expertise to create the malware in the first place.
Meanwhile, the developer is able to take a hands-off approach to the hacking of the target but still get a cut of the ransom money.
Under this arrangement, the affiliate takes a much larger chunk than the developer.
DarkSide’s developer was taking 25 percent for ransoms less than $500,000, reducing to 10 percent of the money when the ransom was greater than $5 million, Elliptic reported.
Based on this, the reported $5 million ransom money paid by Colonial Pipeline was split with the developer taking $500,000 and the affiliate or affiliates bagging the other $4.5 million.
Most ransom money paid to DarkSide was then sent to cryptoasset exchanges, reported Elliptic.
This is where the cryptocurrency can be swapped for standard currencies such as US dollars.
While many cryptoasset exchanges are legal and comply with regulations around money laundering, Elliptic found that most of DarkSide’s payments were sent to exchanges where regulations are not enforced.
Elliptic said DarkSide’s Bitcoin wallet contained $5.3 million worth of Bitcoin last week before the wallet was emptied and the gang ceased operations.
It is not clear whether the hackers drained the funds or whether they were seized by the US government.
US cyber security firm Recorded Future said that DarkSide had admitted in a web post that it lost access to certain servers used for its blog and for ransom payments.
Colonial Pipeline had been condemned by national security experts and members of Congress for reportedly paying $5 million ransom to DarkSide last week.
The FBI discourages companies and individuals from meeting criminal ransom demands, saying that it encourages further attacks.
The White House refused to comment on whether or not a ransom was paid.
DarkSide, which is believed to be based in Russia or Eastern Europe with ties to Russia, has not directly taken credit for the attack.
Biden last week said the criminal hacking gang was believed to be based in Russia but said the FBI does not believe Russian President Vladimir Putin was directly involved.
Meanwhile, the trouble isn’t yet over for Colonial Pipeline.
On Tuesday the organization said it was having network issues preventing shippers from planning upcoming shipments of fuel.
The disruption was caused by efforts by the company to harden its system as it restores service following the cyberattack, and was not the result of a reinfection of its network, Colonial said Tuesday.
The company did not say when the issue would be fixed, but said it was still delivering products that had already been scheduled by shippers.
The company blamed ‘the hardening efforts that are ongoing and part of our restoration process.’
Colonial Pipeline was taken offline on May 7, in a ransomware attack that forced the carrier of 45 percent of fuel to the East Coast to shut its entire network.
The hack sparked concerns of a national fuel crisis with thousands of gas stations running out of fuel and motorists racing to fill up their cars.
As of Tuesday, more than 10,600 filling stations were still without fuel, according to tracking firm GasBuddy, down from more than 16,000 at the peak last week.
A staggering 70 percent of gas stations in Washington DC were still without fuel, down from 90 percent over the weekend, as were nearly half in North Carolina, according to GasBuddy.
In South Carolina, 43 percent of gas stations were dry, followed by 38 percent in Georgia and 27 percent in Virginia.
The national average price of gas dropped slightly on Tuesday to $3.043, after breaking $3 for the first time since 2014, according to the AAA Gas Price Index.
Joe Biden has vowed to put in measures to strengthen the US’s cybersecurity defenses following the record attack.
Other organizations infected by DarkSide malware:
Kilpatrick Townsend & Stockton
T.E.D. COM GMBH
IRLE DEUZ GmbH
Oak Valley Community Bank
Home Hardware Stores
Stone Pigman Walther Wittmann, LLC
Jacoby and Jacoby
Mirion Technologies Inc.
Schiller DuCanto and Fleck
Bock and Hatch
Swift Real Estate Partners LLC – Finance, HR, Statement, Internal Information, other.
Abu Issa Holding LLC
OMV System France
STAAB and KOLLEGEN
HEUSSEN Rechtsanwaltsgesellschaft mbH
I-D Foods Corporation
Kens Foods Inc.
Certilman Balin Adler & Hyman
JST Global, Acme-Hardesty
Cuddy & Feder LLP
Hunt and Walsh
Baker & Taylor
BTU International, Inc.
All American Asphalt
Irving Materials, Inc.