Secret chats show how cybergang became a ransomware powerhouse

MOSCOW — Just weeks before the ransomware gang known as DarkSide attacked the owner of a major U.S. pipeline, disrupting gasoline and jet fuel deliveries up and down the East Coast of the United States, the group was turning the screws on a small, family-owned publisher based in the Midwest.

Working with a hacker who went by the name of Woris, DarkSide launched a series of attacks meant to shut down the websites of the publisher, which works mainly with clients in primary school education, if it refused to meet a $1.75 million ransom demand. It even threatened to contact the company’s clients to falsely warn them that it had obtained information the gang said could be used by pedophiles to make fake identification cards that would allow them to enter schools.

Woris thought this last ploy was a particularly nice touch.

“I laughed to the depth of my soul about the leaked IDs possibly being used by pedophiles to enter the school,” he said in Russian in a secret chat with DarkSide obtained by the New York Times. “I didn’t think it would scare them that much.”

DarkSide’s attack on the pipeline owner, Georgia-based Colonial Pipeline, did not just thrust the gang onto the international stage. It also cast a spotlight on a rapidly expanding criminal industry based primarily in Russia that has morphed from a specialty demanding highly sophisticated hacking skills into a conveyor-beltlike process. Now even small-time criminal syndicates and hackers with mediocre computer capabilities can pose a potential national security threat.

Where once criminals had to play psychological games to trick people into handing over bank passwords and have the technical know-how to siphon money out of secure personal accounts, now virtually anyone can obtain ransomware off the shelf and load it into a compromised computer system using tricks picked up from YouTube tutorials or with the help of groups like DarkSide.

“Any doofus can be a cybercriminal now,” said Sergei Pavlovich, a former hacker who served 10 years in prison in his native Belarus for cybercrimes. “The intellectual barrier to entry has gotten extremely low.”

A glimpse into DarkSide’s secret communications in the months leading up to the Colonial Pipeline attack reveals a criminal operation on the rise, pulling in millions of dollars in ransom payments each month.

DarkSide offers what is known as “ransomware as a service,” in which a malware developer charges a user fee to so-called affiliates like Woris, who may not have the technical skills to actually create ransomware but are still capable of breaking into a victim’s computer systems.

DarkSide’s services include providing technical support for hackers, negotiating with targets like the publishing company, processing payments, and devising tailored pressure campaigns through blackmail and other means, such as secondary hacks to crash websites. DarkSide’s user fees operated on a sliding scale: 25% for any ransoms less than $500,000 down to 10% for ransoms over $5 million, according to the computer security firm, FireEye.

As a startup operation, DarkSide had to contend with growing pains, it appears. In the chat with someone from the group’s customer support, Woris complained that the gang’s ransomware platform was difficult to use, costing him time and money as he worked with DarkSide to extort cash from the U.S. publishing company.

“I don’t even understand how to conduct business on your platform,” he complained in an exchange sometime in March. “We’re spending so much time when there are things to do. I understand that you don’t give a crap. If not us, others will bring you payment. It’s quantity not quality.”

The Times gained access to the internal “dashboard” that DarkSide customers used to organize and carry out ransom attacks. The login information was provided to the Times by a cybercriminal through an intermediary. The Times is withholding the name of the company involved in the attack to avoid additional reprisals from the hackers.

Access to the DarkSide dashboard offered an extraordinary glimpse into the internal workings of a Russian-speaking gang that has become the face of global cybercrime. Cast in stark black and white, the dashboard gave users access to DarkSide’s list of targets as well as a running ticker of profits and a connection to the group’s customer support staff, with whom affiliates could craft strategies for squeezing their victims.

The dashboard was still operational as of May 20, when a Times reporter logged in, even though DarkSide had released a statement a week earlier saying it was shutting down. A customer support employee responded almost immediately to a chat request sent from Woris’ account by the Times reporter. But when the reporter identified himself as a journalist, the account was immediately blocked.