A crime forum is holding a quasi-judicial proceeding against the makers of DarkSide, the ransomware that shut down Colonial Pipeline two weeks ago, to hear claims from former affiliates who say the makers skipped town without paying. Or at least that’s what members of crime forum XSS.is want us all to believe.
A Russian-speaking person using the handle “darksupp” took to XSS.is in November to recruit affiliates for DarkSide, researchers at security firm FireEye said recently. At the time, DarkSide was the new ransomware-as-a-service on the block, and it was in search of business partners.
Since then, DarkSide has cashed in spectacularly. According to newly released figures from cryptocurrency tracking firm Chainalysis, DarkSide netted at least $60 million in its first seven months, with $46 million of it coming in the first three months of this year.
DarkSide made another $10 million this month, with $5 million coming from Colonial Pipeline and $4.4 million from chemical distribution company Brenntag. Last week, DarkSide suddenly went dark. A post attributed to darksupp said his group had lost control of its infrastructure and its considerable holdings of bitcoin.
“At the moment, these servers cannot be accessed via SSH, and the hosting panels have been blocked,” the post stated. “The hosting support service doesn’t provide any information except ‘at the request of law enforcement authorities.’ In addition, a couple of hours after the seizure, funds from the payment server (belonging to us and our clients) were withdrawn to an unknown account.”
DarkSide hasn’t been heard from since.
Under the terms of the deal struck on XSS, DarkSide pays affiliates 75 percent of ransoms that are less than $500,000. The cut rises to 90 percent for ransoms higher than $5 million. But according to multiple DarkSide affiliates on XSS, the RaaS provider has absconded without honoring its commitments. The affiliates have been asking to be reimbursed from a deposit of about $900,000 that DarkSide was required to make with XSS.
Here are three such posts. Notice…