DarkSide, the hacker group behind the Colonial Pipeline ransomware attack earlier this month, received $90 million in bitcoin payments following a nine-month ransomware spree, making it one of the most profitable cybercrime groups.
"In total, just over $90 million in bitcoin ransom payments were made to DarkSide, originating from 47 distinct wallets," blockchain analytics firm Elliptic said. "According to DarkTracer, 99 organisations have been infected with the DarkSide malware - suggesting that approximately 47% of victims paid a ransom, and that the average payment was $1.9 million."
Of the total $90 million haul, DarkSide's developers are said to have received $15.5 million in bitcoin, while the remaining $74.7 million was split among the group's affiliates. That ratio matches FireEye's earlier research into DarkSide's affiliate program, which found that the ransomware's creators take a 25% cut of payments under $500,000 and 10% of ransoms above $5 million, leaving the lion's share of each payment to the recruited partner who carried out the intrusion.
Elliptic co-founder and chief scientist Dr. Tom Robinson said the "split of the ransom payment is very clear to see on the blockchain, with the different shares going to separate Bitcoin wallets controlled by the affiliate and developer."
What's more, the analysis of blockchain transactions showed that the syndicate took in $17.5 million in the past three months alone, and that roughly 10% of its total proceeds came from just two recent payouts: chemical distribution company Brenntag (nearly $4.4 million) and Colonial Pipeline. The Georgia-headquartered pipeline operator paid 75 bitcoins (about $4.4 million as of May 8) to regain access to its systems, CEO Joseph Blount told the Wall Street Journal.
DarkSide, which went operational in August 2020, is one of many groups that operate as a service provider for other threat actors, or "affiliates," who use its ransomware to extort targets in exchange for a cut of the profits. Affiliates typically steal a victim's data before encrypting it and then threaten to publish the stolen files unless the ransom is paid, a tactic known as double extortion.
But in a sudden turn of events, the prolific cybercrime cartel last week announced plans to wind up its Ransomware-as-a-Service (RaaS) affiliate program for good, claiming that its servers had been seized by law enforcement. Its bitcoin wallet was also emptied to an unknown account.
The fallout from the biggest known cyberattack on the U.S. energy industry is only the latest example of how a spate of ransomware incidents is increasingly disrupting the operations of critical infrastructure and emerging as a national security threat. The events have also turned the spotlight on the need for strategies that keep vital functions running in the event of a significant cyber disruption.