Colonial Pipeline hackers DarkSide received US$90 million in payments: report

Ransomware attacks have hit the headlines in Aotearoa this week with Waikato DHB's systems suffering a 'full outage'.

The hacker group responsible for the ransomware attack on the Colonial Pipeline in the US received US$90 million in bitcoin payments in the last nine months alone, according to reports.

DarkSide, which announced last week it was halting operations after its servers were seized, received a 75 bitcoin payment from the operators of the pipeline shortly before shutting down.

The pipeline is nearly 9000km long and can carry three million barrels of refined oil products per day, around 45 percent of the fuel for the east coast of the US. Its shutdown caused fuel price spikes and shortages.

Blockchain analytics firm Elliptic, the first to identify the bitcoin wallet used by the ransomware group, expanded its analysis to look at other victims and identified 47 out of 99 organisations infected by DarkSide's malware paying ransoms totalling US$90m.

DarkSide is an example of Ransomware-as-a-Service (RaaS), wrote Elliptic's co-founder and chief scientist Dr Tom Robinson.

"In this operating model, the malware is created by the ransomware developer, while the ransomware affiliate is responsible for infecting the target computer system and negotiating the ransom payment," he wrote.

"This new business model has revolutionised ransomware, opening it up to those who do not have the technical capability to create malware, but are willing and able to infiltrate a target organisation."

Cyber intelligence firm Intel 471, in a blog post on its website, indicated that the closing of DarkSide may not be the end of the line.

"A strong caveat should be applied to these developments: it's likely that these ransomware operators are trying to retreat from the spotlight more than suddenly discovering the error of their ways," the post says.

"A number of the operators will most likely operate in their own close-knit groups, resurfacing under new names and updated ransomware variants. Additionally, the operators will have to find a new way to 'wash' the cryptocurrency they earn from ransoms."

Ransomware has come into focus in Aotearoa this week after Waikato District Health Board's (DHB) phone and computer system suffered a "full outage", with chief executive Kevin Snee alluding to it being ransomware.

"Health systems cannot afford downtime - it's essential they're available in order to treat people," Brett Callow, a threat analyst with New Zealand-based cybersecurity company Emsisoft, told Newshub.

"The hackers know that and believe it maximises their chances of a payout."

Snee told Stuff that no ransom would be paid.