“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for our motives,” it said in a statement posted on its website. “Our goal is to make money and not creating problems for society.”

The group seemed somewhat surprised that its actions resulted in closing a major pipeline and suggested that perhaps it would avoid such targets in the future.

“From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future,” the group said, though it was unclear how it defined “moderation.”

DarkSide is a relative newcomer to the ransomware scene, what Ms. Neuberger called “a criminal actor” that hires out its services to the highest bidder, then shares “the proceeds with ransomware developers.” It is essentially a business model in which some of the ill-gotten gains are poured into research and development on more effective forms of ransomware.

The group often portrays itself as a sort of digital Robin Hood, stealing from companies and giving to others. DarkSide says it avoids hacking hospitals, funeral homes and nonprofits, but it takes aim at large corporations, at times donating its proceeds to charities. Most charities have turned down its offers of gifts.

One clue to DarkSide’s origins lies in its code. Private researchers note DarkSide’s ransomware asks victims’ computers for their default language setting, and if it is Russian, the group moves along to other victims. It also seems to avoid victims that speak Ukrainian, Georgian and Belarusian.

Its code bears striking similarities to that used by REvil, a ransomware group that was among the first to offer “ransomware as a service” — essentially hackers for hire — to hold systems hostage with ransomware.

“It appears this was an offshoot that wanted to go into business for themselves,” said Jon DiMaggio, a former intelligence community analyst who is now the chief security strategist of Analyst1. “To get access to REvil’s code, you’d have to have it or steal it because it’s not publicly available.”

DarkSide makes smaller ransom demands than the eight-figure sums that REvil is known for — somewhere from $200,000 to $2 million. It puts a unique key in each ransom note, Mr. DiMaggio said, which suggests that DarkSide tailors attacks to each victim.

“They’re very selective compared to most ransomware groups,” he said.
