The DarkSide ransomware group responsible for the recent cyberattack that forced the US energy firm Colonial Pipeline to shut down its fuel distribution pipeline received a total of $90 million in Bitcoin ransom payments before the gang shut down its operation last week.
According to the blockchain analytics firm Elliptic, DarkSide's Bitcoin wallet received $90 million from 47 Bitcoin payments in the last nine months. DarkTracer's research shows that 99 organizations have been infected with the DarkSide malware, suggesting that approximately 47% of victims paid a ransom and that the average payment was $1.9 million.
DarkSide operates what’s known as a “ransomware as a service” (RaaS) business model, which means the hackers develop and market ransomware tools and sell them to other threat actors who then carry out attacks.
“Any ransom payment made by a victim is then split between the affiliate and the developer. In the case of DarkSide, the developer reportedly takes 25% for ransoms less than $500,000, but this decreases to 10% for ransoms greater than $5 million … In total, the DarkSide developer has received bitcoins worth $15.5 million (17%), with the remaining $74.7 million (83%) going to the various affiliates,” Elliptic said.
Elliptic also said it had identified the Bitcoin wallet used by DarkSide to collect ransom payments from victims of its ransomware campaigns and that it showed a 75 Bitcoin payment had been made by Colonial Pipeline on May 8.
February was the most profitable month of the last nine for DarkSide, when the hackers received over $20 million in ransom payments from 11 victims. May was set to be another record month, Elliptic said, with around 7 payments totaling almost $15 million before the gang reportedly lost control over its public infrastructure and all funds from its wallet were transferred to an unknown address. The group then reportedly shut down its operations on May 13.