A new report from blockchain analytics firm Elliptic has found that the Darkside ransomware group, which has been in the news for its recent attack on the Colonial Pipeline, brought in $90 million in Bitcoin from an estimated 47 victims.
In a blog post on Tuesday, Elliptic co-founder and chief scientist Tom Robinson said the $90 million in ransom payments came from 47 different wallets over the last nine months, indicating that almost half of DarkSide victims paid a ransom. At least 99 organizations have reported being attacked by DarkSide, according to data from DarkTracer.
The figures mean that on average, victims of the group paid about $1.9 million in ransoms, with the peak coming in February. The group brought in more than $20 million in Bitcoin that month and were on track to beat their record in May before they allegedly shut down their operations following the outcry over the Colonial attack.
Elliptic’s research showed that DarkSide’s developers have designed a detailed framework for how ransoms are split.
DarkSide and other ransomware groups have pioneered the ransomware-as-a-service model, where the developers of the malware can effectively outsource the actual hacking and infecting of a target and then split whatever ransom comes in. The practice has democratized ransomware use, allowing less experienced cybercriminals to get in on the scam without any of the technical know-how.
Robinson wrote that the developers of DarkSide take a 25% cut of all ransoms that are less than $500,000 and a 10% cut of ransoms that are more than $5 million. He said it was clear to see how the ransoms were split among different Bitcoin wallets on the blockchain.
The “developer” behind DarkSide has brought in at least $15.5 million while the other $74.7 million has gone to subcontractors or affiliates, according to Robinson.
Elliptic is able to track the money all the way to unregulated cryptoasset exchanges, where the Bitcoin is exchanged for other cryptocurrencies.
While the group made a public show of disbanding last week following increased scrutiny from U.S. law enforcement, many cybersecurity experts were sceptical, noting that it is commonplace for ransomware gangs to close shop only to resurface months later under a new name.