An analytics firm identified the bitcoin wallet used by the ransomware group behind the Colonial Pipeline attack and the massive payments received from victims.

The gang’s wallet received a 75 BTC (bitcoin) payment, or roughly $5 million, made by Colonial Pipeline on May 8 following the cyberattack on its operations, according to a report from blockchain analytics firm Elliptic.

The Colonial Pipeline shutdown led to widespread fuel shortages in the U.S. and has been described as the worst cyberattack on critical U.S. infrastructure to date. DarkSide, which the FBI confirmed as being behind the attacks, is believed to have originated in Eastern Europe, likely Russia. The group's ransomware was first spotted in August 2020.

Motorists use gas pumps at a refueling station on May 12, 2021 in Benson, North Carolina. Most stations in the area along I-95 were without fuel following the Colonial Pipeline hack. 

The firm also tracked a ransomware bitcoin payment made by Brenntag, a large chemical distribution company in Germany, totaling roughly $ 4.4 million.

The group's wallet has been active since March 4, 2021, and has received 57 payments from 21 different wallets, according to Elliptic.

In total, the DarkSide wallet received Bitcoin transactions since March totaling $17.5 million, Elliptic said. The firm said the majority of the payment was moved out the wallet on May 9.

A portion of the payments was sent to a small group of exchanges. One exchange was identified as Hydra, "the world’s largest darknet marketplace, servicing customers in Russia and neighboring countries," according to Elliptic.

Hydra offers "cash-out services" along with narcotics, hacking tools and fake IDs, the report said.

"These allow Bitcoin to be converted into gift vouchers, prepaid debit cards or cash Rubles. If you’re a Russian cybercriminal and you want to cash-out your crypto, then Hydra is an attractive option," Elliptic said.

Massive payments

DarkSide, which has since claimed it would cease operations, brought in a cool $90 million in just nine months from an estimated 47 victims, according to another report from Elliptic.

So far, 99 organizations have been infected with the DarkSide ransomware, "suggesting that approximately 47% of victims paid a ransom, and that the average payment was $1.9 million," Elliptic said, citing a tweet by DarkTracer.

Because of the large sums paid out by victims, ransomware has evolved into a big business that mirrors traditional business models.

DarkSide is a prime example of Ransomware as a Service (RaaS), Elliptic said, echoing longstanding legitimate models such as SaaS or Software as a Service.

"In this operating model, the malware is created by the ransomware developer, while the ransomware affiliate is responsible for infecting the target computer system and negotiating the ransom payment with the victim organization," Elliptic said.

"This new business model has revolutionized ransomware, opening it up to those who do not have the technical capability to create malware, but are willing and able to infiltrate a target organization," according to the analytics firm.