DarkSide is a ransomware strain that threat actors have used against numerous businesses. Victims have their sensitive data encrypted and stolen, and are threatened with public release of that data if the ransom demand is not met.
The strain has been active since August 2020 and was used in the May 2021 attack on Georgia-based Colonial Pipeline, which caused a severe fuel supply disruption along the United States East Coast. The malware is offered to affiliates as ransomware-as-a-service (RaaS) and, like other prominent ransomware operations, uses double extortion (file encryption combined with data theft) and is deployed on compromised networks through hands-on-keyboard intrusion rather than automatic spreading. Recent reports state that the threat actors behind DarkSide are of Russian origin and are likely former affiliates of the REvil RaaS group.
DarkSide typically targets high-revenue businesses. Over time, additional victims have been identified through incident response engagements and posts on the DarkSide leak blog. Most were located in the United States and spanned a range of industries, including financial services, legal, manufacturing, professional services, retail, and technology.
DarkSide and its affiliates deliver the ransomware using the same human-operated approach as other ransomware groups that have plagued businesses in recent years. That is, attackers gain access to a network by one of several routes, often stolen credentials, and then move laterally by hand using a mix of legitimate system administration and penetration testing tools.
The objective is to map the network to identify critical servers, escalate privileges, obtain domain administrator credentials, disable and delete backups, exfiltrate sensitive data, and only then push the ransomware to as many systems as possible at once. This deliberate, targeted approach is far more effective, and harder to defend against, than self-propagating ransomware that relies on built-in spreading routines, which can fail or trip detection controls.
Read: How to identify sensitive data on our blog for more information.
Each DarkSide affiliate may use a different strategy to gain an initial foothold. The techniques mirror those of other ransomware groups: buying stolen credentials on underground markets, brute-forcing or credential-stuffing exposed remote access services, purchasing access to machines already infected with botnet malware such as Dridex, TrickBot, or Zloader, and so on. Initial access is also obtained through phishing emails carrying malicious attachments that drop a lightweight malware loader.
DarkSide encrypts victims' files with Salsa20, protecting the per-file keys with RSA-1024, and is reported to have a Linux variant. When run on Windows, the malware checks the system's language settings and, if the language belongs to a country in the former Soviet Bloc or its sphere of influence, skips encryption entirely. This is typical of malware written by groups based in the region, who avoid hitting local organizations so as not to attract the attention of local authorities.
According to Cybereason researchers, the malware then stops services whose names match the following strings: vss, sql, svc, memtas, mepocs, sophos, veeam, or backup. These cover backup components, such as the Windows Volume Shadow Copy Service (VSS), as well as security and database products. It then enumerates running processes and terminates them so that files they hold open can be encrypted. It also runs a PowerShell command to delete any existing volume shadow copies that could otherwise be used to recover files.
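The service-stop and shadow-copy-deletion steps above are the noisiest part of the pre-encryption phase and the best place to catch it. The following is an added detection example, not code from the original post or from any vendor mentioned on it: it runs over a few constructed process-creation log lines (a made-up `ts host= image= cmdline=` format), decodes a PowerShell `-EncodedCommand` payload so the WMI `Win32_ShadowCopy` deletion is visible in plaintext, and flags `net stop` / `sc stop` / `Stop-Service` calls whose target contains one of the service-name strings listed above. The `vssadmin` and `wmic` shadow-copy patterns go beyond what the post attributes to DarkSide; they are included because other ransomware families use them for the same effect. The sample script string and all log lines are constructed for the example.

```python
import base64
import re
from dataclasses import dataclass
from typing import Iterable

# Service-name strings the post says DarkSide stops before encrypting.
# Substring matching is an assumption here; "svc" and "sql" will be noisy
# on real telemetry and should be tuned to the services you actually run.
TARGET_SERVICES = ("vss", "sql", "svc", "memtas", "mepocs", "sophos", "veeam", "backup")

# Shadow-copy deletion patterns. The WMI Win32_ShadowCopy form is the PowerShell
# technique described on the page; vssadmin/wmic are added as the other common forms.
SHADOW_COPY_PATTERNS = (
    ("shadowcopy_delete_wmi_powershell",
     re.compile(r"win32_shadowcopy[\s\S]*?\.delete\s*\(", re.I)),
    ("shadowcopy_delete_vssadmin",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("shadowcopy_delete_wmic",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
)

# "net stop X", "sc stop X", "Stop-Service X" or "Stop-Service -Name X".
SERVICE_STOP = re.compile(
    r"\b(?:net1?(?:\.exe)?\s+stop|sc(?:\.exe)?\s+stop|stop-service(?:\s+-name)?)"
    r"\s+\"?([\w\-$]+)", re.I)

# PowerShell -e / -enc / -EncodedCommand <base64 of a UTF-16LE script>.
ENCODED_CMD = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)

# Constructed log format: "<ts> host=<name> image=<path> cmdline=<rest of line>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+image=(?P<image>\S+)\s+cmdline=(?P<cmd>.*)$")


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    detail: str


def decode_encoded_command(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload (if any) to the command line,
    so the shadow-copy patterns can match the plaintext script."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not a valid PowerShell payload; match on the raw line only
    return f"{cmdline} [decoded: {decoded}]"


def analyze_line(line: str) -> list[Alert]:
    """Return the alerts raised by a single process-creation log line."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    host, cmd = m["host"], decode_encoded_command(m["cmd"])
    alerts = [Alert(host, rule, cmd) for rule, pat in SHADOW_COPY_PATTERNS if pat.search(cmd)]
    for svc in SERVICE_STOP.findall(cmd):
        if any(t in svc.lower() for t in TARGET_SERVICES):
            alerts.append(Alert(host, "backup_or_security_service_stop", svc))
    return alerts


def analyze_log(lines: Iterable[str]) -> list[Alert]:
    return [a for line in lines for a in analyze_line(line)]


# Constructed sample: a DarkSide-style WMI shadow-copy deletion, base64/UTF-16LE
# encoded the way PowerShell -EncodedCommand expects it.
_SCRIPT = "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
_ENCODED = base64.b64encode(_SCRIPT.encode("utf-16-le")).decode()

SAMPLE_LOG = [
    "2021-05-07T10:12:01Z host=FS01 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "cmdline=powershell.exe -ep bypass -e " + _ENCODED,
    "2021-05-07T10:12:03Z host=FS01 image=C:\\Windows\\System32\\net.exe cmdline=net stop VeeamBackupSvc",
    "2021-05-07T10:12:04Z host=FS01 image=C:\\Windows\\System32\\sc.exe cmdline=sc stop MSSQLSERVER",
    "2021-05-07T10:12:05Z host=WS07 image=C:\\Windows\\System32\\net.exe cmdline=net stop Spooler",
    "2021-05-07T10:12:09Z host=WS07 image=C:\\Windows\\System32\\vssadmin.exe "
    "cmdline=vssadmin.exe delete shadows /all /quiet",
]

if __name__ == "__main__":
    for alert in analyze_log(SAMPLE_LOG):
        print(f"{alert.host}: {alert.rule} ({alert.detail})")
```

Run on the sample, this raises four alerts: the decoded WMI deletion and two service stops (VeeamBackupSvc, MSSQLSERVER) on FS01, and the vssadmin deletion on WS07; the Spooler stop is ignored. In production the same logic belongs in the SIEM or EDR rule engine, keyed on Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled, and a hit on any one of these rules on a file server warrants isolating the host before the encryptor finishes.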
DarkSide generates a unique ID for each victim and appends it to the extension of every encrypted file. Ransom demands range from a few hundred thousand dollars to several million, based on the attackers' assessment of the victim's size and annual revenue.
Software solutions such as SecurityShield continuously scan servers and endpoints for flaws in software design. SecurityShield discovers vulnerabilities, assesses their impact, classifies them, identifies the risks they pose, and generates a prioritized remediation plan to fix them. SecurityShield-DWS continuously monitors the dark web and alerts you when compromised data is found, while SecurityShield-DLP helps you understand where sensitive data resides and prevents it from falling into the wrong hands.