DarkSide is a ransomware gang that quickly made waves in the cybersecurity world with a range of high-profile attacks. After first notifying the world of their operations in an August 2020 dark web press release, the gang’s members have drawn attention by landing some big paydays. This article assesses DarkSide’s operations and highlights four high-profile attacks carried out by the gang.
DarkSide: Operations and Ransomware Analysis
Like most of today’s most well-known ransomware gangs, DarkSide operates a Ransomware as a Service (RaaS) model in which affiliates that help spread the group’s malicious code receive a cut of the commission from any ransom payment. The group’s members are believed to be based in Russia
Double extortion is another feature of DarkSide’s operations that is shared by several other ransomware gangs. A leak site operates as an outlet for publishing victims’ stolen data if they refuse to pay the required ransom. The potential reputational hit from having sensitive customer data published online often serves as the impetus for victims to pay up. This method of extortion pairs with the traditional ransomware extortion in which victims need to pay a sum of money to remove the encryption from affected systems.
The gang targets large companies that can afford substantial payouts. Interestingly, and in contrast to a gang like Conti, DarkSide has publicly announced an unwillingness to target organizations such as hospitals, schools, and non-profits. DarkSide’s minor demonstration of something resembling empathy indicates a line drawn by the gang between pursuing profit above all and garnering a worse reputation for targeting vulnerable sectors.
As far as the technical details of DarkSide attacks go, they can be quite sophisticated. Typically, threat actors gain an initial foothold in victims’ networks by exploiting remote access technology, such as remote desktop protocol (RDP). This initial foothold starts from either a password compromise enabling log in to a remote access account or by exploiting a vulnerability in the underlying software.
The next phase is command and control using an RDP client routed through the Tor web browser to maintain stealth, as the Tor browser makes it hard to distinguish between malicious and normal web traffic. Using the RDP client, threat actors then seek to move laterally to compromise other hosts, such as servers, especially those lacking detection and response capabilities.
Reconnaissance and credential harvesting are the next steps in the process. Hackers on compromised servers use tools to gather information about users, their credentials, and their privileges. From this information, credential harvesting tools dump password information for user accounts. Privilege escalation comes from hackers using harvested passwords to access administrative accounts.
Data mining and extraction complete the data exfiltration stage while PowerShell scripts delete shadow copies of files so that data can’t be restored from those copies. Finally, ransomware payloads are delivered along with unique executables and extensions that evade endpoint antivirus solutions. Victims are met with an ID they can use to access DarkSide’s website and make the requested ransom payment.
High-Profile DarkSide Attacks
The Colonial Pipeline is a 5,500-mile pipeline spanning from its origin in Houston to the Port of New York and New Jersey. The pipeline’s operator, Colonial Pipeline Company, earned $1.3 billion in 2020 alone.
In May 2021, DarkSide set the pipeline in its sights and managed to infiltrate Colonial Pipeline’s IT network using VPN account credentials stolen in a previous data breach. What followed was one of 2021’s biggest cybersecurity stories. Colonial Pipeline engaged in emergency procedures to contain the attack, which meant shutting down the normal operations that ensure a smooth supply of gasoline, diesel, and jet fuel.
After six days of operational disruption and a degree of chaos at filling stations, the pipeline resumed normal operations. DarkSide received a ransom payment in Bitcoin worth $4.4 million. The FBI has since helped to partially recover $2.3 million worth of Bitcoin by obtaining the private key for the gang’s ransom account.
CompuCom is a US-based technology company that provides end-to-end managed services. CompuCom was acquired for $1 billion in 2017 by Office Depot. In March 2021, the company became the latest victim of a DarkSide ransomware attack that impacted its service delivery for up to 16 days.
Details remain sketchy about the initial infiltration of CompuCom’s network. However, a company FAQ about the incident confirmed the use of Cobalt Strike, a common penetration testing tool, to conduct stealthy command and control operations.
CompuCom estimated the total cost of this attack at $28 million. These costs include lost revenue of between $5 million and $8 million due to service disruptions.
Toshiba Tec Group
Toshiba Tec Corp is a strong-performing business unit belonging to the Japanese multinational conglomerate with a $2.3 billion valuation. This incident went a little bit under the radar because it happened right around the time of the Colonial Pipeline attack.
An official company comment mentioned that the extent of the attack was limited to some European regions. Containment and backup measures were enacted to limit the ability of the ransomware to spread. A Reuters report indicated that the threat actors managed to exfiltrate up to 740 gigabytes of data, some of which was sensitive.
Coinciding with the Colonial Pipeline incident, the targeting of two high-revenue organizations so close in time to each other demonstrates the scale of DarkSide’s operations. One senior malware analyst pointed out that, “there are around 30 groups within DarkSide that are attempting to hack companies all the time”.
The Future of DarkSide
The governmental intervention and skyrocketing publicity brought about by the Colonial Pipeline attack led to the gang’s May 2021 announcement that it was ceasing operations. The heat from law enforcement resulted in an unnamed government seizing the group’s servers and other infrastructure.
As is often the case, the spotlight from law enforcement doesn’t necessarily mean the end of a ransomware gang’s operations. A new operation named BlackMatter emerged just under two months later carrying the hallmarks of DarkSide’s encryption methods. This unique encryption algorithm was not widely used by other ransomware gangs.
Security researchers also speculate that the similarities in the color palette and language used on the BlackMatter website further identify this new operation as a rebranding of DarkSide. It’s worth keeping an eye on future cyber attacks conducted by BlackMatter to see whether the victim profile also matches that of DarkSide.
Tips for Preventing DarkSide Attacks
The following actions can help to prevent your organization from becoming the next victim of a ransomware gang like DarkSide:
- Deploy an API-based email security solution to detect and remediate advanced phishing attacks
- Avoid exposing ports to the public Internet for remote desktop connections
- For anyone connecting to the network using remote access technology, put multifactor authentication in place so that hacking passwords isn’t enough to gain a foothold
- Have a lockout policy in place that locks users out from their remote access or VPN accounts after a certain number of incorrect password attempts
- Establish a patch management policy that ensures all software and operating systems are kept up to date with the latest security fixes
- Get comprehensive endpoint detection and response across your entire endpoint inventory; not just some of your endpoints
- Regularly back up important data and store this data in an isolated location offline and disconnected from your network
To learn more about IRONSCALES’ award-winning anti-phishing solution, please sign up for a demo today.