What is DarkSide ransomware, and how can you protect yourself from it?

When you think of hackers, the first thing that comes to mind is a shady room piled to the ceiling with beeping monitors and a bunch of people in dark hoodies drinking enormous amounts of energy drinks while writing mile-long code. But this picture is far from the truth. DarkSide is not just a group of people in a poorly lit room. It could be anyone in the world. DarkSide is people using ransomware developed by DarkSide to hack large companies.

DarkSide ransomware operated as RaaS, in other words, “ransomware-as-a-service.” By encrypting and stealing sensitive information from giant corporations, DarkSide asked for ransoms in Bitcoin and other cryptocurrencies. Furthermore, they established a well-working platform and offered real-time chat support, just like a legit corporation. Besides other cybercriminal hubs, DarkSide ran an affiliate program, providing tools and know-how to other cybercriminals. After every successful ransom, DarkSide would take its share of money, about 30% in fact.

Practices like spear phishing attacks and lookalike emails stuffed with malicious software are left aside. The DarkSide ransomware group operated like real corporate suits and left all the dirty work to the hackers. Once hackers exploited weaknesses in remote desktop protocols (RDP) and gained initial access to computer networks in organizations, DarkSide stepped in. Step-by-step unlocking administrative privileges, they gathered sensitive data and other essential information. After collecting and analyzing the stolen data, DarkSide employed a “double extortion” attack, where all the sensitive data was encrypted and downloaded, meaning the victim couldn’t reach their information. Furthermore, the DarkSide ransomware group threatened to expose the information on their Darkside Leaks website if the ransom was not paid in the given time.

A DarkSide cyber attack can be divided into two stages: the early stealth stage and the main attack, where ransomware is deployed. These stages are crafted to the most minor details, especially at the beginning of the crime. During the early reconnaissance stage, hackers snoop around the target’s system to ensure they can set up many possible attack vectors and evade potential detection. After the entry is successful, the techniques are standard.

Stealth tactics:

• Taking control over TOR.
• Node avoidance if EDR is running.
• Leaving riskier and noisier actions for later stages.
• Employment of a customized code and connection host.
• Setting up obfuscation techniques such as encoding and dynamic library loading.
• Deleting file logs in order to leave no footprint.

Later stages of the attack:

• Harvesting credentials stored in files, memory, and on domain controllers.
• Utilizing file shares to distribute attack tools and store file archives.
• Gaining sharing permissions for easy file harvesting.
• Deleting backups, including all shadow copies.
• Deployment of the customized ransomware.

In an ideal world, organizations should invest in proper cybersecurity, but the reality is far from perfect. Most keep their virtual doors wide enough for hackers to slip through. Some of the common areas that DarkSide ransomware exploits include:

• Direct connection with remote desktop protocol.
• Lack of two-factor authentication.
• Improperly configured and outdated firewalls.
• Weak passwords.

From its launch in the early 2020s, the DarkSide group has made over $90 million in Bitcoin ransom payments from various attacks. The DarkSide ransomware group is responsible for 99 ransomware incidents, but the numbers may be slightly higher. Here are a few cases that made headlines worldwide.

Colonial pipeline ransomware attack

Despite being the largest fuel pipeline operator in the U.S., Colonial Pipeline didn’t have reliable cybersecurity measures, shame on it, and thus became an easy target for the DarkSide ransomware group. After a major ransomware attack in 2021, Colonial Pipeline had to shut down major systems, and halted pipeline operations and IT systems for further investigations. The cost was high because shutting down 5,500 miles of pipeline, which carries 45% of the East Coast’s fuel supplies, wasn’t easy. The U.S. President declared a state of emergency, and after a few days, company executives decided to pay the $4.4 million ransom.

The Toshiba ransomware breach

Toshiba is a multi-billion Japanese tech giant that provides a vast array of services and products, like industrial and social infrastructure systems, escalators, elevators, and even printers, or IT solutions.

An official statement by the organization stated that the ransomware attack conducted by DarkSide was local, and limited to just one part of Europe. As a result, only small amounts of crucial data were stolen and encrypted. Luckily, DarkSide hackers didn’t crack down on the access to customer information. Despite that, Toshiba had to close networks between Japan and Europe to prevent further exploitation. Fortunately, Toshiba didn’t pay any ransom to DarkSide but had to halt its operations and launch an investigation, resulting in indirect monetary loss by the company.

The Brenntag ransomware attack

At the beginning of May 2021, Brenntag received hard-to-swallow news from DarkSide. The world-leading German chemical distribution company had been hacked!

During the attack, DarkSide claimed to have encrypted crucial devices and stolen about 150GB of unencrypted files. To prove it, they posted screenshots and various data descriptions on their DarkSide Leaks website. The attackers demanded a $7.5 million bitcoin ransom. However, the company paid a smaller $4.4 million ransom after some negotiations. After paying the ransom, the company received decryption keys and successfully secured the information from going public.

Like all ransomware attacks, DarkSide ransomware carries similar threats to companies and individuals alike. What separates DarkSide ransomware is its ability to “live off the land” (LOTL), a term meaning that intruders can exploit legitimate software in the network’s system and perform malicious activities that cause more damage than other attacks. Some common risks that DarkSide ransomware caries are listed below:

• Data encryption and data loss
• Reputation damage via information exposure
• Password stealing
• Operational disruptions
• Financial losses
• Continued cyber threat
• Intellectual property theft
• Regulatory and Legal Consequences
• Various supply chain impacts
• IT and security costs

The phenomenon of hacking groups is flourishing, and cases like DarkSide ransomware prove that the ransomware-as-a-service model is growing. Huge cybercrime profits speak for themselves, and selling ransomware to cybercriminals works. It’s a hard pill to swallow for large businesses. Today, investing in a cybersecurity strategy is not just a luxury anymore – it’s a must. There are some critical points for medium and small companies to consider in terms of cybersecurity:

• Reliable data backups: Most ransomware attacks encrypt sensitive data and force organizations to pay a considerable ransom to regain access. Creating periodical data backups can minimize the damage caused by such attacks.
• Organizational awareness training: In more primitive ransomware attacks, social engineering and email phishing attacks are conducted. Implementing a strong password policy and training employees to recognize known malicious IP addresses and act accordingly could improve the cyber safety of the business.
• Patch management program: In most cases, ransomware exploits system vulnerabilities, such as outdated security patches in the organization’s network system. Frequent security patch updates are a must.
• Multi-factor authentication: The human factor is still one of the weakest links in cybersecurity. Implementing MFA can reduce the risk of breached passwords and user credentials.
• Endpoint security: Ransomware like DarkSide can gain access to companies’ systems in numerous ways. A reliable endpoint security equipped with anti-malware protection properties can detect ransomware in the early stages and minimize or eliminate the damage completely.