The DarkSide ransomware gang announced its existence in August 2020. Less than a year later, the gang announced that it was ceasing operations, and shut down in May 2021, making it a short-lived yet extremely destructive criminal project that caused—amongst other high-profile attacks—significant business interruptions to one of the biggest oil companies in the world.
While it was the May 2021 Colonial Pipeline attack that brought the name DarkSide into the global public discourse, security experts and criminal justice authorities have assessed DarkSide’s level of sophistication as high. This has led threat intelligence analysts to hypothesize that the DarkSide gang was made up of veteran cyber criminals undergoing a rebranding, and to warn that we may soon see the DarkSide criminals reappear in the cyber threat landscape under a new name.
Being aware of such a possibility, in November 2021, the US government declared that it is offering a USD 10 Million bounty for anyone who successfully reports the names of any DarkSide members.
Companies in Asia should view DarkSide as a dormant threat that could awaken at any time, ready to strike, and should learn from past attacks to prepare themselves.
Who is DarkSide?
DarkSide is the name of a cyber criminal group believed to be based in Eastern Europe and run by former affiliates of other ransomware gangs who decided to come up with their own brand of malware.
The attackers use highly sophisticated ransomware techniques against large for-profit organizations, encrypting their data under threat of publishing it on the open web. In exchange for a decryption key, DarkSide demanded ransom payments between USD 200,000 and USD 2 Million.
DarkSide presents itself as an "enterprise" gang due to its professional-looking website and attempts to partner with journalists and decryption companies. One key element of DarkSide’s branding is its mostly-consistent provocative public persona, presenting itself as a champion of the working people. In line with this, DarkSide firmly stated that they do not target the government, education, healthcare, funeral and non-profit sectors, and only aimed at making money from larger independent corporations.
This was reinforced by a Twitter post shared by DarkSide stating “Our goal is to make money, and not to create problems for society.” In a dark web post, the group posted receipts for donations of BTC 0.88 (then worth USD 10,000) each to Children International and to The Water Project, dated October 2020.
DarkSide conducts its activities according to a Ransomware as a Service (RaaS) business model, whereby the group provides third-party clients with the tools to carry out a ransomware attack, receiving commission as part of the extorted sum. Based on forum advertisements, the RaaS operators take 25% for ransom fees less than USD 500,000 but this decreases to 10% for ransom fees greater than USD 5 Million.
DarkSide promotes its ransomware by offering the option to publish victim data in stages—which may put additional pressure on victims to pay the ransom—and flaunting that their go-to data leak website receives “stable visits and media coverage.”
DarkSide adheres to the practice of double extortion: one sum is demanded for the digital key needed to unlock the encrypted files and servers, and a separate ransom is demanded in exchange for a promise to destroy the data stolen from the victim.
How does DarkSide Ransomware work?
DarkSide ransomware penetrates a company’s network and spreads across active endpoints within minutes, encrypting all information on the infected endpoints and rendering it irrecoverable, absent clean backups, unless the ransom is paid.
Unlike other ransomware types that access computers through phishing links and email attachments, DarkSide’s sophisticated ransomware leverages backdoors into a network—vulnerabilities akin to Palo Alto’s CVE-2019-1579 and the Microsoft Exchange flaws, which let an unauthenticated attacker execute malicious code remotely—and compromised connections between organizations. By infecting one company first and then spreading to its third-party partners, the attackers are able to carry out breaches across several organizations.
DarkSide ransomware variants use the Silent Night botnet—also known as Zloader—for delivery. Zloader is a variant of the Zeus financial malware that has been targeting banks since 2006 and works as a first-stage Trojan loader that establishes an initial foothold in the victim’s environment. From that foothold, the Cobalt Strike red teaming tool is used to move laterally and deploy DarkSide ransomware.
After being downloaded onto network endpoints, DarkSide ransomware proceeds to encrypt files. It does this with the Salsa20 stream cipher, using a custom matrix (its own constant words in place of the standard ones) and protecting the Salsa20 keys with the RSA-1024 encryption algorithm. Salsa20 is a very fast cipher, so encryption is near impossible to halt once it is under way in the network. DarkSide ransomware then terminates processes that hold files open, so that those files can also be encrypted, and replaces the desktop wallpaper with its ransom note.
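To make the custom-matrix point concrete for analysts, here is an added example (not DarkSide’s code, and not from the original article): a plain Salsa20 implementation whose four constant words can be swapped out, showing that data encrypted under a custom matrix does not decrypt with a stock Salsa20 even when the correct key and nonce are known. The custom constants, key and nonce below are constructed for illustration; the real DarkSide matrix is not given on this page.

```python
import struct

# Standard Salsa20 "sigma" constants: the ASCII string "expand 32-byte k"
# as four little-endian words. A sample built with a custom matrix swaps
# its own four values in here, so stock implementations will not match it.
SIGMA = struct.unpack("<4I", b"expand 32-byte k")
# Constructed stand-in for a custom matrix (NOT DarkSide's real constants).
CUSTOM = struct.unpack("<4I", b"constructed-mtrx")


def _rotl(v, c):
    return ((v << c) | (v >> (32 - c))) & 0xFFFFFFFF


def _quarter(x, a, b, c, d):
    # Salsa20 quarterround on state words a, b, c, d (in place)
    x[b] ^= _rotl((x[a] + x[d]) & 0xFFFFFFFF, 7)
    x[c] ^= _rotl((x[b] + x[a]) & 0xFFFFFFFF, 9)
    x[d] ^= _rotl((x[c] + x[b]) & 0xFFFFFFFF, 13)
    x[a] ^= _rotl((x[d] + x[c]) & 0xFFFFFFFF, 18)


def salsa20_block(key, nonce, counter, consts=SIGMA, rounds=20):
    """One 64-byte Salsa20 keystream block for a 32-byte key and 8-byte nonce."""
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    c0, c1 = counter & 0xFFFFFFFF, (counter >> 32) & 0xFFFFFFFF
    # 4x4 state matrix: constants on the diagonal, key, nonce and block counter
    init = [consts[0], k[0], k[1], k[2], k[3], consts[1], n[0], n[1],
            c0, c1, consts[2], k[4], k[5], k[6], k[7], consts[3]]
    x = list(init)
    for _ in range(rounds // 2):
        # one double round: a column round followed by a row round
        for q in ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11)):
            _quarter(x, *q)
        for q in ((0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)):
            _quarter(x, *q)
    return struct.pack("<16I", *[(x[i] + init[i]) & 0xFFFFFFFF for i in range(16)])


def salsa20_xor(data, key, nonce, consts=SIGMA):
    """Encrypt or decrypt (same operation) by XORing data with the keystream."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = salsa20_block(key, nonce, off // 64, consts)
        out += bytes(p ^ s for p, s in zip(data[off:off + 64], ks))
    return bytes(out)


def recovers_plaintext(ciphertext, plaintext, key, nonce, consts):
    """True if decrypting with the given constant matrix yields the plaintext."""
    return salsa20_xor(ciphertext, key, nonce, consts) == plaintext
```

An analyst holding a recovered key and nonce can use `recovers_plaintext` to check whether a sample used the standard matrix or a custom one before building decryption tooling.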
Once the endpoint is encrypted and the message is displayed, users have a few days to pay the ransom. When requested, DarkSide affiliates can provide “proof of life” by decrypting a small portion of the data to prove that they indeed have a working decryption key.
Perhaps the most notable event involving DarkSide is the May 2021 attack on Colonial Pipeline, which caused the shutdown of the conduit that transports gasoline from Texas to the northeast of the United States, causing massive petrol shortages for consumers as well as disruptions to oil-dependent supply chains. On a given day, Colonial Pipeline carries 2.5 Million barrels of gasoline, diesel, heating oil, and jet fuel along its 5,500-mile route, providing nearly half of the East Coast’s fuel supply.
Colonial was able to use data backups to partially restore operations within a week from the attack, but the national average price for a gallon of petrol had pushed past USD 3 for the first time in almost a decade. President Joe Biden declared a State of National Emergency due to the attack and Colonial Pipeline eventually paid the Bitcoin equivalent of USD 4.4 Million to receive a decryption key and prevent its data from being publicly disclosed.
DarkSide’s blog activity and Bitcoin wallet show that the group’s ransomware variants were highly active beyond the famous Colonial incident. In fact, cryptocurrency security firm Elliptic stated that a Bitcoin wallet opened by DarkSide in March 2021 had received USD 17.5 Million from 21 Bitcoin wallets (including the Colonial Pipeline ransom). In total, DarkSide received over USD 90 Million in ransom payments from at least 47 victims.
How to Prevent a DarkSide attack?
Whilst DarkSide is currently a dormant threat, the gang’s members are likely still active in the cyber crime scene and are predicted to re-emerge with new ransomware variants in the near future. Proper cyber hygiene—regular offline backups, tightened security configurations, recurring patching, and a capable EDR tool—remains a proven set of strategies for protecting yourself from ransomware and bolstering your cyber defences.
On top of this, preparing an incident response plan in collaboration with a specialist team like Blackpanda is crucial to minimize response time and losses in the event of a ransomware attack. As Asia’s premier Digital Forensics and Incident Response provider, we support our clients through best-in-class services like regular compromise assessments, tabletop exercises, and the creation of bespoke incident response plans.
To learn more about our ransomware preparation services, or to report a breach, contact Blackpanda via our website or email us at firstname.lastname@example.org.