Security Researchers Dive Into DarkSide Ransomware

Following the ransomware attack that impacted the pipeline operated by Georgia-based Colonial Pipeline, security firms are providing detailed information on the cybercriminal gang behind the attack.

The pipeline is said to carry roughly 45% of the fuel consumed on the East Coast, with the attack considered the most disruptive cyberattack to date on critical U.S. infrastructure.

The incident was quickly associated with the cybercriminal gang known as DarkSide, which has been active since August 2020.

In January 2021, Bitdefender released a decryptor for the DarkSide ransomware, to help victims restore their files without paying the ransom. However, the hackers took steps to ensure that the decryptor no longer works.

DarkSide functions as a ransomware-as-a-service (RaaS), where affiliates help deliver the malware in exchange for a percentage of the amount the victim pays in ransom. At least five Russian-speaking affiliates have been identified to date, security researchers with FireEye’s Mandiant team reveal.

The RaaS features the typical characteristics of any ransomware enterprise: after the target systems have been compromised, data is encrypted and exfiltrated for extortion purposes, and the victim is provided with means of contacting the attackers to receive details on the payment request and to negotiate the ransom.

The profit is shared with the affiliates, who are granted access to an administrative panel only after passing an interview, and who perform various tasks, including breaching organizations and helping with ransomware deployment. The affiliate receives up to 25% from payments of up to $500,000, or 10% for payments above $5 million.

Unlike other similar enterprises out there, the DarkSide gang maintains a blog on the Tor network, where they boast about compromised organizations, likely in an attempt to pressure them into paying the ransom, FireEye notes. The threat actor might also engage in distributed denial-of-service (DDoS) attacks against victims unwilling to pay.

Victims are also given the option to negotiate the ransom payment directly with the attackers. In one incident, the attackers demanded a $30 million ransom, but the victim negotiated it down to $11 million and also received assurances that all of the stolen data would be deleted and that its network would not be hit again, investigative journalist Brian Krebs reports.

To date, DarkSide has been used in attacks targeting tens of organizations across the financial services, technology, legal, manufacturing, retail, and professional services sectors.

Security researchers with cybercrime intelligence firm Intel 471 say that, for initial access, the threat actors use access credentials purchased on underground forums, brute-force attacks, and spam email campaigns or botnets for malware delivery. At least one zero-day vulnerability was used in such attacks.

Post-exploitation tools employed in DarkSide attacks may include Cobalt Strike, Metasploit, BloodHound, Mimikatz, F-Secure Labs’ Custom Command and Control (C3) framework, TeamViewer, the SMOKEDHAM backdoor, and the NGROK utility.

FireEye has analyzed the attacks associated with three of the DarkSide affiliates, revealing that, while one of them would deploy the ransomware only three days after the initial compromise, a more established adversary (active since April 2019) tends to lurk in the compromised networks for months before making a similar move.

“We believe that threat actors have become more proficient at conducting multifaceted extortion operations and that this success has directly contributed to the rapid increase in the number of high-impact ransomware incidents over the past few years. Ransomware operators have incorporated additional extortion tactics designed to increase the likelihood that victims will acquiesce to paying the ransom prices,” FireEye notes.

On Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released an alert to provide information on the best practices organizations should adopt to prevent falling victim to DarkSide ransomware attacks.

These include multi-factor authentication, robust network segmentation between IT and OT networks, regular testing, the implementation of isolated backups, restricted access, and the prevention of unauthorized execution.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.