DarkSide Ransomware Group Explained

DarkSide is a relatively new ransomware group that has been responsible for high-profile attacks such as the Colonial Pipeline hack in May 2021. This group develops ransomware for use by other hacking groups in very targeted attacks, allowing DarkSide to have a greater reach and providing these other groups with access to sophisticated and actively-maintained ransomware.


Introduction to DarkSide

First discovered in August 2020, the group is supposedly made up of experienced cybercriminals from various ransomware groups. DarkSide is a recent entrant to the Ransomware as a Service (RaaS) space, where they develop ransomware and sell it to other cybercriminals.

This makes it possible for cybercriminals to specialize in certain areas. The DarkSide group focuses on developing and improving their malware, while their customers specialize in gaining access to target networks and delivering the malware to critical or valuable systems within them.

The DarkSide group made headlines for a ransomware attack against Colonial Pipeline, which transports about half of the fuel to the East Coast of the United States. The attack crippled the pipeline’s operations, forcing a complete shutdown for multiple days and prompting the US government to declare a state of emergency because the attack posed a potential national security threat.

How the DarkSide Ransomware Works

The DarkSide ransomware group performs highly-targeted attacks. The group claims to be apolitical and is focused on making money but does not want to cause problems for society. As part of this, the group has published a list of what it considers “acceptable targets” for attack.

Once the DarkSide ransomware gains access to a target environment, it begins by collecting and exfiltrating sensitive and valuable data from the business. This is because DarkSide performs “double extortion” attacks: victims who refuse to pay the ransom for decrypting their files are also threatened with public exposure of the stolen data unless the demand is met. The DarkSide group maintains a website called DarkSide Leaks where it publishes the data of targets that refuse to pay the ransom.

After stealing the data and encrypting infected computers, the DarkSide group sends a ransom demand tailored to the particular target. Based on the size and resources of the target company, ransom demands can vary from $200,000 to $20 million. To increase their chance of a payoff, the DarkSide group performs in-depth research on a company to identify key decision-makers and to maximize the demanded ransom while ensuring that it is within the target organization’s ability to pay.

As a RaaS vendor, the DarkSide group focuses on improving its malware to make it more effective and more difficult to detect and block. To this end, the group recently released version 2.0 of the malware, which is in active use in its attack campaigns.

Managing the Ransomware Threat

The emergence of the DarkSide ransomware group demonstrates the increasing threat of ransomware attacks. A number of different ransomware groups are currently operating, and the RaaS business model makes it possible for groups with sophisticated malware – like DarkSide – to expand their impact by selling access to their ransomware to other cybercrime groups.

With an increasing number of groups gaining access to sophisticated ransomware, ransomware prevention is a crucial component of any organization’s cybersecurity strategy.

Mitigating the threat of ransomware requires implementing certain best practices, such as:

  • Awareness Training: A high percentage of ransomware is delivered via phishing and other social engineering attacks. Training employees to recognize and properly respond to suspicious emails is essential to mitigating the threat that they pose.
  • Data Backups: Ransomware is designed to encrypt data, forcing an organization to pay a ransom to regain access. Creating frequent data backups minimizes the potential data loss caused by a ransomware attack.
  • Patch Management: Some ransomware variants spread by exploiting unpatched vulnerabilities in an organization’s systems. Promptly installing updates can help to close these gaps before they can be exploited by an attacker.
  • Multi-Factor Authentication: Attackers use compromised user credentials to log in through RDP or VPN services, gain access to corporate computers, and plant malware on them. Implementing multi-factor authentication (MFA) limits the risk posed by weak or breached passwords.
  • Endpoint Security: Ransomware can gain access to an organization’s computers in various ways. An endpoint security solution with anti-ransomware capabilities can help to detect and eliminate ransomware infections and minimize the damage incurred.

Protecting Against Ransomware with Harmony Endpoint

Check Point’s Harmony Endpoint is a full-featured endpoint security solution that provides robust protection against ransomware attacks. In the latest MITRE Engenuity ATT&CK evaluation, Harmony Endpoint detected all attack techniques used in the test, demonstrating its ability to provide comprehensive protection against modern cyber threats, including ransomware attacks.

Harmony Endpoint enables organizations to proactively detect ransomware infections within their environments. To learn about threat hunting with Harmony Endpoint, watch this video. Additionally, see how Harmony Endpoint can be used to identify Maze ransomware infections in this video.

To learn more about Harmony Endpoint’s capabilities, check out the solution brief. You’re also welcome to see Harmony Endpoint in action with a personalized demo and try it out for yourself with a free trial.
