Ransomware on a Boom: DarkSide Hackers Launches Customized Ransomware Attacks

Lately, a new operation for ransomware has been found, dubbed DarkSide, that launches customized attacks and asks for millions of dollars as ransom payouts. The DarkSide operators are the latest group to adopt a veneer of professionalism — while escalating the consequences of their attacks at the same time. A similarity in source code indicates these threat actors could follow in the footsteps of ransomware GandCrab and REvil. The latest ransomware strain was built to shake down millions of big-game targets — with attacks couched in an uncanny air of professionalism. There are numerous cybersecurity training and cybersecurity certifications online; enroll in one today!


Table of Contents

  • The $1 million DarkSide threat
  • How new is the DarkSide criminal crew?
  • How do they act?
  • Customized Ransomware Attacks
  • Mitigating against this threat from the Dark Side
  • Final Word


Let us see more about this ransomware and how it attacks businesses.


The $1 million DarkSide threat

The cybercriminals profess to have already made “millions of dollars of profit” from partnerships with other ransomware actors but created DarkSide due to the hunt’s failure for the perfect cryptolocker attack product. DarkSide is this perfect product, they claim. According to cybersecurity experts, at least one victim of the newly evolved threat appears to have paid more than $1 million in ransoms. The ransoms themselves vary from $200,000 (£150,000) to $2 million (£ 1.5 million), but those numbers double when an initial payment window is not met.


How new are the DarkSide criminal crew?

While DarkSide claims to be new, and there are specific attacks against ransomware, the methodology is being tried and tested. Besides, it has been suggested that similarities exist in the malware that links DarkSide to REvil, and before them, GandCrab. This doesn’t mean the highly successful REvil operators are evolving into something new, but it’s interesting to note the links. And speaking of notes, even the customized “Welcome to the Dark Side” ransom notes appear to be based on REvil templates that DarkSide uses. REvil, you may remember, opened a Dark Web auction house recently specifically for auctioning off data stolen from high-profile “clients” as they described them. DarkSide purposefully avoids infecting victims in the countries of the Commonwealth of Independent States (CIS). The source code for this action resembles the code used in REvil and GandCrab. Also, REvil’s ransom note uses nearly the same template as the ransom note used by REvil.


How do they act?

DarkSide’s new ransomware operation attacks numerous companies, attempting to access the broken network’s administrator account and Windows domain controller. They harvest unencrypted data from the victim’s servers after getting inside and upload it to their own devices. DarkSide terminates different databases, office applications, and mail clients to prepare the victim’s encryption machine.

The hackers own a leak site where they list as evidence the victim company’s name, the date information breached, and the screenshots. The DarkSide gang, with cruel irony, states that they “don’t want to kill businesses,” and will “only attack companies that can pay the amount.” One assumes that it explains the variations in ransom, as it appears that these are highly targeted attacks that take into account how big a ransom can be set with good payment chances. Indeed, that statement says DarkSide analyses accountancy records and determines how much a net income basis can be paid.


Customized Ransomware Attacks

When performing attacks, DarkSide creates executable custom ransomware for the particular company that they are attacking. When executed, a PowerShell command is executed by the ransomware, which deletes Shadow Volume Copies on the system not to be used to restore files. It then proceeds to terminate various databases, office applications, and mail clients to prepare the encryption machine. DarkSide avoids terminating specific processes when encrypting a computer. Specifically avoiding TeamViewer is not common, if ever seen with ransomware, and might indicate that the threat actors are employing it for remote access to computers. Cybersecurity professionals, who analyzed the encryption process, told that a SALSA20 key is used by the ransomware to encrypt files. Then this key is encrypted with an RSA-1024 public key included in the executable. Each victim has a custom extension created using a custom checksum of the victim’s MAC address. Each executable is customized to include a personalized ransom note “Welcome to Dark,” which includes the amount of data that has been stolen, data type, and a link to their data on the data leak site. The ransomware looks unbreakable at this time, and there’s no way to get files back for free.

Mitigating against this threat from the Dark Side

Reducing the risk of loss, that is, data loss is key to using the Dark Side Cybersecurity force.

Whatever, and wherever they come from, DarkSide appears to be another ransomware player to be taken seriously and thrown into the sickening mix.

That suggests going back to the basics of safety hygiene and ensuring that your organization does more than just making data backups.

  • You have to reduce the risk of the attack, decrease the attack’s surface, and make safety a real priority for the business.
  • Keeping everything patched and up-to-date ensures that strong authentication is used wherever it can be, educating every employee from shop floor to the boardroom to be cognizant, and ‘waking up’ to the threats that allow ransomware attackers to access the network can be of great help.
  • Reduce your footprint of insecurity, and make things harder for cybercriminals, not easier.


Final Word

A drastic increase was observed in ransomware attacks in the past several months. On the one hand, much new ransomware such as VHD, Ensiko, and several others have surfaced on the market. On the other hand, nearly all major law enforcement agencies such as Interpol and FBI have been busy alerting users of the sharp increase in ransomware related activities. To protect against the ever-growing risks of ransomware, organizations need to guard against extreme measures, such as frequent data backups, multifactor authentication, and intrusion detection and prevention solutions.