DarkSide ransomware first arrived on the scene in August 2020, and was last updated in March 2021. The DarkSide group has a history of extorting high-profile organizations using the “double extortion” technique, which involves taking copies of the victim’s data before encrypting it.
In addition to threatening to destroy the decryption key if the victim refuses to pay the ransom, they will also threaten to expose their sensitive data to the public.
The group now operates a ransomware-as-a-service (RaaS) operation, where they provide a ransomware service to affiliates, in exchange for a percentage of any ransom payments made.
DarkSide is one of the most sophisticated RaaS operations around, with a variety of features and attack methods to choose from, including the ability to exploit public-facing applications using RDP, escalate privileges, and impair the victims’ defenses.
The group frequently targets organizations that run unpatched or outdated software, and their code checks the default system language, as they only target English-speaking countries.
How Does DarkSide Ransomware Work
To gain initial access, DarkSide performs brute-force attacks and exploits known vulnerabilities using the remote desktop protocol (RDP). Once inside, they try to elevate their privileges in order to move laterally throughout the network. They then try to identify and remove any backups and Volume Shadow Copies (via PowerShell), to ensure that the victim is unable to restore their files once encrypted. They also try to impair the victim’s defenses by disabling security solutions, shutting down event logging processes, deleting registry keys, and more. To avoid detection, DarkSide also encrypts its ransom notes and the APIs used to execute remote commands on the victim’s devices.
Examples of DarkSide Ransomware Attacks
Given that DarkSide ransomware is still relatively new, few high-profile cases have been reported in the media. Perhaps their biggest accomplishment so far was the attack on the Colonial Pipeline Company, which occurred in May 2021. During the attack, Colonial Pipeline was forced to temporarily shut down the 5,500-mile pipeline that carries 45% of the fuel used on the East Coast of the United States. They decided to pay the ransom ($4.4 million in bitcoin) to avoid long-term disruption.
Ultimately, Colonial fell very short in their security practices, including not having MFA in place on their network, and also, critically, not enforcing stricter password policies. Despite the FBI being able to recover some of the ransom money they paid, Colonial was fined almost $1 million for lax security by US government energy regulators.
How to Protect Against DarkSide Ransomware Attacks
Use strong passwords
To prevent attackers from brute-force guessing account passwords, and to stop an attack from spreading to other systems, enforce a strong password policy and, better yet, use multi-factor authentication (MFA) in conjunction with a zero-trust approach.
Turn off RDP
If you are not using RDP, it is a good idea to turn it off. If you really need to use it, make sure that you are using it on a non-standard port.
Configure your firewall
Block public access to ports, specifically port 3389. Only allow access to IPs that are under your control.
Use a VPN
Use a VPN as opposed to RDP, and if possible, enable MFA for added security.
Automate a response to anomalous events
Adopt a real-time auditing solution that can detect and respond to events that match a pre-defined threshold condition, such as when a given number of login attempts have failed, or when a given number of files have been copied or encrypted within a set time frame.
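As an added illustration of the threshold rule described above (not code from the original article), the following Python script applies a sliding-window count to a constructed set of events: Windows failed-logon events (ID 4625) keyed by source address, and file-write events keyed by process name. The event IDs, thresholds and sample data are assumptions chosen for the demonstration.

```python
"""Sliding-window threshold detector for the two conditions the article names:
N failed logins from one source within a time window, and N file writes by one
process within a time window. All events below are constructed, not real logs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, event type, key).
# "4625" is the Windows Security failed-logon event ID, keyed by source IP;
# "file_write" stands in for a file-audit event, keyed by the writing process.
SAMPLE_EVENTS = [
    ("2021-05-07T02:00:01", "4625", "203.0.113.9"),
    ("2021-05-07T02:00:03", "4625", "203.0.113.9"),
    ("2021-05-07T02:00:04", "4625", "198.51.100.4"),
    ("2021-05-07T02:00:05", "4625", "203.0.113.9"),
    ("2021-05-07T02:00:07", "4625", "203.0.113.9"),
    ("2021-05-07T02:00:09", "4625", "203.0.113.9"),
    ("2021-05-07T02:10:00", "file_write", "winword.exe"),
    ("2021-05-07T02:11:00", "file_write", "unknown.exe"),
    ("2021-05-07T02:11:01", "file_write", "unknown.exe"),
    ("2021-05-07T02:11:02", "file_write", "unknown.exe"),
    ("2021-05-07T02:11:03", "file_write", "unknown.exe"),
]


def threshold_alerts(events, event_type, limit, window_seconds):
    """Return (key, timestamp) alerts whenever `limit` events of `event_type`
    sharing the same key fall within `window_seconds` of each other."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # key -> timestamps still inside the window
    alerts = []
    for ts, etype, key in sorted(events):  # ISO timestamps sort chronologically
        if etype != event_type:
            continue
        now = datetime.fromisoformat(ts)
        seen = recent[key]
        seen.append(now)
        while seen and now - seen[0] > window:  # drop events older than the window
            seen.popleft()
        if len(seen) >= limit:
            alerts.append((key, ts))
            seen.clear()  # one burst raises one alert, then the count restarts
    return alerts


if __name__ == "__main__":
    # Five failed logons from one source inside 60 s -> one alert for that IP.
    print(threshold_alerts(SAMPLE_EVENTS, "4625", limit=5, window_seconds=60))
    # Four file writes by one process inside 10 s -> one alert for that process.
    print(threshold_alerts(SAMPLE_EVENTS, "file_write", limit=4, window_seconds=10))
```

In a real deployment the alert tuples would feed the response step (for example locking the account or isolating the host) rather than being printed.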
Back up your data regularly
Make sure that you keep a copy of your backups offline, or at least off-network. Consider encrypting your backups as well, to be on the safe side.
Ensure that all software is up-to-date
Patches must be applied to all applications, including your operating system and any security software you use, as soon as they become available. Consider using an automated patch management solution.
Enforce “least privilege” access
Ensure that users are granted only the privileges they need to perform their role. This limits the amount of sensitive data DarkSide can reach through any one compromised account.
Monitor endpoints and traffic
In addition to responding to events that meet a threshold condition, there are various events you can look out for that might suggest you have been infected with DarkSide ransomware. For example, you can monitor for suspicious outbound network traffic, privilege escalation, changes to your security settings, and the installation of unauthorized software, to name a few. Use an intrusion prevention solution in conjunction with a real-time data-centric auditing solution, to detect, alert, and respond to anomalous changes.