Return to Blog
March 01, 2022

Dealing with DarkSide

By Elizabeth Fichtner

Brian Krebs reviewed more details about ‘DarkSide’ and this ransomware group’s role in shutting down the Colonial Pipeline. DarkSide is a group that packages and provides ransomware capabilities as a service. Other ransomware gangs and organizations pay a fee for DarkSide tools and services making it difficult to provide accurate attribution.

This group packages and modifies common backdoors like Harpy, Sekur, and Cobalt Strike with their own custom loaders and management interfaces. They configure and deploy various ransomware packages like REvil ransomware, none of which are actually unique to DarkSide. It’s not the malware they sell or the particular techniques used that make them effective, it’s the fact that they are well organized and experienced. This group has an entire intelligence arm and streamlined operating procedures that start with researching their victims, ensuring they are vulnerable, blind, and capable of paying ransoms.

How to deal with DarkSide:

So, what can you do about this potential threat? It might seem simple, but prioritizing security infrastructure and monitoring will be the keys. DarkSide has benign recon and intel gathering stages that can safely determine the capabilities of their victims. This group tends to avoid well defended organizations and victims with capabilities to find them—like behavioral detection and response capabilities. CISA also has provided these recommendations for preventing business disruption from ransomware attacks.

Techniques to look out for:

  • DarkSide uses Powershell to download the first malware stages and prep systems.
  • They delete Volume Shadow Copies via Powershell.
  • They decode and execute malware via Certutil.exe.
  • They can perform privilege escalation on older operating systems like Windows 7 (none seen for most modern OS’s yet)

Once recon is performed, they spread fully through the network and begin PR campaigns prior to execution of the encryption/ransom. This is an opportunity window for detection and mitigation if you have an active MDR service watching for these.

To learn how to protect your clients’ from the most sophisticated and malicious cyber threats, set up a demo with one of our representatives.

Related

Deteniendo Amenazas Cibernéticas Que Están Afectando tu Seguridad

Los criminales cibernéticos están volviéndose más astutos cada día, encontrando nuevas formas de atacar los datos vulnerables de su empresa día a día.

Enhance IT Security and Reduce Stress with Datto EDR, Managed SOC & AV

Learn how Datto EDR, Datto AV and RocketCyber Managed SOC reduce the stress on an IT team while providing 24/7/365 threat coverage.

Suggested Next Reads

PSA

How to Automate Sales Quotes and Proposals

Manual sales quoting and proposal processes are time-consuming and error-prone, leading to diminished client experience. Learn how to automate them.

May 08, 2024 | Max Herschap

What is PSA Ticketing?

PSA ticketing helps IT support teams organize, track and resolve service requests swiftly and efficiently. Learn how it enhances customer experience.

May 07, 2024 | Max Herschap