What is DARKSIDE, the cybercriminal ransomware group that has the world on alert?
On May 7, 2021, a ransomware attack hit Colonial Pipeline, operator of one of the most important fuel pipeline systems in the United States, interrupting the supply of gasoline, diesel and other refined products along roughly 8,850 kilometers of pipeline. According to the FBI, the DARKSIDE ransomware was responsible for this attack.
What is DARKSIDE?
Since first appearing in August 2020, the creators of the DARKSIDE ransomware and their affiliates have carried out a global crime spree affecting organizations in more than 15 countries and multiple industry verticals. Like many of their peers, these cybercriminals practise multi-faceted extortion: data is exfiltrated as well as encrypted, so that they can demand payment both for the decryption key and for not publishing the stolen data, putting additional pressure on victims.
DARKSIDE operates as ransomware as a service (RaaS): profits are shared between the owners of the ransomware and partners, or affiliates, who obtain access to organizations and deploy the ransomware. These affiliates have shown varying levels of technical sophistication in their intrusions. While they generally relied on legitimate and commercially available tools to carry out the various stages of their operations, at least one of the threat groups also exploited a zero-day vulnerability that now appears to have been patched.
Multiple DARKSIDE victims have been identified, most of them organizations based in the United States, spanning sectors including financial services, legal, manufacturing, professional services, retail and technology. The number of victims publicly named on the DARKSIDE group's blog has grown since August 2020, which reflects increasing use of DARKSIDE ransomware by multiple affiliates.
In November 2020, the Russian cyber attacker “darksupp” advertised the DARKSIDE RaaS on the Russian-language forums exploit.in and xss.is. In April 2021, darksupp announced an update to the RaaS, “Darkside 2.0”, that included several new features and a description of the types of partners and services they were looking for. Affiliates keep a percentage of each victim's ransom. According to the forum announcements, the RaaS operators take 25% of ransoms below $500,000, dropping to 10% for ransoms above $5 million.
In addition to providing DARKSIDE ransomware builds, the operators of the service also maintain a blog accessible via Tor. The group uses this site to name victims publicly and pressure them into paying for the non-disclosure of stolen data.
A recent update to an underground forum post also indicates that, using functionality in the same DARKSIDE kit, affiliates can launch distributed denial of service (DDoS) attacks against victim organizations as a further form of pressure. However, darksupp has stated that affiliates are prohibited from targeting hospitals, schools, universities, non-profit organizations and public sector entities.
How does the DARKSIDE affiliate program work?
DARKSIDE RaaS affiliates must pass an interview after which they are provided access to an administration panel. Within this panel, affiliates can perform various actions, such as creating a ransomware build, specifying content for the DARKSIDE blog, managing victims, and contacting technical support.
It is worth noting that the group's advertisements have sought initial access brokers, or attackers capable of deploying ransomware on access they have already obtained. Some cybercriminals claiming to use DARKSIDE have also allegedly been associated with other RaaS affiliate programs, including BABUK and SODINOKIBI (also known as REvil).
Additionally, cybercriminals have become more proficient at conducting extortion operations and this success has directly contributed to the rapid increase in the number of high-impact ransomware incidents in recent years.
Ransomware operators have incorporated additional extortion tactics designed to increase the likelihood that victims will agree to pay ransom prices.
For example, in late April 2021, the DARKSIDE operators released a statement saying they were targeting organizations listed on NASDAQ and other stock exchanges, and that they would be willing to give stock traders advance notice of upcoming leaks so that the traders could profit from the fall in share price once a breach is announced.
Based on observed trends, the extortion tactics cybercriminals use to pressure victims will almost certainly continue to evolve throughout 2021.
Ransomware alert in Mexico
These types of cyberattacks are increasingly numerous, sophisticated, dangerous and massive. According to the SILIKN research unit, in Mexico, more than half of private and public organizations suffered an attack of this type during 2020. Cybersecurity Ventures predicted that by the end of 2019, a ransomware attack occurred every 14 seconds. By early 2021, it estimated that these attacks would appear every 11 seconds.
In Mexico, the average cost of remediating a ransomware attack is $470,000, rising to $940,000 if the ransom is paid.
Ransomware is expected to be the fastest-growing attack type in Mexico in 2021, and fewer than 50% of organizations have personnel trained to deal with it.
In 2020, ransomware primarily targeted the manufacturing sector, healthcare organizations and construction companies, with the average ransom reaching $500,000, according to data from SILIKN's research unit.
How can a ransomware attack be prevented?
Here are a couple of suggestions:
Update your systems constantly. Software ships with vulnerabilities, and attackers love to exploit them, so your company should have a strong patch and update management policy.
Patching is a simple and effective way to help defend against ransomware. It should be a regular routine in which the organization frequently updates everything from laptops and desktops to servers, mobile devices, operating systems (Windows, macOS, Linux/Unix), endpoint security (antivirus and antimalware software) and web browsers, that is, every device and system connected to the network.
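A patch management policy only helps if someone checks that it is being followed. As an added example (not from the original article, and not a tool of any organization named here), the following Python script encodes one concrete rule such a policy might state and checks a constructed host inventory against it: every host must have no pending security updates and must have been patched within a window that depends on its exposure. The hostnames, dates, exposure classes and the 7-day/30-day windows are all assumptions made for illustration.

```python
"""Patch-compliance check over a constructed host inventory.

Added example, not from the article. Hostnames, dates and policy windows
are assumptions; in practice the inventory would come from a patch
management or endpoint system.
"""
from dataclasses import dataclass
from datetime import date

# Maximum days since last security patch, by exposure class (assumed policy).
MAX_PATCH_AGE = {"internet-facing": 7, "internal": 30}


@dataclass(frozen=True)
class Host:
    name: str
    exposure: str          # "internet-facing" or "internal"
    last_patched: date     # date the last security update was applied
    pending_security: int  # security updates available but not installed


def violations(host: Host, today: date) -> list:
    """Return the list of policy violations for one host (empty if compliant)."""
    window = MAX_PATCH_AGE.get(host.exposure, MAX_PATCH_AGE["internal"])
    age_days = (today - host.last_patched).days
    reasons = []
    if host.pending_security > 0:
        reasons.append(f"{host.pending_security} security update(s) pending")
    if age_days > window:
        reasons.append(f"last patched {age_days} days ago (limit {window})")
    return reasons


def is_compliant(host: Host, today: date) -> bool:
    return not violations(host, today)


def non_compliant_hosts(inventory, today: date) -> list:
    """Return (name, reasons) for every non-compliant host, most overdue first."""
    bad = [(h, violations(h, today)) for h in inventory]
    bad = [(h, r) for h, r in bad if r]
    bad.sort(key=lambda pair: (today - pair[0].last_patched).days, reverse=True)
    return [(h.name, r) for h, r in bad]


# Constructed inventory: these are not real hosts.
TODAY = date(2021, 5, 14)
INVENTORY = [
    Host("vpn-gw-01", "internet-facing", date(2021, 5, 10), 0),   # 4 days, ok
    Host("web-02", "internet-facing", date(2021, 4, 20), 1),      # 24 days + pending
    Host("fileserver-01", "internal", date(2021, 4, 30), 0),      # 14 days, ok
    Host("hr-laptop-17", "internal", date(2021, 3, 1), 3),        # 74 days + pending
    Host("mail-relay", "internet-facing", date(2021, 5, 12), 2),  # 2 days, pending
]

if __name__ == "__main__":
    for name, reasons in non_compliant_hosts(INVENTORY, TODAY):
        print(f"NON-COMPLIANT {name}: {'; '.join(reasons)}")
```

Sorting by patch age puts the hosts that have gone longest without updates at the top of the list; the pending-update count catches hosts that were patched recently but have fallen behind again.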
Continuous training. It is true that end users are often the entry point for ransomware attacks, whether through phishing, malicious links or drive-by downloads from compromised sites. Why? Because threats grow at an exponential rate, and if a company's staff does not continuously receive cybersecurity training and information, they will most likely fail to identify, and therefore to contain, a cyberattack.
While it is encouraging to see more and more organizations requiring employees to attend cybersecurity awareness training, that does not necessarily mean everyone retains what they have learned. Education should therefore be ongoing and encourage vigilance to the point where it becomes second nature for users: always look for signs of malicious intent and verify sources before clicking links or opening email attachments.
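One "check the source" that can be automated rather than left to the user's eye is comparing the text of a link with where it actually points. The following Python script is an added example, not from the original article: it parses a constructed HTML e-mail and flags anchors whose visible text names a different registered domain than the real href, the classic phishing trick of showing the bank's address while linking elsewhere. The sample message, the domains in it and the two-label domain heuristic are assumptions for the demo.

```python
"""Flag HTML links whose visible text points at a different domain than
the real target. Added example; the sample e-mail is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text that itself looks like a URL or bare domain. Plain words such
# as "Click here" cannot mismatch a domain, so they are not checked.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-zA-Z]{2,}(?:[/?#]\S*)?$")


def registered_domain(host: str) -> str:
    """Crude registered-domain extraction: the last two labels.
    Simplification: real code should consult a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html: str) -> list:
    """Return (visible_text, real_href) pairs whose registered domains differ."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlsplit(href)
        if target.scheme not in ("http", "https") or not target.hostname:
            continue  # mailto:, relative links etc. are out of scope here
        if not URL_LIKE.match(text):
            continue
        shown_host = urlsplit(text if "://" in text else "//" + text).hostname
        if shown_host and registered_domain(shown_host) != registered_domain(target.hostname):
            findings.append((text, href))
    return findings


# Constructed phishing-style message (not a real e-mail).
SAMPLE_EMAIL = """
<p>Your account will be suspended. Verify it now:
<a href="http://secure-login.example.net/reset">https://bank.example.com/reset</a></p>
<p>Help centre: <a href="https://bank.example.com/help">bank.example.com/help</a></p>
<p>Status: <a href="https://support.bank.example.com/x">https://bank.example.com/x</a></p>
<p>Contact: <a href="mailto:help@bank.example.com">help@bank.example.com</a></p>
<p><a href="https://evil.example.org/">Click here</a> to unsubscribe.</p>
"""

if __name__ == "__main__":
    for shown, real in mismatched_links(SAMPLE_EMAIL):
        print(f"MISMATCH: text shows {shown!r} but links to {real!r}")
```

Only the first link is reported: the help-centre link matches exactly, the status link differs only in subdomain and so shares the registered domain, the mailto link is skipped, and "Click here" is not domain-like text. A subdomain comparison would be stricter; whether that is wanted depends on how the organization's own mail is built.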