What is DarkSide?

DarkSide is a Ransomware as a Service (RaaS) group operated by a Russian cybercriminal gang. It emerged in 2020 and gained notoriety after its massive attack on Colonial Pipeline in 2021. It is a for-profit RaaS operator targeting high-revenue organizations, and the group has publicly declared that it refrains from attacking hospitals, schools, and government institutions that cannot afford a ransom. Its operations were eventually shut down by the FBI after the Colonial Pipeline ransomware attack, but some reports suggest that the DarkSide group has returned under a new name: BlackMatter.

A timeline of DarkSide's operations

The DarkSide hacker group was one of the shortest-lived RaaS operators. Here is a timeline of its activities, compiled from publicly available information:

  • August 2020
    DarkSide was introduced as a new ransomware group targeting high-revenue organizations.
  • October 2020
    The group donated around $20,000 of their ransom money collected from victim organizations to charity.
  • Early November 2020
    DarkSide established its RaaS model and invited affiliates to join its business.
  • Late November 2020
    The group launched its data leak site and content delivery network for storing and delivering compromised data.
  • December 2020
    The hacker group invited media outlets and data recovery organizations to follow its press center on its leak site.
  • March 2021
    DarkSide released version 2.0 of its ransomware with several updates.
  • May 2021
    The group launched the Colonial Pipeline ransomware attack and was shut down by the FBI.

How DarkSide ransomware works

  • DarkSide ransomware predominantly gains initial access to an organization's network by exploiting weaknesses in how Remote Desktop Protocol (RDP) is exposed: RDP reachable directly from the internet rather than through a VPN, weak passwords, misconfigured firewalls, and a lack of MFA.
  • The ransomware uses tools like Mimikatz to harvest credentials and escalates privileges using a UAC bypass technique. Once it obtains domain admin privileges, it stages a DCSync attack to replicate Active Directory data, gaining access to highly privileged accounts in the domain.
  • It establishes communication with its command-and-control server through the Tor network. The connection is made via HTTPS over port 443 so that malicious traffic masquerades as normal web traffic, evading detection by perimeter security solutions.
  • DarkSide then deploys its payload, which includes the executable and a unique victim ID that allows the victim to access DarkSide's website to make the ransom payment.
  • It encrypts files using Salsa20 and encrypts the Salsa20 keys using RSA, combining the speed of symmetric encryption with the key-management properties of asymmetric encryption.
  • DarkSide also leverages Cobalt Strike, a commercial penetration testing tool, as its secondary command-and-control mechanism. This establishes a channel for sideloading, through which DarkSide actors exfiltrate data from infected devices.
  • After exfiltration, DarkSide deletes the volume shadow copies on the infected devices via PowerShell scripts to hinder file recovery and restoration.
  • DarkSide finally displays the ransom note to the victim, putting forth its outrageous ransom demands along with payment instructions.
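Each stage described above leaves traces in the Windows Security event log, which is where a defender looks for it. The script below is an added example, not code from the original page or from ManageEngine; it runs three checks over simplified event records (constructed for illustration, not real telemetry): RDP logons (event 4624, logon type 10) by accounts outside an assumed allow-list, DCSync-style replication requests (event 4662 carrying the directory replication control-access-right GUIDs) made by user rather than computer accounts, and process creations (event 4688) whose command line removes volume shadow copies. The allow-list, the dict field names and every sample value are assumptions.

```python
"""Flag DarkSide-style tradecraft in Windows Security event records.

Added example: events are simplified dicts (one per record), not raw EVTX.
Field names follow the Security log's XML data names; sample values are constructed.
"""
import re

# Control-access-right GUIDs requested by directory replication. A DCSync
# request shows up as event 4662 listing one of these in "Properties".
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}

# Command-line shapes that remove volume shadow copies (event 4688 CommandLine).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*(remove-wmiobject|\.delete\(\))", re.I | re.S),
]

# Accounts permitted to log on over RDP (assumption: fed from an allow-list).
RDP_ALLOWED_USERS = {"helpdesk-rdp", "jdoe-admin"}


def check_rdp_logon(evt):
    """Event 4624 with LogonType 10 (RemoteInteractive) by an account not expected to use RDP."""
    if evt.get("EventID") != 4624 or evt.get("LogonType") != 10:
        return None
    user = evt.get("TargetUserName", "").lower()
    if user in RDP_ALLOWED_USERS:
        return None
    return f"RDP logon by non-remote account {user} from {evt.get('IpAddress')}"


def check_dcsync(evt):
    """Event 4662 requesting replication rights from a user account (DCs use computer accounts ending in $)."""
    if evt.get("EventID") != 4662:
        return None
    subject = evt.get("SubjectUserName", "")
    if subject.endswith("$"):
        return None
    props = evt.get("Properties", "").lower()
    if not any(guid in props for guid in REPLICATION_GUIDS):
        return None
    return f"DCSync-style replication request by user account {subject}"


def check_shadow_copy_deletion(evt):
    """Event 4688 whose command line matches a shadow-copy deletion pattern."""
    if evt.get("EventID") != 4688:
        return None
    cmd = evt.get("CommandLine", "")
    if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
        return f"Shadow copy deletion attempted: {cmd}"
    return None


CHECKS = (check_rdp_logon, check_dcsync, check_shadow_copy_deletion)


def analyze(events):
    """Run every check over every event; return (EventID, message) pairs in log order."""
    alerts = []
    for evt in events:
        for check in CHECKS:
            msg = check(evt)
            if msg:
                alerts.append((evt["EventID"], msg))
    return alerts


# Constructed sample records (not real telemetry). 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "helpdesk-rdp", "IpAddress": "10.0.5.20"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc-backup", "IpAddress": "203.0.113.7"},
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc-backup",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4688, "CommandLine": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
    {"EventID": 4688,
     "CommandLine": "powershell.exe -c Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"},
]

if __name__ == "__main__":
    for event_id, message in analyze(SAMPLE_EVENTS):
        print(event_id, message)
```

Three of the six sample records trigger an alert: the RDP logon by the backup service account, the replication request from that same user account (the request from the DC02$ computer account is normal replication and is skipped), and the PowerShell command that deletes shadow copies. Event 4688 only carries a command line when command-line auditing is enabled in audit policy, so that check silently finds nothing on hosts where it is off.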

The Colonial Pipeline ransomware attack

In May 2021, DarkSide launched a massive ransomware attack on Colonial Pipeline, one of the largest oil pipelines in the United States. The attackers gained access to the pipeline's network and stole 100 GB of data within a two-hour window. Following the data theft, they also deployed multiple payloads that affected various systems within Colonial Pipeline's IT infrastructure. Critical financial operations such as billing and accounting were impacted, prompting Colonial Pipeline to shut down its network to prevent further damage and protect its operations. Reports suggest that the company paid $4.4 million to recover some of the stolen data, underscoring the exorbitant ransom demands of the DarkSide hacker group.

How to detect a DarkSide attack

  • Secure RDP: Implement regular security updates for remote desktop applications and ensure that VPNs, MFA tools, and firewalls are consistently up to date. Adhere to the principle of least privilege when granting permissions to admin accounts for modifying RDP settings, ensuring that access is limited to what is strictly necessary.
  • Analyze traffic: Analyze all incoming and outgoing traffic in the network and block transmissions of data packets that contain sensitive information or malicious files.
  • Detect anomalies: Monitor user and entity behavior to flag anomalous activities like unauthorized access and logons, privilege escalation, and lateral movement within the network.
  • Monitor files: Continuously monitor sensitive files, folders, and their backups to detect abnormal file executions, unauthorized access attempts, sudden increases in file encryption, and excessive file renaming.
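The "Monitor files" item above names sudden increases in file encryption and excessive renaming as the signal to watch. The script below is an added example, not code from the original page or from Log360, of one way to turn that signal into a detection: a per-account sliding-window count of rename events that change a file's extension, raising one alert when the count reaches a threshold inside the window. The event format, the window and threshold values, and the sample events are constructed assumptions.

```python
"""Flag bursts of extension-changing renames, a common trace of bulk file encryption.

Added example: file-activity events are simplified dicts (not a real audit log);
thresholds and sample events are constructed.
"""
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumption: sliding window length
RENAME_THRESHOLD = 20            # assumption: renames per account per window


def extension_changed(old_path, new_path):
    """True when a rename changed the file extension (e.g. .docx -> .locked)."""
    return os.path.splitext(old_path)[1].lower() != os.path.splitext(new_path)[1].lower()


def detect_rename_bursts(events, window=WINDOW, threshold=RENAME_THRESHOLD):
    """Return one alert per account whose extension-changing renames reach the
    threshold inside the sliding window. Events need ts, user, action, path and
    new_path keys; renames that keep the extension are ignored."""
    recent = defaultdict(deque)  # user -> timestamps of qualifying renames
    alerted = set()
    alerts = []
    for evt in sorted(events, key=lambda e: e["ts"]):
        if evt["action"] != "rename" or not extension_changed(evt["path"], evt["new_path"]):
            continue
        user = evt["user"]
        stamps = recent[user]
        stamps.append(evt["ts"])
        # Drop timestamps that have aged out of the window.
        while stamps and evt["ts"] - stamps[0] > window:
            stamps.popleft()
        if len(stamps) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({
                "user": user,
                "count": len(stamps),
                "first": stamps[0],
                "last": evt["ts"],
                "example": evt["new_path"],
            })
    return alerts


def _make_sample_events():
    """Constructed sample: 25 rapid .docx -> .docx.locked renames by one account,
    plus three ordinary .tmp -> .docx renames by another, spread over ten minutes."""
    base = datetime(2021, 5, 7, 8, 0, 0)
    events = []
    for i in range(25):
        path = f"finance/invoice_{i:03d}.docx"
        events.append({"ts": base + timedelta(seconds=i), "user": "svc-backup",
                       "action": "rename", "path": path, "new_path": path + ".locked"})
    for k in range(3):
        events.append({"ts": base + timedelta(minutes=3 * k), "user": "jdoe",
                       "action": "rename", "path": f"drafts/report_{k}.tmp",
                       "new_path": f"drafts/report_{k}.docx"})
    return events


SAMPLE_FILE_EVENTS = _make_sample_events()

if __name__ == "__main__":
    for alert in detect_rename_bursts(SAMPLE_FILE_EVENTS):
        print(f"{alert['user']}: {alert['count']} extension-changing renames "
              f"between {alert['first']} and {alert['last']} (e.g. {alert['example']})")
```

Only the backup service account trips the detector, at its twentieth rename a few seconds into the burst; the three slow renames by jdoe never accumulate inside one window. In practice the threshold is tuned per share against a baseline of normal activity, and the same window logic can be applied to modify or delete events from the file server's audit log.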

DarkSide ransomware mitigation strategies

  • Raise awareness among users and stakeholders about the various signs of DarkSide ransomware attacks and educate them on the necessary precautions to avoid becoming victims of such attacks.
  • Review remote logon activities from non-remote user accounts to detect compromised accounts.
  • Continuously audit endpoints and network devices for vulnerabilities and carry out regular patch updates.
  • Ensure that security configurations in firewalls, IDSs, and IPSs are updated regularly.
  • Monitor network traffic originating from unknown or unexpected devices and block connections to blocklisted IPs.
  • Audit system processes to detect suspicious process executions and process terminations.
  • Evaluate access controls in network shares and spot suspicious file access or sharing.
  • Detect unauthorized access to sensitive files and track file creation, modification, and deletion activities within critical file servers, directories, and the registry.
  • Enable MFA across all endpoints and applications to combat account compromise.
  • Implement a log management solution or a SIEM solution to gain visibility across the entire network.

Related solutions

ManageEngine Log360 is a comprehensive SIEM solution with advanced ransomware detection and mitigation capabilities. Log360 stands out as one of the best ransomware protection solutions, offering the following features:

  • 360-degree network visibility: Log360 provides complete visibility into the network through out-of-the-box audit reports and interactive dashboards on a single console.
  • Ransomware detection: Predefined correlation rules and alert profiles for ransomware detection help identify potential ransomware activities in real time.
  • User and entity behavior analytics: With its ML-based behavior monitoring capabilities, Log360 detects anomalous activities in the network to identify potential signs of a ransomware attack.
  • File monitoring: Log360's file integrity monitoring feature helps monitor unauthorized file access, creations, deletions, and modifications to protect sensitive data from ransomware.
  • Cloud app security: Log360's CASB capabilities help blocklist suspicious websites and ban malicious applications to secure sensitive cloud data from ransomware threats.
  • Ransomware incident response: The ransomware detection alert profiles include built-in incident response workflows that, when enabled, prevent the propagation of ransomware attacks.

To explore more, sign up for a personalized demo of Log360. You can also discover it on your own with a fully functional, 30-day free trial download.