DarkSide ransomware is a relatively new ransomware strain. It has been used to target multiple, high-revenue organizations resulting in the encryption and theft of sensitive data and threats to make it publicly available if the ransom demand is not paid.
What is DarkSide Ransomware?
DarkSide ransomware first arrived on the scene in August 2020 and was last updated in March 2021. The DarkSide group has a history of extorting high-profile organizations using the “double extortion” technique, which involves taking copies of the victim’s data before encrypting it.
In addition to threatening to destroy the decryption key if the victim refuses to pay the ransom, they will also threaten to expose their sensitive data to the public.
The group now runs a ransomware-as-a-service (RaaS) operation, providing the ransomware to affiliates in exchange for a percentage of any ransom payments made. DarkSide is one of the most sophisticated RaaS operations around, with a variety of features and attack methods to choose from, including the ability to exploit public-facing applications using RDP, escalate privileges, and impair the victims’ defenses.
The group frequently targets organizations that are running unpatched or outdated software, and their code checks the default system language, as they only target English-speaking countries.
How Does DarkSide Ransomware Work?
DarkSide ransomware is associated with the DarkSide group and now often operates as ransomware-as-a-service (RaaS). The DarkSide ransomware group has a history of double extortion of its victims, firstly asking for payment to unlock the affected computers and secondly demanding additional payment to retrieve the exfiltrated data.
To gain initial access, DarkSide will employ a variety of methods, including stolen credentials, followed by manual hacking techniques, or they might perform brute-force attacks and exploit known vulnerabilities using the remote desktop protocol (RDP). Once they have gained access, they will try to elevate their privileges to move laterally through the network. They will then try to identify and remove any backups and Volume Shadow Copies (via PowerShell), to ensure that the victim is unable to restore their files once encrypted. The next step is to try to impair the victim’s defenses by disabling security solutions, shutting down event logging processes, deleting registry keys, and so on.
It is only once the environment is prepared that the ransomware is deployed to as many systems as possible in one go. This careful and methodical approach is much more effective, and harder to defend against, than ransomware programs that spread automatically through networks using built-in routines that might fail and trip detection mechanisms.
To avoid detection, DarkSide will also encrypt ransom notes and the APIs used to execute remote commands on the victim’s device. The DarkSide ransomware creates a unique ID for every victim which is added to the file extension for the encrypted files. The ransom amounts can vary significantly from a few hundred thousand dollars to millions depending on what the attackers decide, based on the victim’s size and its annual income.
Examples of DarkSide Ransomware Attacks
Given that DarkSide ransomware is still relatively new, there have been few high-profile cases reported in the media. Perhaps their biggest accomplishment so far was the attack on the Colonial Pipeline Company, which occurred in May 2021. During the attack, Colonial Pipeline was forced to temporarily shut down the 5,500-mile pipeline that carries 45% of the fuel used on the East Coast of the United States. They decided to pay the ransom ($4.4 million in bitcoin) to avoid long-term disruption.
Ultimately, Colonial fell very short in their security practices, including not having MFA in place on their network, and also, critically, not enforcing stricter password policies. Despite the FBI being able to recover some of the ransom money they paid, Colonial was fined almost $1 million for lax security by US government energy regulators.
How to Protect Against DarkSide Ransomware Attacks
Use strong passwords
To prevent attackers from brute-force-guessing account passwords and to prevent the attack from spreading to other systems, you will need a strong password policy, or better yet, use multi-factor authentication (MFA) in conjunction with a zero-trust approach.
Turn off RDP
By turning off RDP, businesses can significantly reduce the risk of a DarkSide ransomware infection. This is because RDP is one of the primary ways that attackers gain access to systems to launch ransomware attacks.
Turning off RDP involves disabling the feature on the system, preventing remote access and control. This can be done through the Windows operating system by accessing the Control Panel and navigating to the System and Security settings.
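As an added example (not from the original post), the same change made from an elevated PowerShell session instead of the Control Panel, followed by a check of the result. Run it from the console or another management channel, since stopping the service will cut any RDP session you are working over.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# 1. Check the current state: fDenyTSConnections 0 = RDP enabled, 1 = RDP disabled.
(Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections

# 2. Deny Remote Desktop connections at the OS level (the same switch the Control Panel toggles).
Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1

# 3. Disable the built-in "Remote Desktop" firewall rule group so TCP 3389 is no longer admitted.
#    The group name is the English display name; it is localized on non-English installs.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 4. If nothing else on the host needs Remote Desktop Services, stop the service and keep it off.
Stop-Service -Name TermService -Force
Set-Service -Name TermService -StartupType Disabled

# 5. Verify: the rules report Enabled = False and nothing is listening on TCP 3389.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Select-Object DisplayName, Enabled
Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
```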
Configure your firewall
Configuring your firewall is an important step in protecting against DarkSide ransomware and other types of malware. Firewalls are a type of network security system that can monitor and control incoming and outgoing network traffic.
By configuring your firewall to block certain types of traffic and restrict access to certain ports, you can prevent attackers from gaining unauthorized access to your network and systems.
One common way that DarkSide ransomware and other types of malware gain access to systems is through open ports that are not secured by a firewall. For example, attackers may use an open port to connect to a remote desktop protocol (RDP) service and gain access to the system.
By configuring your firewall to block or restrict access to these types of ports, you can prevent attackers from gaining unauthorized access and launching ransomware attacks.
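An added PowerShell example (not from the original post) that shows the weak setting beside the corrected one: it finds inbound allow rules that expose TCP 3389 to any source, disables them, and replaces them with a rule scoped to a management subnet. The subnet 10.10.50.0/24 is a placeholder assumption.

```powershell
# Added example (not from the original post). Assumes management hosts sit in 10.10.50.0/24 (placeholder).
$mgmtSubnet = '10.10.50.0/24'

# 1. Weak setting: enabled inbound allow rules for TCP 3389 that accept any remote address.
#    The built-in "Remote Desktop" group is the usual culprit.
$openRdpRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
$openRdpRules | Select-Object DisplayName, Profile

# 2. Disable the unscoped rules.
$openRdpRules | Disable-NetFirewallRule

# 3. Make sure the default inbound action is Block, so only explicit allow rules admit traffic.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 4. Corrected setting: a single allow rule limited to the management subnet.
#    Do not add a separate "block from everywhere else" rule: in Windows Firewall an explicit
#    block rule outranks an allow rule, so it would shut out the management subnet as well.
New-NetFirewallRule -DisplayName 'RDP - allow from management subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $mgmtSubnet -Action Allow -Profile Domain,Private

# 5. Verify the effective source scope of the new rule.
Get-NetFirewallRule -DisplayName 'RDP - allow from management subnet only' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```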
Use a VPN
A VPN is a type of network security system that provides a secure and encrypted connection between a user and a remote server, allowing users to access the internet and other resources securely and privately.
One of the primary benefits of using a VPN is that it can help protect against Man-in-the-Middle (MitM) attacks, which are often used by attackers to intercept and steal data. MitM attacks involve intercepting network traffic between a user and a remote server, allowing attackers to eavesdrop on sensitive information, such as login credentials and financial data.
By using a VPN, all network traffic is encrypted and routed through a secure tunnel, preventing attackers from intercepting and stealing data. This makes it much more difficult for attackers to launch DarkSide ransomware attacks or other types of cyber-attacks.
Automate a response to anomalous events
Being able to detect and react to the symptoms of a ransomware attack is vital. This cannot be done without the help of a dedicated visibility platform, such as a Data Security Platform. The Lepide Data Security Platform can help organizations monitor file activity and send out alerts, or trigger automated responses, when ransomware is detected. For example, if a large number of files are renamed in a short space of time, it could indicate an encryption event taking place. Lepide would be able to spot this and trigger a script to disable the compromised user account.
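An added example, not Lepide's code, of the rename-burst heuristic just described together with the account-disable response. The file-activity events are constructed inline; in practice they would come from file-server audit records, and Disable-ADAccount assumes the ActiveDirectory module is installed.

```powershell
# Added example (not Lepide's code). Flags any account that renames at least $Threshold files
# within $WindowSeconds, using a sliding window over that account's sorted rename timestamps.
function Find-RenameBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with Timestamp, User, Action
        [int] $Threshold = 50,                       # renames that count as a burst
        [int] $WindowSeconds = 60                    # ... within this many seconds
    )
    $renames = $Events | Where-Object { $_.Action -eq 'Rename' }
    foreach ($group in ($renames | Group-Object -Property User)) {
        $times = @($group.Group | ForEach-Object { [datetime]$_.Timestamp } | Sort-Object)
        $start = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            # Advance the window start until the window spans at most WindowSeconds.
            while (($times[$end] - $times[$start]).TotalSeconds -gt $WindowSeconds) { $start++ }
            if (($end - $start + 1) -ge $Threshold) {
                [pscustomobject]@{
                    User       = $group.Name
                    Renames    = $end - $start + 1
                    WindowFrom = $times[$start]
                    WindowTo   = $times[$end]
                }
                break   # one alert per account is enough
            }
        }
    }
}

# Constructed sample data: 'alice' renames 3 files over an hour (normal activity);
# 'bob' renames 80 files in about 40 seconds (what an encryption run looks like).
$base = [datetime]'2021-05-07T09:00:00'
$events = @()
foreach ($i in 0..2)  { $events += [pscustomobject]@{ Timestamp = $base.AddMinutes(20 * $i); User = 'alice'; Action = 'Rename' } }
foreach ($i in 0..79) { $events += [pscustomobject]@{ Timestamp = $base.AddMilliseconds(500 * $i); User = 'bob'; Action = 'Rename' } }
$events += [pscustomobject]@{ Timestamp = $base.AddSeconds(5); User = 'bob'; Action = 'Read' }

$alerts = Find-RenameBursts -Events $events -Threshold 50 -WindowSeconds 60
$alerts | Format-Table   # expected: one row for 'bob', none for 'alice'

# Automated response: disable the offending account. Remove -WhatIf to act for real.
foreach ($alert in $alerts) {
    Disable-ADAccount -Identity $alert.User -WhatIf
}
```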
Back up your data regularly
Make sure that you keep a copy of your backups offline, or at least off-network. Consider encrypting your backups as well, to be on the safe side.
Ensure that all software is up-to-date
Patches must be applied to all applications, including your operating system and any security software you use, as soon as they become available. Consider using an automated patch management solution.
Enforce “least privilege” access
Ensure that users are granted the least privileges they need to perform their role. This will limit the amount of sensitive data DarkSide has access to. To do this, you need to have a strong understanding of the sensitive data you have, who has access to it, and how they are getting that access. Trying to do this without the help of a Data Security Platform would be very difficult.
Monitor endpoints and traffic
In addition to responding to events that meet a threshold condition, there are various events you can look out for that might suggest you have been infected with DarkSide ransomware. For example, you can monitor for suspicious outbound network traffic, privilege escalation, changes to your security settings, and the installation of unauthorized software, to name a few. Use an intrusion prevention solution in conjunction with a real-time data-centric auditing solution, to detect, alert, and respond to anomalous changes.
How Lepide Helps Protect Against DarkSide Ransomware
The Lepide Data Security Platform is a comprehensive security solution that provides real-time monitoring and alerts, data discovery and classification, and visibility over access controls to protect sensitive data and prevent unauthorized access from various types of malware, including DarkSide ransomware.
The platform has advanced ransomware detection capabilities that monitor file activity in real time, enabling administrators to identify suspicious activity that may indicate a DarkSide ransomware attack. It can also classify sensitive data, such as financial records, personally identifiable information (PII), and intellectual property, and then help IT teams make informed decisions about access controls so that access is restricted to authorized personnel.
Moreover, the platform includes features like pre-defined threat models, privilege escalation monitoring, user behavior analytics, and file activity monitoring that can detect and respond to potential DarkSide ransomware attacks in real-time, minimizing the impact of successful attacks.
If you’d like to see how the Lepide Data Security Platform can help you prevent DarkSide ransomware attacks, schedule a demo with one of our engineers.