DarkSide ransomware is a type of ransomware developed by the cybercriminal group DarkSide. It encrypts files on infected systems, rendering them inaccessible until a ransom is paid in cryptocurrency.
What is DarkSide?
DarkSide is a cybercriminal group that uses ransomware to attack organizations and offers Ransomware-as-a-Service (RaaS), which allows customers to rent its ransomware tools. This arms less technically skilled attackers to launch complex attacks on organizations while DarkSide takes a cut of the ransom payments.
DarkSide has become infamous for its “double extortion” tactics: victims who refuse to pay the ransom demand are threatened with having their data sold on the black market or sensitive information published on the DarkSide Leaks website. The group has stolen over 100GB of data and has gathered approximately $4 million in ransom.
One of the most infamous DarkSide attacks targeted Colonial Pipeline in May 2021. Colonial Pipeline is a major fuel pipeline operator in the U.S., and DarkSide’s attack forced it to temporarily shut down operations, which led to widespread fuel shortages and price hikes. Colonial Pipeline reportedly paid a $4.4 million ransom.
What happened to DarkSide?
Following the high-profile Colonial Pipeline attack in 2021, DarkSide faced increased scrutiny from international law enforcement. In response to the pressure, the group announced its withdrawal from operations, citing the loss of access to its infrastructure and cryptocurrency wallets. However, the RaaS model means that remnants of their tools and tactics may persist through other cybercriminal groups.
How does DarkSide Ransomware work?
Instead of relying on spear-phishing emails like traditional ransomware, DarkSide ransomware targets virtual desktop infrastructure. Once inside, the attackers establish command and control using Remote Desktop Protocol (RDP) over port 443, routed through Tor to mask their activity.
DarkSide ransomware most commonly exploits two vulnerabilities: CVE-2019-5544, a vulnerability in OpenSLP, and CVE-2020-3992, a vulnerability in VMware. Patches exist for both, but organizations that do not use patch management software may still run the older, unpatched versions, which gives DarkSide ransomware a point of attack.
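The command-and-control pattern described above (RDP carried over port 443 to a Tor peer) is something a defender can look for in connection logs. The script below is an added example, not code from the original page or from NinjaOne. Its log export, its Tor relay addresses (documentation-range placeholders) and the `app` column produced by a firewall that identifies application protocols are all constructed for illustration; a real deployment would read the export from its own firewall or proxy and load the relay list from a current Tor directory feed.

```python
# Added example (not from the original page or NinjaOne): flag connection
# records that match RDP over a non-standard port to a Tor relay.
import csv
import io
from dataclasses import dataclass
from typing import List

# CONSTRUCTED Tor relay addresses: documentation-range placeholders, not real relays.
TOR_RELAYS = {"203.0.113.10", "198.51.100.7"}

RDP_STANDARD_PORT = 3389

# CONSTRUCTED export from a firewall that labels the application protocol it
# identified in each flow (columns: ts, src, dst, dport, app).
SAMPLE_LOG = """\
ts,src,dst,dport,app
2021-05-07T02:11:03Z,10.20.1.15,203.0.113.10,443,rdp
2021-05-07T02:11:09Z,10.20.1.15,192.0.2.5,443,tls
2021-05-07T02:12:44Z,10.20.1.22,198.51.100.7,443,rdp
2021-05-07T02:13:01Z,10.20.1.22,10.20.1.30,3389,rdp
2021-05-07T02:14:10Z,10.20.1.40,192.0.2.9,443,rdp
"""


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    indicators: List[str]

    @property
    def severity(self) -> str:
        # Both indicators together match the pattern described on the page;
        # a single indicator is worth a look but has benign explanations.
        return "high" if len(self.indicators) == 2 else "medium"


def indicators_for(row: dict) -> List[str]:
    """Return the indicators that a single connection record matches."""
    hits = []
    if row["app"] == "rdp" and int(row["dport"]) != RDP_STANDARD_PORT:
        hits.append(f"rdp-on-port-{row['dport']}")
    if row["dst"] in TOR_RELAYS:
        hits.append("peer-is-tor-relay")
    return hits


def find_suspicious(log_text: str) -> List[Finding]:
    """Parse a CSV export and return one Finding per record with any indicator."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        hits = indicators_for(row)
        if hits:
            findings.append(Finding(row["ts"], row["src"], row["dst"], hits))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f.severity, f.ts, f.src, "->", f.dst, ",".join(f.indicators))
```

Run against the constructed sample, the two RDP-on-443 flows to relay addresses come back as high-severity findings and the RDP-on-443 flow to a non-relay address as medium; ordinary TLS on 443 and RDP on its standard port produce nothing. Scoring the two indicators separately matters because each alone is noisy on real networks.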
How to defend your devices from DarkSide Ransomware
- Use backups
Maintain regular backups of critical data so that no files are lost during a DarkSide ransomware attack. Backup software built for ransomware recovery protects an organization’s data with encryption in transit and at rest, multi-factor authentication (MFA), and revocable authorization keys. With ransomware recovery in place, technicians can quickly restore any files that DarkSide ransomware has encrypted.
- Patch management
Keeping software consistently updated closes known vulnerabilities before ransomware can exploit them. By keeping your organization’s patch management process consistent and reliable, you can prevent DarkSide ransomware from exploiting vulnerabilities to gain access to your systems and networks.
- Utilize network segmentation
Having visibility of your network lets you spot unauthorized parties and take proactive steps such as segmentation to contain potential breaches and limit access between different parts of the network. Remote monitoring and management (RMM) software with network monitoring can help your IT team deal with ransomware attacks.
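The patch management point above is concrete for the two CVEs the page names: a host is exposed if its build predates the vendor's fix. The script below is an added example, not code from the original page or from NinjaOne. The fixed-build table and the host inventory are constructed placeholders (the build numbers are not real VMware build numbers); in use, the table would be filled from the vendor advisory for each CVE and the inventory pulled from your asset management or RMM tool.

```python
# Added example (not from the original page or NinjaOne): audit an inventory
# of hosts for the two CVEs named on the page by comparing each host's build
# against the minimum build that contains the fix.
from typing import Dict, List, Tuple

# CONSTRUCTED: minimum build containing the fix, keyed by CVE and major version.
# A value of 0 means that branch shipped after the fix and was never affected.
# These numbers are placeholders, not real VMware build numbers.
FIXED_BUILDS: Dict[str, Dict[str, int]] = {
    "CVE-2019-5544": {"6.5": 15000000, "6.7": 15100000, "7.0": 0},
    "CVE-2020-3992": {"6.5": 17000000, "6.7": 17100000, "7.0": 17200000},
}

# CONSTRUCTED inventory: (hostname, major version, build number)
INVENTORY: List[Tuple[str, str, int]] = [
    ("esx01", "6.7", 15100000),  # has the 2019 fix, lacks the 2020 fix
    ("esx02", "7.0", 17200000),  # fully patched
    ("esx03", "6.5", 14000000),  # lacks both fixes
    ("esx04", "6.0", 12000000),  # branch not covered by the fix table
]


def missing_fixes(version: str, build: int) -> List[str]:
    """List the CVEs a host still lacks a fix for, in table order.

    A version absent from the table is reported as unknown rather than
    silently treated as patched: an out-of-support branch with no fix data
    is exactly the kind of host that deserves manual review.
    """
    missing = []
    for cve, table in FIXED_BUILDS.items():
        fixed = table.get(version)
        if fixed is None:
            missing.append(f"{cve} (no fix data for {version})")
        elif build < fixed:
            missing.append(cve)
    return missing


def audit(inventory: List[Tuple[str, str, int]]) -> Dict[str, List[str]]:
    """Return {hostname: [missing CVEs]} for every host that is not clean."""
    report = {}
    for host, version, build in inventory:
        missing = missing_fixes(version, build)
        if missing:
            report[host] = missing
    return report


if __name__ == "__main__":
    for host, missing in audit(INVENTORY).items():
        print(f"{host}: {', '.join(missing)}")
```

Two design choices worth noting: the table holds one entry per major version because a fix lands in each supported branch as a different build, and an unlisted version is surfaced as "no fix data" instead of being assumed patched, so the audit never reports a host as clean simply because the table has a gap.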
Improving IT security against ransomware
As more businesses move to remote or hybrid work setups, DarkSide ransomware poses a growing threat. By understanding the threat posed by DarkSide ransomware, cybersecurity professionals can take proactive measures to secure their IT infrastructure.
Consistent patching removes vulnerabilities that could serve as vectors for an attack. But IT teams should look not only to prevent attacks but also to ensure business continuity in the event of a DarkSide ransomware attack, through a reliable backup and data recovery solution. Some comprehensive endpoint management software, such as NinjaOne, offers all these tools to safeguard your data, mitigate risks, and minimize downtime from ransomware attacks.