Active hacker groups on our radar: DarkSide

To help you develop better cyber security, Nowcomm’s SOC team is taking a wider view of the threat landscape and a closer look at one of the most dangerous and active hacker groups worldwide: DarkSide.

DarkSide is a hacking group that first came to prominence in 2020. The group is believed to be an offshoot of another hacking group, REvil, because the ransomware used by DarkSide closely resembles REvil’s ransomware code, which is not publicly available. The group attempted to cultivate a public image of being ‘for the people’, claiming to donate a percentage of its profits to charities and not to target hospitals, schools, non-profit organisations or governments.

Like many ransomware organisations, DarkSide adopted a professional approach to its operations. In addition to the traditional encryption of systems and Bitcoin ransom demands, DarkSide offered live-chat support and guaranteed turnaround times to victims willing to cooperate. Various sources state that the group regarded itself as just as much of a business as its targets.

DarkSide initially scopes out a targeted company and attempts to find any weak links exposed to the internet, such as leaked credentials for user accounts, unpatched internet-facing systems, or staff who can be phished.

Thought to be based in Eastern Europe (specifically Russia), the DarkSide ransomware avoids targets in former Soviet Union countries (plus a few others) by checking the language and locale settings of the target machine, not its network location. If the system language matches one associated with Armenia, Azerbaijan, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Syria, Tatarstan, Tajikistan, Ukraine or Uzbekistan, the ransomware exits without encrypting anything.

If the machine is not in one of the above locations, a file named LOG.[userid].TXT is created and used as a log file. The ransomware then detects and uninstalls any backup and/or security programs it finds and terminates any processes that would block access to user data files (for example, by holding them open). Files are then encrypted with Salsa20 using a randomly generated key and matrix. Once files have been encrypted, a ransom note titled README.[userid].TXT is placed on the desktop. The ransom note reads as follows:

DarkSide uses a model called ‘Ransomware-as-a-Service’ (RaaS), built around an affiliate programme. Affiliates must apply and pass an interview with DarkSide before gaining access to the ransomware and bespoke hacking tools. After a successful attack, affiliates pay DarkSide a percentage of the ransom they receive. Although not confirmed, it is believed that affiliates keep 75% to 90% of the ransom, with the share increasing with the size of the payment. DarkSide’s total earnings between December 2020 and May 2021 are thought to be around £67,000,000, with the average ransom payment being around £1,400,000.
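The two on-host artifacts described above, LOG.[userid].TXT and README.[userid].TXT on the desktop, are worth hunting for in file-creation telemetry. The following Python script is an added example written for this article; it is not code from the original post and has nothing to do with DarkSide’s own tooling. The event format (loosely modelled on a file-create event with host, process image and target path), the host names, process paths and userid values are all constructed for the example, and the userid is assumed to be alphanumeric.

```python
"""Hunt for DarkSide-style file artifacts (LOG.<userid>.TXT, README.<userid>.TXT) in file-creation events."""
import re
from collections import defaultdict

# File-name patterns taken from the artifact names described in the article.
# The <userid> token is assumed to be alphanumeric; its length is not fixed here.
# Windows file names are case-insensitive, so the match is too.
ARTIFACT_RE = re.compile(r"^(?P<kind>LOG|README)\.(?P<userid>[A-Za-z0-9]+)\.TXT$", re.IGNORECASE)

# Constructed sample events (not real telemetry), loosely modelled on a
# file-create event: host, writing process image, target file path.
SAMPLE_EVENTS = [
    "host=WS01 image=C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe target=C:\\Users\\alice\\LOG.1A2B3C4D.TXT",
    "host=WS01 image=C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe target=C:\\Users\\alice\\Desktop\\README.1A2B3C4D.TXT",
    "host=WS02 image=C:\\Windows\\explorer.exe target=C:\\Users\\bob\\Desktop\\README.md",
    "host=FS01 image=C:\\Windows\\System32\\notepad.exe target=C:\\Users\\carol\\Documents\\LOG.txt",
    "host=WS03 image=C:\\Users\\dave\\Downloads\\update.exe target=C:\\Users\\dave\\Desktop\\README.9F8E7D6C.TXT",
]

EVENT_RE = re.compile(r"^host=(?P<host>\S+) image=(?P<image>\S+) target=(?P<target>.+)$")


def parse_event(line):
    """Split one constructed event line into its fields, or return None if malformed."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def match_artifact(target_path):
    """Return (kind, userid) if the file name matches a DarkSide artifact pattern, else None."""
    name = target_path.replace("/", "\\").rsplit("\\", 1)[-1]
    m = ARTIFACT_RE.match(name)
    if not m:
        return None
    return m.group("kind").upper(), m.group("userid")


def hunt(lines):
    """Group matching events by (host, userid), recording which artifact kinds and writer processes were seen."""
    hits = defaultdict(lambda: {"kinds": set(), "images": set()})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        art = match_artifact(ev["target"])
        if art is None:
            continue
        kind, userid = art
        hits[(ev["host"], userid)]["kinds"].add(kind)
        hits[(ev["host"], userid)]["images"].add(ev["image"])
    return dict(hits)


def high_confidence(hits):
    """Hosts where both the log file and the ransom note were written with the same userid."""
    return sorted(host for (host, _uid), h in hits.items() if {"LOG", "README"} <= h["kinds"])


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for (host, uid), h in sorted(results.items()):
        print(f"{host} userid={uid} kinds={sorted(h['kinds'])} writers={sorted(h['images'])}")
    print("high confidence:", high_confidence(results))
```

A single README.[userid].TXT alone is a weak signal (other software writes README files), so the script only raises a high-confidence hit when both artifacts with the same userid appear on the same host; the writing process image is kept so the responder can pivot straight to the binary that dropped them.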

Known Victims:

  • CompuCom
  • Canadian Discount Car and Truck Rentals
  • Toshiba
  • Brenntag
  • Colonial Pipeline

The United States has offered a reward of up to $10,000,000 for information leading to the identification or location of DarkSide’s leaders.

Are you worried about emerging cyber threats? Find out more about the nowSecure Defend Expert Security Operations Centre (SOC), manned by UK-based elite security experts.