Active hacker groups on our radar: DarkSide

To help you develop better cyber security, Nowcomm’s SOC team is taking a wider view of the threat landscape and a closer look at one of the most dangerous and active hacking groups worldwide: DarkSide.

DarkSide is a ransomware group that first came to prominence in 2020. It is believed to be an offshoot of another group, REvil, because the ransomware used by DarkSide closely resembles REvil’s code, which was never made public. The group tried to cultivate a public image of being ‘for the people’, claiming to donate a percentage of its profits to charities and not to target hospitals, schools, non-profit organisations or governments.

Like many ransomware organisations, DarkSide adopted a professional attitude to its operations. In addition to the traditional encryption of systems and Bitcoin ransom demands, DarkSide offered live-chat support and guaranteed turnaround times to victims willing to cooperate. Various sources describe a mindset in which the group sees itself as just as much of a business as its targets.

DarkSide first scopes out a targeted company and looks for any weak link exposed to the internet. These weak links include leaked passwords for user accounts and unpatched internet-facing systems; phishing is also used to gain an initial foothold.

Thought to be based in Eastern Europe (specifically Russia), the DarkSide ransomware avoids targets in the former Soviet Union and a few other countries by checking the language and locale configured on the machine it runs on, not its physical location. If a device appears to be in Armenia, Azerbaijan, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Syria, Tatarstan, Tajikistan, Ukraine or Uzbekistan, the ransomware remains dormant.

If the machine is not configured for one of the above locales, a log file named LOG.[userid].TXT is created. The ransomware then detects and uninstalls any backup or security programs it finds and terminates any processes that would block access to user data files, since an open file handle would otherwise prevent encryption. Files are then encrypted with Salsa20 using a randomly generated matrix key. Once encryption is complete, a ransom note titled README.[userid].TXT is placed on the desktop.
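The two filenames above, LOG.[userid].TXT and README.[userid].TXT, are simple indicators to hunt for in file-creation telemetry. The Python below is an added example written for this post; it is not DarkSide’s code or Nowcomm’s tooling. It runs over a few constructed file-creation event lines, matches the two filename shapes while ignoring an ordinary README.txt, and rates a host higher when both files carry the same [userid]. The event line format and the assumption that [userid] is a run of letters and digits are the example’s own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Filenames the post attributes to DarkSide: LOG.[userid].TXT and README.[userid].TXT.
# Treating [userid] as letters and digits only is an assumption made for this example.
NOTE_PATTERN = re.compile(
    r"^(?P<kind>LOG|README)\.(?P<uid>[A-Za-z0-9]+)\.TXT$", re.IGNORECASE
)

# Constructed sample events in a made-up "timestamp host path" format (not real telemetry).
# FS-01 creates a plain README.txt, which must NOT be flagged.
SAMPLE_EVENTS = r"""
2021-05-07T03:12:01Z WS-ACC-07 C:\Users\jsmith\AppData\Local\Temp\LOG.4f9e2b1a.TXT
2021-05-07T03:12:44Z WS-ACC-07 C:\Users\jsmith\Documents\Q1 forecast.xlsx
2021-05-07T03:15:09Z WS-ACC-07 C:\Users\jsmith\Desktop\README.4f9e2b1a.TXT
2021-05-07T03:16:00Z FS-01 D:\shares\finance\README.txt
2021-05-07T03:17:30Z WS-HR-02 C:\Users\agreen\Desktop\README.9c03d7e5.TXT
""".strip()


@dataclass(frozen=True)
class Indicator:
    timestamp: str
    host: str
    path: str
    kind: str  # "LOG" or "README"
    uid: str   # the [userid] token embedded in the filename


def parse_event(line):
    """Split one 'timestamp host path' line; the path may contain spaces."""
    parts = line.strip().split(" ", 2)
    if len(parts) != 3:
        return None
    return parts[0], parts[1], parts[2]


def basename(path):
    """Last component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def find_indicators(event_text):
    """Return an Indicator for every event whose filename matches a DarkSide note pattern."""
    hits = []
    for line in event_text.splitlines():
        parsed = parse_event(line)
        if parsed is None:
            continue
        ts, host, path = parsed
        match = NOTE_PATTERN.match(basename(path))
        if match:
            hits.append(Indicator(ts, host, path, match["kind"].upper(), match["uid"]))
    return hits


def triage(hits):
    """Per host: 'high' when LOG and README share one uid (both stages seen), else 'medium'."""
    by_host = defaultdict(lambda: defaultdict(set))
    for hit in hits:
        by_host[hit.host][hit.uid].add(hit.kind)
    verdicts = {}
    for host, uids in by_host.items():
        both_stages = any(kinds >= {"LOG", "README"} for kinds in uids.values())
        verdicts[host] = "high" if both_stages else "medium"
    return verdicts


if __name__ == "__main__":
    found = find_indicators(SAMPLE_EVENTS)
    for hit in found:
        print(f"{hit.timestamp} {hit.host} {hit.kind} uid={hit.uid} {hit.path}")
    print(triage(found))
```

The match is case-insensitive because NTFS filenames are, but it still requires the three-part LOG/README.[userid].TXT shape, so a benign README.txt on a file share produces no alert. A single README on WS-HR-02 is still worth a look, which is why it is reported at medium rather than dropped.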

DarkSide operates a Ransomware-as-a-Service (RaaS) model built on an affiliate programme. Affiliates must apply and pass an interview with DarkSide before gaining access to the ransomware and its bespoke hacking tools. After a successful attack, the affiliate pays DarkSide a percentage of the ransom received. Although not confirmed, affiliates are believed to keep 75% to 90% of the ransom, depending on how much was earned. DarkSide’s total earnings between December 2020 and May 2021 are thought to be around £67,000,000, with the average ransom payment around £1,400,000.

Known Victims:

  • CompuCom
  • Canadian Discount Car and Truck Rentals
  • Toshiba
  • Brenntag
  • Colonial Pipeline

The United States government has put up a $10,000,000 reward for information leading to the arrest of DarkSide’s leaders.

Worried about emerging cyber threats? Find out more about nowSecure Defend, Nowcomm’s expert Security Operations Centre (SOC), staffed by elite UK-based security experts.
