DarkSide is the name given to the group operating the relatively new DarkSide ransomware variant that has been active since early August 2020, opting for a targeted approach where each attack involves a customised payload. The malware’s operators claim to be former affiliates of ransomware-as-a-service (RaaS) solutions who eventually decided to create their own product.
They also claim they will avoid targeting the healthcare, education, government and not-for-profit sectors, possibly out of a desire to be seen as responsible. It remains to be seen whether this promise will be honoured: avoiding government targets would be unusual for ransomware, and healthcare has remained a popular target even during the COVID-19 pandemic. What the malware does avoid, based on analysis of DarkSide’s code, is victims in CIS countries (the sample checks the system’s language settings and exits on CIS-language machines), suggesting the operators are also from this region and are aiming to avoid attracting local law enforcement.
The attack on Colonial Pipeline is not the first time DarkSide has targeted a utility company. Centrais Elétricas Brasileiras (Eletrobras) and Companhia Paranaense de Energia (Copel) have both reported ransomware attacks that impacted sensitive data and caused operational shutdowns. Both are state-owned Brazilian energy companies: Eletrobras owns Eletronuclear, which constructs and operates nuclear power plants, and Copel is the largest utility provider in the Brazilian state of Paraná, serving over 11 million people.
Once inside an organisation, DarkSide deletes Volume Shadow Copies so the victim cannot recover from local snapshots, and terminates various processes, such as those associated with databases and mail clients, so that the files they hold open can be encrypted. While this is again standard behaviour for targeted ransomware, less typical is the fact that it specifically avoids terminating TeamViewer, which the attackers may be using for remote access to the victim’s network. After the encryption process is complete, the victim is presented with a ransom demand of between USD 200,000 and 2,000,000, with the amount likely depending on the size of the victim organisation.
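The shadow-copy deletion and process termination described above are the loudest pre-encryption steps a defender can catch in process-creation telemetry. The following is an added example, not code from the original article or from any DarkSide sample: it scans constructed Sysmon-style process-creation lines for the common ways ransomware destroys Volume Shadow Copies and stops database or mail services, then correlates the two per host. The command-line patterns and the list of lock-holding processes are assumptions about generic ransomware tradecraft, not a claim about DarkSide’s exact command lines; the log format is also assumed.

```python
"""Flag shadow-copy destruction and lock-holder kills in process-creation logs."""
import re
from dataclasses import dataclass
from typing import List

# Common command lines used by ransomware to destroy Volume Shadow Copies and
# disable recovery. Assumed generic tradecraft for this example, not a claim
# about any specific family's exact commands.
SHADOW_COPY_RULES = {
    "vssadmin_delete":  re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "vssadmin_resize":  re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    "wmic_shadowcopy":  re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "wmi_powershell":   re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I),
    "wbadmin_catalog":  re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    "bcdedit_recovery": re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
}

# Database and mail processes/services that ransomware stops so their open files
# can be encrypted. Assumed list; extend it for your own estate.
LOCK_HOLDERS = {
    "sqlservr.exe", "sqlwriter.exe", "mysqld.exe", "oracle.exe", "postgres.exe",
    "mssqlserver", "mysql", "outlook.exe", "thunderbird.exe", "msexchangeis",
}
# taskkill /im <image> or net stop <service>; the target is captured for lookup.
KILL_RULE = re.compile(
    r'\b(?:taskkill(?:\.exe)?\b.*?/im\s+(?P<image>\S+)|net(?:\.exe)?\s+stop\s+"?(?P<service>[^"\s]+))',
    re.I,
)

# Assumed minimal process-creation line; everything after cmd= is the command line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+ppid=(?P<ppid>\d+)"
    r"\s+pid=(?P<pid>\d+)\s+cmd=(?P<cmd>.*)$"
)

# Constructed sample telemetry: two hosts showing pre-encryption activity plus
# benign admin commands that must not fire.
SAMPLE_LOG = [
    r"2021-05-08T03:12:44Z host=FS01 user=CORP\svc_backup ppid=612 pid=4120 cmd=C:\Windows\System32\vssadmin.exe delete shadows /all /quiet",
    r"2021-05-08T03:12:45Z host=FS01 user=CORP\svc_backup ppid=612 pid=4128 cmd=powershell.exe -nop -c Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}",
    r"2021-05-08T03:12:47Z host=DB02 user=CORP\svc_backup ppid=700 pid=2210 cmd=wmic.exe shadowcopy delete",
    r"2021-05-08T03:12:49Z host=DB02 user=CORP\svc_backup ppid=700 pid=2216 cmd=taskkill /f /im sqlservr.exe",
    r"2021-05-08T03:12:50Z host=DB02 user=CORP\svc_backup ppid=700 pid=2220 cmd=net stop MSSQLSERVER",
    r"2021-05-08T09:00:12Z host=WS17 user=CORP\jdoe ppid=5512 pid=5530 cmd=vssadmin.exe list shadows",
    r"2021-05-08T09:01:03Z host=WS17 user=CORP\jdoe ppid=5512 pid=5541 cmd=taskkill /f /im notepad.exe",
]


@dataclass
class Alert:
    ts: str
    host: str
    pid: int
    rule: str
    cmd: str


def scan(lines: List[str]) -> List[Alert]:
    """Return one Alert per (line, matched rule), in log order."""
    alerts: List[Alert] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline should count these
        cmd = m["cmd"]
        for rule, pattern in SHADOW_COPY_RULES.items():
            if pattern.search(cmd):
                alerts.append(Alert(m["ts"], m["host"], int(m["pid"]), rule, cmd))
        k = KILL_RULE.search(cmd)
        if k:
            target = (k["image"] or k["service"]).lower()
            if target in LOCK_HOLDERS:  # killing notepad is not ransomware tradecraft
                alerts.append(Alert(m["ts"], m["host"], int(m["pid"]), f"kill:{target}", cmd))
    return alerts


def hosts_with_pre_encryption_pattern(alerts: List[Alert]) -> List[str]:
    """Hosts where shadow copies were destroyed AND lock-holders were killed."""
    shadow, kills = set(), set()
    for a in alerts:
        (kills if a.rule.startswith("kill:") else shadow).add(a.host)
    return sorted(shadow & kills)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.host} pid={a.pid} {a.rule}: {a.cmd}")
    print("pre-encryption pattern on:", hosts_with_pre_encryption_pattern(found))
```

Either half of the pattern on its own is worth an alert; seeing both on one host within minutes is the point at which to isolate it. Note that this logic cannot observe what was deliberately left running, so the TeamViewer detail above has to be checked by reviewing which remote-access tools survived the process purge.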
Security researchers have identified similarities in the ransom notes used by DarkSide and Sodinokibi, one of the most prominent RaaS solutions. They have also observed the two engaging in the same behaviours, such as the way certain commands are executed. While it is possible the developers of Sodinokibi created DarkSide, we assess it is more likely, given the latter’s alleged origins, that DarkSide’s operators are former affiliates of Sodinokibi, reusing aspects of it in their own malware.
Despite the assessment that they are Russian-backed, DarkSide announced their servers would be hosted in Iran. As stated on a cybercriminal forum (see image below), DarkSide’s operators are attempting to prevent any disruption to their data leak services and to facilitate data retrieval for third parties. While saving data across multiple servers ensures that the takedown of one instance does not lead to the deletion of the data, using servers located in Iran lowers the risk that these are targeted by Western security officials and taken down as a result.
Despite the aforementioned benefits, the decision to host resources on Iranian services might have drawbacks. For instance, based on the possibility that a portion of the proceeds obtained through ransom payments are used to pay service providers within Iran, a country against which the US is enforcing sanctions, one security firm has already stated its intent to stop facilitating negotiations with DarkSide operators. To avoid incurring potential fines and violating US regulations, other security firms and ransomware negotiators might decide to take a similar stance.
With their recent attack causing a state of emergency in 17 states and gaining the attention of the mainstream media, they are now arguably the most famous strain of ransomware. With some US politicians calling the attack an act of war, the group may well have serious concerns over their future.
Orpheus is a leading cybersecurity company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence.