Kaspersky Comment: DarkSide and their ongoing activity
May 2021 by Vladimir Kuskov, Head of Threat Exploration at Kaspersky
The recent ransomware attack on the Colonial Pipeline in the U.S. has been attributed to, and claimed by, the cybercriminal gang DarkSide. With attacks attributed to DarkSide growing more frequent in the last year, Kaspersky has shared further insight on this group and has shed light on how its activity reflects wider trends within ransomware.
The comment from Vladimir Kuskov, Head of Threat Exploration at Kaspersky:
"DarkSide is a typical case of cybercriminal groups involved in ‘Big Game Hunting’. Their stated goal is to make money. They work in a manner similar to affiliate partner schemes – offering their ransomware ‘product’ to ‘partners’ which may, in turn, buy access to organisations from other hackers and then use it to deploy ransomware. Unlike some other groups, DarkSide claims to have a code of conduct: they do not attack hospitals, schools, government institutions and non-commercial organisations. Interestingly, DarkSide published a statement today on their leak site. Judging by their statement, it appears that they did not expect such consequences and attention after the latest attack on the Colonial Pipeline."
"There are versions of DarkSide ransomware for Windows and Linux. Both versions have a cryptographically secure scheme, so decryption is not possible without the criminals’ key."
"Previously they had used the same decryption keys for multiple victims, which allowed security companies to make a decryption tool that helped victims recover their files without paying the ransom. DarkSide responded to that situation and ‘fixed’ this problem, so new victims do not have that option anymore."
"Targeted ransomware attacks have become more common in the past couple of years, and organisations need to focus on protecting themselves and their networks to avoid falling victim to such attacks. We advise not exposing remote desktop services to public networks unless absolutely necessary, and always using strong passwords. Promptly install available patches for commercial VPN solutions that provide access for remote employees and act as gateways in your network, and always keep software updated on all the devices you use to prevent ransomware from exploiting vulnerabilities. On top of that, focus your defence strategy on detecting lateral movement and data exfiltration to the Internet, and pay special attention to outgoing traffic to detect cybercriminals’ connections. Having regular, up-to-date backups of systems is key to a speedy recovery from a ransomware attack."
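Two of the defensive checks recommended in the comment above, watching outgoing traffic for bulk data exfiltration and confirming that remote desktop services are not reachable from public networks, are shown below as an added Python example. It is not code from Kaspersky or from the comment's author. The flow-record format, the internal address ranges, the TEST-NET addresses standing in for Internet hosts, the sample flows and the 10 MB baseline threshold are all constructed assumptions for illustration.

```python
"""Added example (not part of the Kaspersky comment): two simple detections run
over constructed flow records -- outbound volume to the Internet per internal
host, and RDP (TCP/3389) accepted from public source addresses."""
import ipaddress
from collections import defaultdict

# Assumed internal address space; in practice this comes from your own IPAM.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed flow records: timestamp, src, dst, dst_port, bytes sent by src.
# 203.0.113.x and 198.51.100.x are documentation (TEST-NET) ranges used here
# to stand in for external Internet hosts.
FLOWS = """\
2021-05-10T02:11:00 10.0.5.21 10.0.5.30 445 1200
2021-05-10T02:12:00 10.0.5.21 203.0.113.17 443 8400
2021-05-10T02:13:00 10.0.5.21 203.0.113.17 443 9100000
2021-05-10T02:14:00 10.0.5.21 203.0.113.17 443 15200000
2021-05-10T02:15:00 10.0.5.40 198.51.100.9 443 5200
2021-05-10T02:16:00 198.51.100.77 10.0.5.40 3389 640
2021-05-10T02:17:00 10.0.5.12 10.0.5.40 3389 3100
"""


def is_internal(addr):
    """True if the address falls inside one of the assumed internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the whitespace-separated flow format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append({
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "bytes": int(nbytes),
        })
    return records


def outbound_volume_by_host(records):
    """Total bytes each internal host sent to addresses outside INTERNAL_NETS."""
    totals = defaultdict(int)
    for r in records:
        if is_internal(r["src"]) and not is_internal(r["dst"]):
            totals[str(r["src"])] += r["bytes"]
    return dict(totals)


def flag_exfiltration(records, threshold_bytes=10_000_000):
    """Internal hosts whose outbound Internet volume exceeds an assumed baseline.

    A real deployment would derive the threshold per host from historical
    traffic rather than use a fixed constant.
    """
    volumes = outbound_volume_by_host(records)
    return sorted(host for host, total in volumes.items() if total > threshold_bytes)


def flag_exposed_rdp(records, rdp_port=3389):
    """Internal hosts that accepted RDP connections from non-internal sources."""
    exposed = set()
    for r in records:
        if r["port"] == rdp_port and not is_internal(r["src"]) and is_internal(r["dst"]):
            exposed.add(str(r["dst"]))
    return sorted(exposed)


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    print("Outbound volume per host:", outbound_volume_by_host(flows))
    print("Possible exfiltration:", flag_exfiltration(flows))
    print("RDP reachable from outside:", flag_exposed_rdp(flows))
```

On the constructed data, 10.0.5.21 sends roughly 24 MB to one external host in a few minutes and is flagged, while 10.0.5.40 is flagged for accepting RDP from a public address; the internal-to-internal RDP session from 10.0.5.12 is not reported, since the check is about public exposure, not internal use.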