Quicktake: What is DarkSide and how does it operate?

Ransomware's new variant is twice as fast as its previous version and encrypts files quicker than any of its peers

DarkSide, the criminal group identified by the FBI  for being behind the ransomware attack on the Colonial Pipeline, said its aim is to "make money" but not create problems for society.

The National looks at the group's history and how it works.

What is DarkSide?

DarkSide is a relatively new group that released a ransomware strain which made its first appearance in August. Recently, it announced the release of an advanced version called DarkSide 2.0. The new version is twice as fast as the previous one and encrypts files more quickly than any other ransomware on the market, according to cyber experts.

"They are very new but they are very organised," Lior Div, chief executive and co-founder of Boston-based security firm Cybereason, said.

Who are its targets?

The group stresses it is not political, but so far has targeted largely English-speaking countries and avoided the economies of former Soviet states, according to Cybereason.

Its ransom demands range between $200,000 to $2 million and the group has published stolen data from more than 40 victims, who are believed to represent just a fraction of the overall number of victims.

How does it operate?

DarkSide follows the RaaS (ransomware-as-a-service) model, meaning it will sell or lease ransomware to others to perform attacks. The group also has a help desk to facilitate negotiations with victims and to collect information about their targets – not just technical details but also other general information on victims.

"By collecting information, the group is making sure the ransomware is only used against the right targets. The group claims they only target large, profitable companies in their ransomware attacks and claims to have extorted millions of dollars from companies," Cybereason said in a blog.

DarkSide reportedly tried to donate around $20,000 in stolen Bitcoin to different charities, but they refused to accept the funds because of the illegitimate source.

Is it really behind the Colonial Pipeline attack?

Some industry experts suggested that Ryuk ransomware, linked with Russian criminal groups, is behind the attack on the Colonial Pipeline.

With more than 2,000 victims this year, Ryuk is “by far one of the most successful ransomwares”, Ram Narayanan, a Middle East-based manager at US security firm Check Point, said.

“While the US is one of Ryuk’s favourite markets, it is also targeting the UAE and there have been six attacks by Ryuk on UAE organisations so far this year. Globally, 2021 is seeing a huge and worrying surge in ransomware, with a 56 per cent increase compared to the end of last year,” Mr Narayanan added.

How do companies avoid attacks?

The best way for companies to try to avoid becoming victims is to invest in the training of their employees and strengthening their systems to avoid criminal entities like DarkSide and Ryuk.

“This is a nightmare scenario with lasting, real-world repercussions. Infrastructure today is so vulnerable that just about anyone who wants to get in can get in,” Dan Schiappa, chief product officer at British security firm Sophos, said.

“There is a clear national security value for foreign powers [who] want to shut down fuel supply throughout the nation. They are hitting where it hurts, hedging bets on a large payout,” he added.

New research by Sophos found that infrastructure organisations are more likely to pay a ransom than any other industry, with 43 per cent of the victims submitting to demands.

“Organisations must start investing in cyber security preparedness and awareness training … focus on prevention by implementing strong resiliency measures and ensure that employees are properly trained,” Francis Gaffney, director of threat intelligence and response at London-based cyber security company Mimecast, said.

EDITOR'S PICKS
NEWSLETTERS