What is DarkSide ransomware?

DarkSide is a relatively new ransomware group, only appearing on the scene in August 2020 in Russian-language hacking forums. They have poised themselves as a new type of ransomware-as-a-service business, attempting to inculcate “trust” and a sense of reliability between themselves and their victims.

DarkSide offers its RaaS to affiliates for a percentage of the profits. The group presents a prime example of modern ransomware, operating with a more advanced business model. Modern ransomware identifies high-value targets and involves more precise monetization of compromised assets (with double extortion as an example). Modern ransomware attacks are also typically done by several groups who collaborate and split profits. These attacks may look more like advanced persistent threat (APT) attacks than traditional ransomware events.

What happened to the Colonial Pipeline?

Colonial Pipeline has operated continuously since the early 1960s, supplying 45% of the US East Coast gasoline supply, in addition to diesel and jet fuel. On Friday, May 8th, it shut down 5,500 miles of its pipeline infrastructure in response to a cyber-extortion attempt. The pipeline restarted on May 12th. Though the incident is still under investigation, the FBI confirmed what was already speculated on Monday: DarkSide was behind the attack.

In an apparent response to—though not an admission of involvement in—the attack, DarkSide released a statement on their website stating that they would introduce “moderation” to “avoid social consequences in the future.”

What organisations should do to defend against DarkSide?

Lengthy detection, investigation and response periods following a successful ransomware attack are simply too little, too late. They risk putting themselves in a situation where they must pay one (or more) ransoms. Prevention is key to defending against ransomware attacks.

In those situations, there is no guarantee that they will get their data/systems restored by the attackers, that there won’t be data corruption, that their stolen information will be deleted from the attackers’ servers or that those responsible won’t follow up with another attack and ransom demand in the future.

Organisations need to detect the attack at the earliest stages and block the threat outright. That’s why prevention is the key to defending against ransomware like DarkSide. This takes a future-ready, multi-layered operation-centric approach where Indicators of Behavior (IOBs) are leveraged to detect earlier and remediate faster than attackers can adapt their tactics.

Tal to us to learn more and see how we protect our customers against attacks like DarkSide.