Recently, a new ransomware operation named DarkSide has surfaced, launching customized attacks against companies and demanding ransom payouts in the millions of dollars. Similarities in its source code suggest that the threat actors behind it could be following in the footsteps of the GandCrab and REvil ransomware operations.
How do the actors operate?
The DarkSide operators are attacking numerous companies. Once on a breached network, they work toward obtaining an administrator account and control of the Windows domain controller.
After getting inside, they harvest unencrypted data from the victim's servers and upload it to systems under their own control.
According to Advanced Intel's Vitali Kremez, DarkSide terminates the processes of various databases, office applications, and mail clients so that the files those programs hold open can be encrypted, preparing the victim's machine for the encryption stage.
Their ransom demands range from $200,000 to $2,000,000. The operators also run a leak site on which they list the victim company's name, the date of the breach, and screenshots of the stolen data as proof.
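The mass termination of database, office, and mail processes described above is a useful pre-encryption signal for a SOC. The following is an added detection example written for this article, not code from DarkSide or from Advanced Intel: it runs over a constructed set of Sysmon-style events (event ID 5, process terminated) flattened to one line each, and raises an alert for any host on which several watchlisted processes die within a short window. The watchlist, the window size, and the threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Process images that ransomware commonly kills so that the files they hold open
# can be encrypted. This watchlist is an assumption for the example, not the
# list used by the DarkSide sample.
WATCHLIST = {
    "sqlservr.exe", "oracle.exe", "mysqld.exe", "postgres.exe",  # databases
    "outlook.exe", "thunderbird.exe",                            # mail clients
    "winword.exe", "excel.exe", "powerpnt.exe",                  # office applications
}

# Constructed sample log: Sysmon events flattened to "timestamp|host|eventid|image".
# Event ID 5 is "process terminated"; event ID 1 is "process created" and is ignored.
SAMPLE_EVENTS = [
    r"2020-08-21T12:00:00|HOST-A|5|C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
    r"2020-08-21T12:00:03|HOST-A|1|C:\Windows\System32\taskkill.exe",
    r"2020-08-21T12:00:05|HOST-A|5|C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
    r"2020-08-21T12:00:10|HOST-A|5|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    r"2020-08-21T12:00:12|HOST-A|5|C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"2020-08-21T12:00:15|HOST-A|5|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
    r"2020-08-21T09:00:00|HOST-B|5|C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
    r"2020-08-21T10:30:00|HOST-B|5|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
]


def parse_event(line):
    """Split one flattened event into its fields; the image is reduced to a lowercase basename."""
    ts, host, event_id, image = line.strip().split("|", 3)
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "event_id": int(event_id),
        "image": image.rsplit("\\", 1)[-1].lower(),
    }


def find_mass_terminations(lines, window_seconds=60, threshold=4):
    """Return {host: sorted list of watchlisted images} for every host on which at
    least `threshold` watchlisted processes terminated within `window_seconds`."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["event_id"] == 5 and ev["image"] in WATCHLIST:
            per_host[ev["host"]].append(ev)

    alerts = {}
    window = timedelta(seconds=window_seconds)
    for host, evs in per_host.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within window_seconds.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[host] = sorted({e["image"] for e in evs[start:end + 1]})
                break
    return alerts


if __name__ == "__main__":
    for host, images in find_mass_terminations(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: watchlisted processes killed within 60s: {images}")
```

Tune the threshold to the host role: a database server that legitimately restarts a few services during patching should not trip it, while four or more unrelated database, mail, and office processes dying within a minute on one host is worth an analyst's attention.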
The hacker’s view
The DarkSide threat actors claimed to have made millions of dollars working with other well-known cryptolockers.
They stated that they were looking for a new, custom product that suited their requirements, and so they created this ransomware themselves.
Possible connection to REvil and GandCrab
DarkSide deliberately avoids infecting victims in Commonwealth of Independent States (CIS) countries. The code that performs this check is similar to the code used for the same purpose in REvil and GandCrab.
Additionally, the ransom note left by DarkSide uses almost the same template as the REvil ransom note.
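To make the CIS exclusion concrete, here is an added example that emulates that kind of check; it is written for this article and is not DarkSide's, REvil's, or GandCrab's code. It models the two inputs such checks typically consult on Windows, the system UI language and the installed keyboard layouts, and reports whether a sample using this logic would abort. The set of LANGIDs treated as CIS is an assumption (the standard Microsoft values for those locales; which ones DarkSide actually tests is not stated on the page), as is the combination of UI language and layouts being checked. The `windows_inventory` helper reads the real values through Win32 and only runs on Windows; elsewhere the pure check is exercised with constructed values.

```python
import sys

# Windows language identifiers (LANGID = primary language | sublanguage << 10) for
# locales in the CIS region. These are the standard Microsoft values; which of them
# DarkSide actually checks is not given on the page, so the set is an assumption.
CIS_LANGIDS = {
    0x0419: "Russian",
    0x0422: "Ukrainian",
    0x0423: "Belarusian",
    0x043F: "Kazakh",
    0x0428: "Tajik",
    0x0443: "Uzbek (Latin)",
    0x0843: "Uzbek (Cyrillic)",
    0x042B: "Armenian",
    0x042C: "Azerbaijani (Latin)",
    0x082C: "Azerbaijani (Cyrillic)",
    0x0437: "Georgian",
    0x0440: "Kyrgyz",
    0x0442: "Turkmen",
    0x0444: "Tatar",
    0x0818: "Romanian (Moldova)",
}


def langid_from_hkl(hkl):
    """A keyboard layout handle (HKL) carries the layout's LANGID in its low 16 bits."""
    return hkl & 0xFFFF


def cis_exclusion_check(ui_langid, keyboard_hkls):
    """Emulate the exclusion logic: return (abort, reasons).

    abort is True when the system UI language or any installed keyboard layout
    belongs to a CIS locale; reasons lists which inputs matched, in input order."""
    reasons = []
    if ui_langid in CIS_LANGIDS:
        reasons.append("ui-language:" + CIS_LANGIDS[ui_langid])
    for hkl in keyboard_hkls:
        lid = langid_from_hkl(hkl)
        if lid in CIS_LANGIDS:
            reasons.append("keyboard-layout:" + CIS_LANGIDS[lid])
    return bool(reasons), reasons


def windows_inventory():
    """Read the real UI language and installed layouts via Win32 (Windows only)."""
    import ctypes
    kernel32 = ctypes.windll.kernel32
    user32 = ctypes.windll.user32
    ui_langid = kernel32.GetUserDefaultUILanguage()
    count = user32.GetKeyboardLayoutList(0, None)  # nBuff=0: ask how many layouts exist
    buf = (ctypes.c_void_p * count)()
    user32.GetKeyboardLayoutList(count, buf)
    hkls = [int(h or 0) & 0xFFFFFFFF for h in buf]
    return ui_langid, hkls


if __name__ == "__main__":
    if sys.platform == "win32":
        ui, hkls = windows_inventory()
    else:
        # Constructed values: English (US) UI language, with US and Russian layouts installed.
        ui, hkls = 0x0409, [0x04090409, 0x04190419]
    abort, reasons = cis_exclusion_check(ui, hkls)
    print("would abort:", abort, reasons)
```

Note that the check matches on any installed layout, not only the active one: a single CIS keyboard layout on an otherwise English system is enough to change the outcome, which is why the example reports every matching input rather than stopping at the first.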
Ransomware on the rise
A drastic increase has been observed in ransomware attacks. On the one hand, a large number of new ransomware families, such as VHD, Ensiko, and several others, have surfaced.
To protect against the ever-growing risk of ransomware, organizations need to adopt strong defensive measures, such as frequent data backups kept out of reach of an attacker who holds domain credentials, multi-factor authentication, and intrusion detection and prevention systems.