Darkside .🌚… It’s too dark

DarkSide is run as a Ransomware-as-a-Service (RaaS) where developers are in charge of programming the ransomware software and payment site, and affiliates are recruited to hack businesses and encrypt their devices. Access need to be gained before distributing the Ransomware

As part of this arrangement, the DarkSide ransomware developers receive a 10-25% cut, and an affiliate gets 75-90% of any ransom payments they generate.

Distributed storage system to leak data

DarkSide has stated that they are working on a distributed storage system to store and leak victims’ stolen data. Following double- extortion techniques is famous strategy.

To disrupt these extortion demands, law enforcement and cybersecurity firms actively try to take down these data leak sites.DarkSide states that they plan to create a distributed “sustainable storage system” in Iran to host the victim’s stolen data for six months.

“Some targets think that if a lot of data has been downloaded from them, then after their publication, hackers and other people will download it for a long time through the TOR. We think so too, so we will change it.” Sustainable server means data will get replicated between servers with an retention of 6 months

The DarkSide operation announced that they were looking for new Russian affiliates to join their program, who they claim to earn an average of $400k per victim.

Unlike other ransomware operations, such as Ryuk, Egregor, and others, DarkSide states that do not allow attacks on:

Medical sector
Educational division
Non-profit organizations.
Government sector.

It is too soon to tell if DarkSide will keep its promises about not targeting these organizations.

Rainy Ransomware August ! Strom hit

Large-scale breaches have mushroomed in 2020, with an increase of 273% in the first quarter as compared to the previous year. Ransomware is among the most common types of attacks and is up by 90%, as per a recent report

Tricks up their Sleeves

Ransomware operators have started using memory-mapped I/O to encrypt files, making it difficult for behavior-based anti-ransomware solutions to monitor malicious activities.

WastedLocker is using this technique to encrypt cached documents in memory, without causing additional disk I/O, which can shield it from behavior-monitoring software.

Researchers have identified a new element in recent Sodinokibi (REvil) campaigns, wherein they scan compromised networks for PoS software to make additional money from payment information. Attackers might directly use the payment information to strip accounts or sell them on underground forums.

Ransomware Attackers Up the Ante
Allegedly, Maze ransomware operators have infected the network of SK Hynix, the RAM and flash memory supplier, and leaked some of the stolen files on their website as proof of the infiltration, holding the semiconductor giant to ransom.

A ransomware attack targeted the services of SnapFulfil, a cloud-based warehouse management software provider, disrupting warehouse operations for a minimum of one of its customers. The U.K-based company is working with the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) to restore its systems.

Hackers accessed guest and employee data and encrypted a portion of the IT systems of one of the brands of British-American cruise operator, Carnival, in a ransomware attack.

Netwalker ransomware operators attacked Forsee Power, a lithium-ion battery systems provider, and shared a few screenshots of folders containing sensitive data as evidence of the breach on their online blog.

Brown-Forman, the makers of Jack Daniel’s, lost 1TB of corporate data at the hands of Sodinokibi ransomware. Some of the other firms that fell victim to ransomware attacks this month include Konica Minolta, SPIE group, R1 RCM, Boyce Technologies, LG, Xerox, and Canon.

While many organizations use the conventional signature-based solutions to protect their data, files, and systems, they need to take a more comprehensive approach toward security to address the threats posed by evolving ransomware. Not only endpoint security protects… Defence in depth must be maintained at a granular level to upheld the security.

Darkside ! Ransomware

Recently,DarkSide, launching customized attacks and asking for millions of dollars as ransom payout. A similarity in source code implies these threat actors could be following in the footsteps of GandCrab and REvil ransomware.

How do the actors operate?

The new ransomware operation DarkSide is attacking numerous companies, trying to gain access to an administrator account and the Windows domain controller on the breached network.

After getting inside, they harvest unencrypted data from the victim’s servers and upload it to their own devices.
According to Advanced Intel’s Vitali Kremez, DarkSide terminates various databases, office applications, and mail clients to prepare the victims’ machine for encryption.

Their ransom demands range from $200,000 to $2,000,000. Apparently, the hackers also own a leak site where they list the victim company name, breached date information, and screenshots as proof.

The hacker’s view

The DarkSide threat actors claimed to have made millions of dollars working with other well-known cryptolockers.
They stated that they were looking for a new custom product to suit their requirements, and hence they created this ransomware.

Possible connection to REvil and GandCrab
DarkSide purposely avoids infecting victims in Commonwealth of Independent States (CIS) countries. The source code to perform this action is similar to the code used in REvil and GandCrab.

Additionally, the ransom note left by REvil uses almost the same template as used by the REvil ransom note.

Ransomware on a boom

A drastic increase has been observed in ransomware attacks. One one hand, a large number of new ransomware like VHD, Ensiko, and several others have surfaced in the market

Caution must

For protection against ever-growing risks of ransomware, organizations need to guard up with extreme measures, like frequent data backups, multi-factor authentication, and the use of intrusion detection and prevention solutions.