Dealing with DarkSide

This post was last updated on September 23rd, 2021 at 03:28 pm

Brian Krebs recently reviewed more details about ‘DarkSide’ and this ransomware group’s role in shutting down the Colonial Pipeline. DarkSide is a group that packages and provides ransomware capabilities as a service. Other ransomware gangs and organizations pay a fee for DarkSide tools and services making it difficult to provide accurate attribution.

This group packages and modifies common backdoors like Harpy, Sekur, and Cobalt Strike with their own custom loaders and management interfaces. They configure and deploy various ransomware packages like REvil ransomware, none of which are actually unique to DarkSide. It’s not the malware they sell or the particular techniques used that makes them effective, it’s the fact that they are well organized and experienced. This group has an entire intelligence arm and streamlined operating procedures that starts with researching their victims, ensuring they are vulnerable, blind, and capable of paying ransoms.

How to deal with DarkSide:

So, what can you do about this potential threat? It might seem simple, but prioritizing security infrastructure and monitoring will be the keys. DarkSide has benign recon and intel gathering stages that can safely determine capabilities of their victims. This group tends to avoid well defended organizations and victims with capabilities to find them — like behavioral detection and response capabilities similar to those provided by Infocyte and our partners. CISA also has provided these recommendations for preventing business disruption from ransomware attacks.

Techniques to look out for:

  • DarkSide uses Powershell to download first malware stages and prep systems.
  • They delete Volume Shadow Copies via Powershell.
  • They decode and execute malware via Certutil.exe.
  • They can perform privilege escalation on older operating systems like Windows 7 (none seen for most modern OS’s yet)

Once recon is performed, they spread fully through the network and begin PR campaigns prior to execution of the encryption/ransom. This is an opportunity window for detection and mitigation if you have an active MDR service watching for these. Infocyte, for instance, has behavioral rules that will identify all of these actions, giving you time to respond and mitigate the more damaging ransom stage.

If you’re looking for a tool to help as soon as possible, we’re offering Infocyte Platform access for free. Get started here.

Posted in ,