Shedding Light on the DarkSide Ransomware Attack

It has been well over a decade since cybersecurity professionals began warning about cyber-kinetic attacks, both nation-state and financially motivated. Concerned about a cyber threat with the potential to destroy physical assets and cost human lives, many sounded the alarm in industrial organizations, tracking the vulnerabilities that could lead to a compromise of operational technology (OT) networks.

A variety of attacks in that realm have taken place over the years, whether launched in nation-state conflicts across the globe or as an apparent amateur challenge. Most recently, ransomware operators targeted a large U.S. refined products pipeline system, disrupting its operations and making headlines around the world. The attack reportedly affected only IT networks, but it had the potential to spread into operational zones and upstream into the wider supply chain, a scenario that could be far more damaging.

Unlike many attacks on industrial organizations that have been attributed to adversarial nation-states, the pipeline attack appears to be a cybercrime case motivated by a large payout. The group suspected of carrying it out goes by the name “DarkSide.”

IBM Security X-Force data shows that ransomware was the number one threat type X-Force responded to in 2020, accounting for 23% of the attacks that impacted organizations. Of those, our incident response data shows that 59% were double-extortion cases: in addition to having their data encrypted, victims were threatened with the leak of that data unless they paid for a decryption key by a specified deadline.

X-Force incident response data further shows that ransomware was the most common threat to organizations that use operational technology (OT) in 2020. Across the sectors we examined, manufacturing, oil and gas, transportation, utilities, construction and mining, ransomware accounted for 33% of all attacks we responded to. This trend suggests that threat actors may find organizations with OT networks particularly attractive ransomware targets precisely because of the costly downtime and the impact on a wider ecosystem and on individual consumers.

Who is on the DarkSide?

In August 2020, a new ransomware gang announced its entry into the cybercrime arena. In a “press release” of sorts posted on the group’s TOR site, its operators declared they had developed the perfect ransomware tool because the code they had used in the past was not up to the task. The newcomers also advised that they were not inexperienced cybercriminals: they had previously worked as affiliates of other successful gangs and made millions of dollars in the process. The malware itself has minor similarities to the GandCrab and Sodinokibi ransomware, as does the ransom note’s template. Another similarity to Sodinokibi is that DarkSide is designed to avoid computers whose system language matches one of 17 Windows language identifiers, covering the former Soviet republics plus Syrian Arabic. When looking for affiliates to join their ranks, only tech-savvy Russian speakers need apply; the operators further stress that they are not interested in “English speaking personalities.” DarkSide has also stated that while it targets organizations that “can pay,” it would spare healthcare, schools, non-profits and government.
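The language-identifier kill switch described above, as an added example that is not code from the article or from a DarkSide sample: a Python model of the check using Microsoft’s documented Windows LANGID values. Two things are assumptions made for the illustration and are marked as such in the code: that exactly this set of 17 identifiers is the exclusion list, and the keyboard-layout variant of the check, which is modelled here because it is the path the widely repeated “install a Russian keyboard layout” advice depends on.

```python
"""Model of the system-language exclusion check that DarkSide shares with
Sodinokibi/REvil and GandCrab.

Added illustration for this article, not code from the article or from a
DarkSide sample. The LANGID constants are Microsoft's documented Windows
language identifiers; treating exactly this set of 17 as DarkSide's list is
an assumption made for the example. On Windows the inputs would come from
GetSystemDefaultUILanguage(), GetUserDefaultLangID() and
GetKeyboardLayoutList(); here they are passed in as integers so the logic
can be exercised on any platform.
"""
from typing import Iterable, Optional

# Former Soviet republics plus Syrian Arabic, as LANGID values
# (sublanguage in the high 6 bits, primary language in the low 10 bits).
EXCLUDED_LANGIDS = frozenset({
    0x0419,  # ru-RU       Russian
    0x0422,  # uk-UA       Ukrainian
    0x0423,  # be-BY       Belarusian
    0x0428,  # tg-Cyrl-TJ  Tajik
    0x042B,  # hy-AM       Armenian
    0x042C,  # az-Latn-AZ  Azerbaijani (Latin)
    0x0437,  # ka-GE       Georgian
    0x043F,  # kk-KZ       Kazakh
    0x0440,  # ky-KG       Kyrgyz
    0x0442,  # tk-TM       Turkmen
    0x0443,  # uz-Latn-UZ  Uzbek (Latin)
    0x0444,  # tt-RU       Tatar
    0x0818,  # ro-MD       Romanian (Moldova)
    0x0819,  # ru-MD       Russian (Moldova)
    0x082C,  # az-Cyrl-AZ  Azerbaijani (Cyrillic)
    0x0843,  # uz-Cyrl-UZ  Uzbek (Cyrillic)
    0x2801,  # ar-SY       Arabic (Syria)
})


def keyboard_langid(hkl: int) -> int:
    """GetKeyboardLayoutList returns HKL handles; the low word is the LANGID
    of the layout and the high word a device/layout identifier."""
    return hkl & 0xFFFF


def skip_reason(system_ui_langid: int,
                user_langid: int,
                keyboard_layouts: Iterable[int] = (),
                excluded: frozenset = EXCLUDED_LANGIDS) -> Optional[str]:
    """Return why a sample applying this check would exit without encrypting,
    or None if the host would be encrypted.

    The system and user language checks are the ones reported for DarkSide.
    The keyboard-layout check is the variant other families use; it is
    modelled here as a generalisation, not as confirmed DarkSide behaviour.
    Matching is on the full LANGID, so ro-RO (0x0418) is encrypted while
    ro-MD (0x0818) is spared.
    """
    if system_ui_langid in excluded:
        return "system-ui-language"
    if user_langid in excluded:
        return "user-language"
    for hkl in keyboard_layouts:
        if keyboard_langid(hkl) in excluded:
            return "keyboard-layout"
    return None


if __name__ == "__main__":
    # Constructed hosts for the demonstration, not real telemetry.
    hosts = {
        "US English workstation":            (0x0409, 0x0409, [0x04090409]),
        "US English + added Russian layout": (0x0409, 0x0409, [0x04090409, 0x04190419]),
        "Kazakh system language":            (0x043F, 0x0409, [0x04090409]),
        "Romanian (Romania)":                (0x0418, 0x0418, [0x04180418]),
        "Romanian (Moldova)":                (0x0818, 0x0818, [0x08180818]),
    }
    for name, (sys_lang, usr_lang, layouts) in hosts.items():
        reason = skip_reason(sys_lang, usr_lang, layouts)
        verdict = f"spared ({reason})" if reason else "encrypted"
        print(f"{name:36s} -> {verdict}")
```

The model makes the practitioner’s caveat concrete: adding a Russian keyboard layout only trips the keyboard-layout path, so a host whose system and user languages are English is still encrypted by a sample that consults only those two values, and the match is on the full LANGID rather than the primary language, so neighbouring locales such as ro-RO are not spared.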


New Group, Old TTPs

Like other gangs operating modern ransomware, such as Sodinokibi and Maze, DarkSide combines crypto-locking data with data exfiltration and extortion. If the victim does not pay for a decryption key, the attackers threaten to publish the confidential data they stole on their dedicated leak site, DarkSide Leaks, and keep it there for at least six months. The ransom note dropped on an encrypted networked device also carries a TOR URL to a page called “Your personal leak page,” reinforcing the threat that the data will be uploaded there if the ransom is not paid. Ransom is demanded in Bitcoin or Monero, and if it is not paid by the initial deadline, the amount doubles.