Last week, the DarkSide ransomware operators launched a cyberattack on Colonial Pipeline, the largest oil pipeline operator in the United States. Information security firms and cybersecurity researchers have since shared details about the group responsible for the incident.
DarkSide runs a ransomware-as-a-service (RaaS) business model, in which its affiliates distribute the malware in exchange for a percentage of the ransom. To date, at least five Russian-speaking DarkSide affiliates have been identified.
The DarkSide group maintains a blog on the Tor network where it brags about the organizations it has breached. The attackers can also launch distributed denial-of-service (DDoS) attacks against victims who refuse to pay the ransom.
Victims are given the opportunity to negotiate the ransom payment directly with the criminals. In one case, the attackers demanded a ransom of $30 million, but after negotiations the victim was able to reduce the amount to $11 million. The attackers also promised to delete all stolen data and not to attack the company’s network again.
For initial access, the cybercriminals use credentials purchased on underground forums, brute-force attacks and email spam campaigns to deliver the malware, according to security researchers at Intel 471. These attacks exploited at least one zero-day vulnerability.
Post-exploitation tools used in DarkSide attacks can include Cobalt Strike, Metasploit, BloodHound, Mimikatz, the F-Secure Labs Custom Command and Control (C3) framework, TeamViewer, the SMOKEDHAM backdoor, and the ngrok tunneling utility.
One of the group’s affiliates deploys the ransomware only three days after the initial breach, while another tends to lurk in compromised networks for months before taking the same step.
On Tuesday, May 11, the United States Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint advisory to help organizations avoid falling victim to DarkSide ransomware attacks.