skip to Main Content

Dark Side, a new ransomware operation that attacks organizations

Bleeping Computer: Dark Side is a new ransomware operation that started attacking organizations starting August 10th. The cybercrime gang issued a note that explains the campaign and the excluded targets, based on their “principles” 

Dark Side is a new ransomware operation that began attacking organizations starting August 10th. It has been denounced by Bleeping Computer cyber security experts. The malicious campaign perform targeted attacks against numerous companies. The cybercrime hackers behind it released a message, in which they claim that “We are a new product on the market, but that does not mean that we have no experience and we came from nowhere. We received millions of dollars profit by partnering with other well-known cryptolockers. We created DarkSide because we didn’t find the perfect product for us. Now we have it.” Furthermore, the threat actor explains that “Based on our principles, wi will not attack the following targets: medicine (hospitals, hospices), Education (schiools, universities), Non-profit organizations, and government sector.” Finally, they stated that “We only attack companies that can pay the requested amount, we don’t want to kill your business”.

The cyber security experts: ransoms range from $200,000 to $2,000,000. Threat actors spread laterally in a network to gain access to an administrator account and the Windows domain controller. Meanwhile, they harvest unencrypted data and publish it on a data leak site

According Bleeping Computer cyber security experts, DarkSide’s ransom demands range from $200,000 to $2,000,000. These numbers can likely be more or less depending on the victim. When the cybercrime actors breach a network, they will spread laterally until they gain access to an administrator account and the Windows domain controller. Meanwhile, they harvest unencrypted data from the victim’s servers and upload it to their own devices. This stolen data is then posted to a data leak site under their control and used as part of the extortion attempt to increase pressure (a trick started by Maze authors). The malicious hackers list list the company name, the date they were breached, how much data was stolen, screenshots of the data, and the types of them. The threat is “If you don’t pay the ransom, we will publish all of the data on the website for at least six months.”

The cybercrime hackers esploit customised malware for the specific company with PowerShell command that deletes Shadow Volume Copies on the system. The ransomware utilises  a SALSA20 key to encrypt files, and each victim receives a personalized ransom note

When Dark Side cybercrime gang launch an attack, they create a customized ransomware executable for the specific company, with a PowerShell command that deletes Shadow Volume Copies on the system so that they cannot be used to restore files. According to the cyber security expert Vitali Kremez, they then proceed to terminate various database, office applications, and mail clients to prepare the machine for encryption. When encrypting a computer, malware will avoid terminating certain processes. Michael Gillespie told BleepingComputer that it exploits a SALSA20 key to encrypt files. This key is then encrypted with a public RSA-1024 key included in the executable. Each victim will also have a custom extension created using a custom checksum of the victim’s MAC address. It includes personalized “Welcome to Dark” ransom note with the amount of data that was stolen, the type of data, and a link to it on the malicious site.

Back To Top