On May 10, the FBI announced that on Friday, May 7, a group known as DarkSide was responsible for a ransomware attack that effectively shut down the operation of the Colonial Pipeline.
DarkSide is a relatively new actor that presents itself as an independent for-profit group that follows the RaaS (ransomware-as-a-service) model touting new ransomware, DarkSide 2.0, equipped with the “fastest encryption speed on the market.” Along with conducting its ransomware operations, the group also markets and sells its software and tools to other hacking groups.
DarkSide’s team is considered relatively professional and organized. The group even has a dedicated phone number and a helpdesk to facilitate negotiations with its victims. DarkSide has traditionally presented itself to be quite meticulous in using this process to collect information from the victim to only use its ransomware on the “right targets.” This stems from the claim that DarkSide is only interested in extorting large for-profit businesses and has even attempted to donate a portion of its earnings to various charities. Further analysis of the group’s historic attacks shows that only western, English-speaking companies have been targeted with a mandate to exempt companies in Soviet states grouped under the Commonwealth of Independent States (CIS) coalition, including Georgia and Ukraine, hinting at the origins of the group.
DarkSide 2.0 features multithreading in both Windows and Linux versions. The Linux version of the ransomware can now target VMware ESXi vulnerabilities, meaning it can hijack virtual machines and encrypt their virtual hard drives targeting network-attached storages (NAS), including Synology and OMV. A unique feature of the DarkSide ransomware is that it targets domain controllers, which puts the entire network environment at risk.
Global guardian Cyber security
Global Guardian utilizes a defense-in-depth approach to protect our clients from ransomware attacks such as DarkSide. Global Guardian’s cyber security solution thoroughly detects and prevents DarkSide ransomware deployment from several aspects. Our 24/7 Security Operations Center monitors both next-generation firewalls and our Secure Workstation endpoint software to protect your corporate network and devices. These systems are specifically designed to prevent this type of attack and others. To keep up with the ever-evolving threat landscape, our internal systems and deployed equipment and software are uniquely equipped and constantly updated in real-time with the latest threat intelligence to stay ahead of malicious actors and malware.
From an Intelligence and Analysis perspective, we continue to monitor the situation. We receive intelligence from dozens of high-quality, reliable sources and will update your firewalls with any additional information as it is received and validated.
In the meantime, if you are a Global Guardian Cyber Security client, you are already protected. If you are interested in establishing cyber security services to secure your network, Global Guardian can assist immediately.
Standing by to Support
If you're concerned or have had a problem or breach, please contact Global Guardian to speak with your Virtual CISO® or contact our 24/7 Security Operations Center at +1-703-566-9463, or cyber@globalguardian.com.
