In January, cybersecurity firm Bitdefender released a free tool to help victims of the DarkSide ransomware recover their encrypted files. However, this did not deter the operators, who are back with a new set of threats and attacks.

Background

  • DarkSide is a Ransomware-as-a-Service (RaaS) that has been active since August 2020.
  • As part of its modus operandi, the group initially operated the ransomware through ads posted on cybercrime forums. Eventually, it adopted a well-established RaaS model to partner with other cybercrime groups.
  • The primary targets of the ransomware include companies in the professional services and manufacturing sectors.

Did the release of the decryptor lead to a DarkSide shutdown?

  • No, it didn’t seem so. In March, threat intelligence experts warned of a new version of the ransomware that featured a faster encryption process, VoIP calling, and modules to target virtual machines.
  • Moreover, DarkSide 2.0 featured multithreading capabilities in both Windows and Linux versions. While the Windows version encrypted files faster than any other RaaS model, the Linux version targeted VMware ESXi vulnerabilities to hijack virtual machines and encrypt their virtual hard drives.
  • Furthermore, the ransomware variant was also designed to target NAS devices, including Synology and OpenMediaVault (OMV).
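The bullets above describe the behaviour a defender actually sees on an ESXi datastore or NAS share when this kind of ransomware runs: a burst of files whose contents suddenly look like random data, typically with a new extension appended. The following added example (not code from Cyware, Bitdefender, or the DarkSide authors; it is a generic heuristic, not a DarkSide signature) scans a share, samples each file's byte-level Shannon entropy, and raises an alarm when high-entropy files carrying a common new extension dominate the tree. The share contents, the `.encrypted` suffix, the 7.5-bit entropy threshold and the 50% ratio are all constructed assumptions for the demo.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path


def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits (0.0 .. 8.0).

    Encrypted or compressed data sits close to 8.0; plain text, documents and
    VM disk images with unused space sit well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_share(root: Path, sample_bytes: int = 4096, threshold: float = 7.5) -> dict:
    """Walk a share, sample the head of each file and flag high-entropy ones.

    Returns the file count, the list of high-entropy paths and the extension
    that dominates those paths (ransomware usually appends one new suffix)."""
    high_entropy = []
    total = 0
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        total += 1
        with path.open("rb") as fh:
            sample = fh.read(sample_bytes)
        if shannon_entropy(sample) >= threshold:
            high_entropy.append(path)
    dominant = Counter(p.suffix for p in high_entropy).most_common(1)
    return {
        "total": total,
        "high_entropy": high_entropy,
        "dominant_ext": dominant[0] if dominant else None,
    }


def is_suspicious(result: dict, ratio: float = 0.5) -> bool:
    """Alarm when at least `ratio` of the files are high-entropy AND they share
    one extension. Assumed thresholds; tune against a baseline of the share."""
    if result["total"] == 0 or result["dominant_ext"] is None:
        return False
    _, count = result["dominant_ext"]
    return count / result["total"] >= ratio


def build_constructed_share() -> Path:
    """Constructed sample share: three clean text reports plus four files that
    look like encrypted VM disks (random bytes, '.encrypted' appended)."""
    root = Path(tempfile.mkdtemp(prefix="entropy_demo_"))
    for i in range(3):
        (root / f"report{i}.txt").write_bytes(
            b"quarterly figures, nothing unusual here\n" * 100
        )
    for i in range(4):
        (root / f"vm{i}.vmdk.encrypted").write_bytes(os.urandom(8192))
    return root


if __name__ == "__main__":
    share = build_constructed_share()
    summary = scan_share(share)
    print(f"{len(summary['high_entropy'])}/{summary['total']} high-entropy files,"
          f" dominant extension {summary['dominant_ext']}")
    print("ALERT: possible mass encryption" if is_suspicious(summary) else "clean")
```

Run as a scheduled job against a mounted datastore or NAS export and compare each run with the previous one: the useful signal is the change (a new extension appearing on many files at once), not a single snapshot, because backup archives and already-encrypted volumes are legitimately high-entropy and will show up in `high_entropy` every time.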

What other changes did the gang implement?

  • Not content with its existing victim-pressuring tactics, the DarkSide gang launched DarkSide Leaks, its leak site, to increase the chance of receiving ransom payments.
  • According to a report from Kaspersky, the gang leverages the media and engages with journalists to give updates on upcoming leaks.
  • Beyond the ransom demanded in exchange for the decryption key, the gang persuades reluctant victims to pay by falsely claiming that the money would go toward charitable donations.
  • To make it worse, the gang has started taking aim at companies listed on NASDAQ or other stock markets. This unprecedented extortion tactic can have a negative impact on targeted companies’ stock prices.

Final words

Supposedly run by former affiliates of other ransomware campaigns, the DarkSide group follows a code of conduct under which it claims it will not attack hospitals, schools, or government organizations. Nevertheless, this does not make it any less of a threat. With large organizations among its targets, the ever-evolving ransomware gang will continue to seek out new avenues to rake in profits and ratchet up pressure on victims.

Cyware Publisher
