In late May, the notorious DarkSide gang announced that it was dissolving its RaaS operation following mounting pressure from U.S. authorities after the attack on Colonial Pipeline. It informed its affiliates that it had lost access to its public-facing servers, which was among the reasons given for the shutdown. However, this abrupt decision left many of its affiliates deserted, with some complaining that they had not been paid for their past activities.

How much did DarkSide earn?

  • Since its inception in August 2020, the DarkSide ransomware gang and its affiliates had launched a global crime spree affecting organizations in over 15 countries and different industry verticals.
  • In nine months, they had made at least $90 million from ransom payments.
  • Bleeping Computer adds that the gang had collected about $9 million in just one week from the attacks on Colonial Pipeline and Brenntag.
  • Although DarkSide has now closed shop, affiliates that have received the corresponding decryption keys continue to extort the victims for ransom.

The new developments

  • Recently, FireEye researchers revealed that UNC2465, one of the affiliates of the DarkSide ransomware group, has shifted its focus to software supply chain attacks.
  • The group had targeted at least one of its victims by planting trojanized software installers for download on the victim company's website.
  • This enabled the group to compromise the internal network of the victim company and plant the SMOKEDHAM backdoor, which later dropped NGROK on a victim employee's computer. It also used another malware named BEACON.
  • Since the DarkSide ransomware was not involved in this case, researchers believe that 'affiliate groups that have conducted DarkSide intrusions may use multiple ransomware affiliate programs and can switch between them at will.'

What else is happening?

  • Given the huge impact DarkSide created by attacking Colonial Pipeline, other threat actors have started leveraging the DarkSide name to target organizations in the food and energy sectors.
  • An email pretending to be from DarkSide threatens the targets with leaking sensitive information if a ransom of 100 bitcoins is not paid.
  • The email creates a sense of panic by claiming that the attackers have successfully gained access to the target's network.
  • In addition to sending emails to companies, the attackers also filled in contact forms on several companies' websites as part of the attack strategy.

The bottom line

Although active for only a short period, the DarkSide ransomware gang has left behind a major espionage trail that other adversaries can adopt. In light of the rising number of ransomware attacks, it is highly likely that low-level threat actors will continue to terrorize organizations in the name of the infamous gang or by leveraging its tactics.

Cyware Publisher