FBI and DHS’s CISA have published a joint alert to warn of ransomware attacks conducted by the DarkSide group. The alert comes after the disruptive attack that hit Colonial Pipeline that caused chaos and disruption.
The Darkside ransomware gang first emerged in the threat landscape in August 2020, in recent months the group was very active and targeted organizations worldwide.
Early this year the group announced that it will no longer attack organizations in the healthcare industry, companies involved in the development and distribution of COVID-19 vaccines, and funeral service organizations.
The alert provides technical details and mitigations related to the activity of Darkside ransomware gang. The group provides Ransomware-as-a-Service (RaaS) to a network of affiliates.
“DarkSide is ransomware-as-a-service (RaaS)—the developers of the ransomware receive a share of the proceeds from the cybercriminal actors who deploy it, known as “affiliates.” According to open-source reporting, since August 2020, DarkSide actors have been targeting multiple large, high-revenue organizations, resulting in the encryption and theft of sensitive data. The DarkSide group has publicly stated that they prefer to target organizations that can afford to pay large ransoms instead of hospitals, schools, non-profits, and governments.,” reads the joint alert.
“According to open-source reporting, DarkSide actors have previously been observed gaining initial access through phishing and exploiting remotely accessible accounts and systems and Virtual Desktop Infrastructure (VDI) (Phishing [T1566], Exploit Public-Facing Application [T1190], External Remote Services [T1133])., DarkSide actors have also been observed using Remote Desktop Protocol (RDP) to maintain Persistence [TA0003]..”
The alert confirmed that crooks use DarkSide to gain access to a victim’s network to encrypt files on internal systems and exfiltrate data, then threaten to expose data if the victim refuses to pay the ransom.
US agencies warn that groups employed DarkSide ransomware in attacks aimed at organizations across various Critical Infrastructure sectors, including manufacturing, legal, insurance, healthcare, and energy.
Immediately after the attack on Colonial Pipeline, the DarkSide group pointed out that it is financially motivated and that there is no political motivation behind its intrusion.
“Our goal is to make money, and not creating problems for society,” reads a statement from the group.
The FBI/CISA joint alert includes mitigations for ransomware attacks:
CISA and FBI urge CI owners and operators to apply the following mitigations now to reduce the risk of severe business or functional degradation should their CI entity fall victim to a ransomware attack in the future.
“CISA and the FBI do not encourage paying a ransom to criminal actors,” concludes the alert. “Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered.”
Please vote Security Affairs as Best Personal cybersecurity Blog
(SecurityAffairs – hacking, DarkSide)