Measured Insurance Partners with Canopius and Long-time Backer SCOR to Expand Critical Cyber Insurance Solutions

The DarkSide Ransomware Group: An Overview

Measured Staff
June 1, 2022
|Share this article:

On average, ransomware attacks on businesses occur every 40 seconds. By 2031, it’s expected that the total losses to ransomware among all major industries will reach $265 billion

These numbers are driven by the increasing illegal cyber activity by ransomware groups that are steadily growing in size and number. 

One of these groups is DarkSide Ransomware Group, allegedly a cybercrime gang based in Eastern Europe. What sets them apart from other groups is their Ransomware-as-a-Service (RaaS) business model. 

When Was the DarkSide Ransomware Group Founded?
The DarkSide Ransomware as a Service (RaaS) group first made itself known in August 2020, when it started its global ransomware campaign. 

The group was involved in ransomware attacks in the financial services, manufacturing, retail, and technology industries, among many others. However, they claim that they avoid targeting organizations in the healthcare, education, and nonprofit sectors. 

What’s Their Goal?
Unlike other ransomware groups, DarkSide brandishes its activities as its own way of helping the community. In addition, they claim that the money they earn from their illegal activities is donated to different charities. 

In fact, the group even made a post on the DarkWeb showing a receipt of their donations to Children International and The Water Project amounting to $10,000. 

However, this is not enough to lift themselves above the law. 

In November of 2021, the FBI announced its eagerness to catch any member of the cybercrime group. In addition, they offered a reward of up to $10,000,000 to anyone who could provide information that would lead to the identification of any of its members. 

The Colonial Pipeline Ransomware Attack
The DarkSide Ransomware Group’s most popular ransomware attack to date is the Colonial Pipeline Ransomware Attack, which they carried out in May 2021. 

This was an especially controversial event because of the consequences that ensued and the $4.4 million that the hackers received from the victim. It was the largest cyber attack on the oil industry in the history of the United States. 

This attack caused the largest fuel pipeline in the United States to go out of service. According to CNN, DarkSide’s primary target was the company’s billing system, which led to concerns that the company wouldn’t be able to determine how much to bill its customers for fuel. 

Colonial Pipeline’s main concern was that the hacker group might be able to target vulnerable parts of the pipeline. This, combined with the impacts on its billing system, was the reason why it shut down its operations. 

This attack by DarkSide was made possible through a vulnerable password for a VPN account. One of the company’s employees may have used the VPN’s password for another application targeted by a separate hack. However, according to Charles Carmakal, the senior vice president of the company, it’s not clear how the attackers obtained the password. 

The CompuCom Ransomware Attack
Before the Colonial Pipeline Attack, the DarkSide had its sights on an IT service management company, CompuCom. The group hit the South Carolina-based company and made it suffer a staggering 17% dip in its revenues for Q1 of 2021 and an overall loss of $20 million on recovery costs after the cyberattack. 

The attack was executed with Cobalt Strike – a tool that allowed the hackers unsanctioned entry into the company’s system. Unfortunately, this tool also allowed them to access their computer network and unencrypted data, providing them an entryway for their malware.

Toshiba Tec Corp Ransomware Attack
In the same month as the CompuCom attack, DarkSide targeted multinational conglomerate company, Toshiba. The cybercrime group was able to access 740 gigabytes of information from the company’s database. However, Toshiba Tec stated that the compromised information was only minimal, and no leaks were found after the attack. DarkSide was also denied a ransom. Toshiba’s spokesperson said that they didn’t make any efforts to contact the group, and they did not have any plans of paying any amount of money for the compromised data.

What is Ransomware as a Service (RaaS)?
RaaS is a business model similar to the model used by businesses selling on-demand software services. One example of these businesses is Microsoft, which caters to customers looking to purchase a subscription in exchange for access to the company’s products, such as Microsoft 365. 

DarkSide functions similarly to Microsoft. The only difference is that the cybercrime group offers ransomware services to its buyers or affiliates, as they call them. 

In addition, DarkSide takes a cut from its affiliates’ successful ransomware attacks. Affiliates are to pay 25% of their collections amounting to $500,000 or less and 10% for collections greater than $5 million.

Best Practices to Minimize the Risk of Ransomware Attacks
There are many lessons to learn from these attacks, not only from DarkSide but also from other cybercrime groups. Researching the methods and innovations these groups use to infiltrate SMBs and even today’s largest conglomerates can help build effective defensive cyber measures for your business.

Here are some best practices that you, as an individual or a business, can do to limit or eliminate the risk of ransomware attacks:

Backup Your Files – Ransomware attacks are often successful because businesses don’t back up their files.  When attackers successfully encrypt their information, businesses have no choice but to bargain for their release. And that’s mainly how ransomware works. In 2021, an insurance company paid a ransom of $40 million in exchange for their stolen data. With a backup, a business can easily regain control of their operations by simply restoring a copy of their data.

Regularly Update Your Systems – System updates are not optional, these updates are crucial for strengthening your system’s defenses against cyber intrusions and malware. Software applications will always have weak points present in their codes. This is because ransomware attacks and other cyber threats are constantly becoming more sophisticated. Software updates are a way to keep up with attackers’ increasingly innovative ways of breaching into secure cyberspaces.

Train Your Employees – It’s pretty common for ransomware attacks to be publicly announced by the victims days, weeks, or even months from the actual breach. This is because attackers stay silent and infiltrate their target’s systems without any detection by necessity.  

This will allow them ample time to gather enough data that can increase their chances of acquiring a ransom payment from their victims. The more data they can take, the higher the chance of getting paid. 

This is why it is crucial that your employees are prepared to act immediately and effectively upon spotting any suspicious activities happening in your networks and systems to mitigate further or potential data losses once a system breach is attempted.

A feasible training program may include ransomware foundational knowledge and identification of different ransomware methods, such as phishing ploys, drive-by downloads, and SQL injections, among many others. Employees should also be trained on how to handle data storage devices.

Notable ransomware incidents, like the Colonial Pipeline attack, have shed must-needed light on the possibility and prevalences of cyber attacks. While the threat of a ransomware attack is legitimate to any type of business, commiting to cybersecurity best practices can minimize the risk to an organization and its data.