The DarkSide APT is a cybercriminal threat actor modeled after the Ransomware-as-a-Corporation (RaaC) trend. The group specializes in deploying ransomware attacks against specifically chosen targets. Some infosec researchers have estimated that DarkSide has managed to extort a total of $1 million from its victims.
The general tactics, techniques, and procedures (TTPs) of DarkSide show great similarities to, and in many cases overlap with, the methods seen in attack campaigns from other APTs such as Sodinokibi, DoppelPaymer, Maze and NetWalker. What sets DarkSide apart, however, is the group's highly targeted approach when selecting its victims, the creation of custom ransomware executables for each targeted organization, and the corporate-like characteristics that the group has adopted.
Official Press Release for Added Legitimacy
DarkSide announced the start of their ransomware operation through a press release published on their Tor website. While this is not the first time that threat actors have relied on press releases as a communication channel, it is still a rare occurrence. However, press releases do have some advantages - they allow the cybercriminals to project an image of a professional entity that can be trusted to uphold its end of any negotiations, while simultaneously attracting bigger media attention, which can be used as leverage against any breached organization. After all, most ransomware APTs have started collecting private data before locking the files on the infected machines. The exfiltrated information is then weaponized, and the involvement of the media could mean even bigger reputational damage for the affected company.
Hackers with Moral Code?
In their press release, the DarkSide hackers outline several aspects of their future operations. Apparently, the cybercriminals will abstain from launching any attacks against critical or vulnerable sectors such as hospitals, schools, and even governmental entities. On top of that, the APT group clarifies that they intend to go after targets based on that entity's financial revenue, implying that they will avoid companies that are already struggling financially. While these are some truly noble intentions, at least for a cybercriminal organization, it remains to be seen if DarkSide will manage to follow through. After all, hospitals remain among the most likely targets of ransomware attacks.
The DarkSide operators modify their malicious toolkit to match the currently selected target. While this method requires a lot more effort than simply deploying the same ransomware executable every time, it ensures a higher chance of success. The ransomware deletes the Shadow Volume Copies on the compromised system through a PowerShell command. Afterward, the malware terminates the processes of numerous databases, applications, mail clients, and more in preparation for its encryption routine. DarkSide, however, avoids tampering with the following processes:
The inclusion of TeamViewer in that list is rather curious and may suggest that the threat actor relies on the application for remote access to the compromised computers.
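As an added illustration (not code from the original article or from any DarkSide sample), the two host-side behaviours described above, Shadow Volume Copy deletion and the bulk termination of database and mail-client processes before encryption, are what a defender can look for in PowerShell script-block (4104) and process-creation (4688) telemetry. The following Python detector runs over constructed sample log lines (the hosts, users, field layout, timestamps and backup allowlist are all invented for this example) and flags both signals, suppressing shadow-copy deletions from an allowlisted backup service account to limit false positives:

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry in a simplified key=value layout (not a real
# Windows event export). WS-042 shows the ransomware preparation sequence;
# BKP-01 shows a backup server legitimately rotating its own shadow copies.
SAMPLE_LOGS = """\
2021-08-10T13:05:12Z host=WS-042 event=4104 user=jdoe script=Get-ChildItem C:\\Users\\jdoe\\Documents
2021-08-10T13:05:40Z host=WS-042 event=4104 user=jdoe script=Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }
2021-08-10T13:05:41Z host=WS-042 event=4688 user=jdoe cmd=vssadmin.exe delete shadows /all /quiet
2021-08-10T13:05:45Z host=WS-042 event=4104 user=jdoe script=Stop-Process -Name sqlservr -Force
2021-08-10T13:05:46Z host=WS-042 event=4104 user=jdoe script=Stop-Process -Name outlook -Force
2021-08-10T13:05:46Z host=WS-042 event=4104 user=jdoe script=Stop-Process -Name thunderbird -Force
2021-08-10T13:05:47Z host=WS-042 event=4104 user=jdoe script=Stop-Process -Name mysqld -Force
2021-08-10T13:05:47Z host=WS-042 event=4104 user=jdoe script=Stop-Process -Name oracle -Force
2021-08-10T14:00:00Z host=BKP-01 event=4688 user=backupsvc cmd=vssadmin.exe delete shadows /for=D: /oldest
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) "
    r"user=(?P<user>\S+) (?:script|cmd)=(?P<body>.*)$"
)

# Indicators of Shadow Volume Copy deletion (MITRE ATT&CK T1490, Inhibit System Recovery).
SHADOW_COPY_DELETION = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwin32_shadowcopy\b.*\.delete\(\)", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
]
# Commands used to stop processes or services ahead of an encryption run.
PROCESS_KILL = re.compile(r"\b(stop-process|taskkill(\.exe)?|net\s+stop|stop-service)\b", re.I)

KILL_THRESHOLD = 4                 # kill commands per host ...
KILL_WINDOW = timedelta(seconds=60)  # ... within this window trigger an alert

# Constructed allowlist: (host, user) pairs whose shadow-copy rotation is expected.
BACKUP_ALLOWLIST = {("BKP-01", "backupsvc")}


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    technique: str
    evidence: str


def detect(log_text):
    """Return a list of Findings for shadow-copy deletion and mass process termination."""
    findings = []
    kills = defaultdict(deque)   # host -> timestamps of recent kill commands
    alerted_hosts = set()        # emit the mass-termination finding once per host
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw)
        if not m:
            continue             # ignore lines that are not in the expected layout
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        host, user, body = m["host"], m["user"], m["body"]

        if any(p.search(body) for p in SHADOW_COPY_DELETION):
            if (host, user) not in BACKUP_ALLOWLIST:
                findings.append(Finding(m["ts"], host, user, "shadow_copy_deletion", body))

        if PROCESS_KILL.search(body):
            recent = kills[host]
            recent.append(ts)
            while recent and ts - recent[0] > KILL_WINDOW:
                recent.popleft()   # drop timestamps outside the sliding window
            if len(recent) >= KILL_THRESHOLD and host not in alerted_hosts:
                alerted_hosts.add(host)
                findings.append(Finding(
                    m["ts"], host, user, "mass_process_termination",
                    f"{len(recent)} kill commands within {KILL_WINDOW.seconds}s"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f"{f.timestamp} {f.host} {f.user} {f.technique}: {f.evidence}")
```

On the constructed sample this yields three findings for WS-042 (the WMI and vssadmin shadow-copy deletions, then the process-termination burst once the fourth kill command lands inside the 60-second window) and nothing for BKP-01. The allowlist is the important caveat: shadow-copy deletion is also routine backup hygiene, so a rule that fires on the command alone without pairing it with the host and account context will page the SOC every night the backup job rotates snapshots.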
The ransom note displayed is also tailor-made for the currently chosen target. The notes usually include the exact amount of data collected by the hackers, its type, and a link to the remote server where the data was uploaded. The acquired information is used as a potent extortion tool. If the breached organization refuses to meet DarkSide's demands, the data can either be sold to competitors or simply released to the public, severely damaging the victim's reputation.