toonax.blogg.se

Active tor links

Our reverse engineering revealed that Darkside’s malware checks device language settings to ensure it doesn’t attack Russia-based organizations. The group has publicly stated that it prefers not to attack hospitals, schools, non-profits, and governments, but rather big organizations that can afford to pay large ransoms. While we can’t conclude that the group is made up of former IT security professionals, their attacks reveal a deep knowledge of their victims’ infrastructure, security technologies, and weaknesses. The group’s name, Darkside, evokes the image of a good guy (or gal) who has turned from the light. They provide web chat support to victims, build intricate data leak storage systems with redundancy, and perform financial analysis of victims prior to attacking.

The Darkside ransomware group announced their RaaS (Ransomware-as-a-Service) in August of 2020 via a “press release.” Since then, they have become known for their professional operations and large ransoms. In this technical blog post, we will review the tactics, techniques, and procedures (TTPs) we’ve observed.

Our team has recently led several high-profile investigations of attacks attributed to an up-and-coming cybercrime group, Darkside. These highly targeted campaigns were conducted in several phases over weeks or months, ultimately targeting theft and encryption of sensitive data, including backups.








