A new ransomware operation named DarkSide emerged from the dark web earlier this month. Its operators have devoted their energies to customized, targeted attacks and are reported to have already earned millions of dollars in payouts.
Yes, you read that right: around August 10, 2020, the new DarkSide ransomware began targeted attacks against numerous companies, and it is reported to have been receiving hefty payouts since its release.
They even issued a press release claiming that they are former affiliates who had earned millions of dollars working with other ransomware operations.
They stated that the ransomware products on the market did not suit their needs, which made them decide to launch their own.
So while they are a new product on the market, they do not lack the experience to run such a campaign. According to them, they have earned millions of dollars in profit by partnering with other well-known cryptolockers.
According to them, they do not want to kill your business, which is why they claim to only target companies that can pay the specified ransom.
Their press release states that they do not target the following types of organizations:
Medicine (hospitals, hospices).
Education (schools, universities).
Non-profit organizations.
Government sector.
According to victims, ransom demands range from $200,000 to $2,000,000 and likely vary depending on the targeted company.
They first breach the network and move laterally until they gain access to an administrator account and the Windows domain controller. They then gather unencrypted data and upload it to their own infrastructure, to be used later as leverage to extort payment. Note what that foothold means: with domain admin rights and the domain controller, the operators can push the encryptor to every domain-joined machine, including any backup server reachable from the domain.
The information is later posted to a leak site showing the victim's name, the date of the breach, the amount of data stolen and what type of data was compromised.
Interestingly, they say that if the victim does not pay, the stolen data will be published on their site for six months. If true, even a company able to restore everything from backups might still think twice about paying to keep its data confidential. If payment is made, they claim the stolen data is completely wiped from their site, a promise that no victim can verify, since nothing stops the operators from keeping a copy.
Their attacks are highly customized for each company they try to breach. The first thing the ransomware does once it runs is delete the Volume Shadow Copies to prevent you from restoring files. It then terminates various database, office-application and mail-client processes so that the files those programs hold open are released and the machine is ready for encryption. Both steps are worth alerting on: shadow copy deletion (typically via vssadmin or WMI) is rarely legitimate on a workstation, and a burst of process kills against database and mail software from an unexpected parent process is a strong pre-encryption signal. It also means local snapshots are not a backup; only copies that are offline or immutable survive this stage.
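The two preparation steps just described give defenders a concrete detection point. Below is an added example (not code from this article, and not the ransomware's own code) that scans Sysmon-style process-creation records for shadow copy deletion and for a burst of kills against database, office and mail processes on one host. The record format (`timestamp|host|image|commandline`), the sample events, the target process list and the thresholds are all constructed assumptions for the example.

```python
"""Flag DarkSide-style pre-encryption activity in process-creation events.

Added example, not code from the article or the malware. Events are
constructed here in a simple 'ts|host|image|commandline' format; a real
deployment would feed Sysmon Event ID 1 or Security 4688 records instead.
"""
import re
from collections import defaultdict

# Command-line patterns for Volume Shadow Copy destruction commonly used by
# ransomware (vssadmin, wmic, and WMI via PowerShell).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.I),
]

# Processes an encryptor typically kills to release locked files. This list is
# an assumption for the example, not DarkSide's actual kill list.
TARGET_PROCESSES = {
    "sqlservr.exe", "oracle.exe", "mysqld.exe",   # databases
    "outlook.exe", "thunderbird.exe",            # mail clients
    "winword.exe", "excel.exe", "powerpnt.exe",  # office applications
}
KILL_THRESHOLD = 3   # distinct targets killed on one host inside the window
WINDOW_SECONDS = 60  # assumed correlation window

# Constructed sample events: WS01 shows the full pattern, SRV02 only deletes
# shadow copies via WMI, WS03 kills a single target and should not alert.
SAMPLE_EVENTS = [
    "1000|WS01|outlook.exe|outlook.exe /recycle",
    "1005|WS01|cmd.exe|cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet",
    "1006|WS01|taskkill.exe|taskkill /f /im sqlservr.exe",
    "1007|WS01|taskkill.exe|taskkill /f /im outlook.exe",
    "1008|WS01|taskkill.exe|taskkill /f /im winword.exe",
    "1009|WS01|taskkill.exe|taskkill /f /im notepad.exe",
    '2000|SRV02|powershell.exe|powershell -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
    "3000|WS03|taskkill.exe|taskkill /f /im excel.exe",
]


def parse_event(line):
    """Split one constructed record; maxsplit keeps pipes inside the command."""
    ts, host, image, cmdline = line.split("|", 3)
    return {"ts": int(ts), "host": host, "image": image.lower(), "cmd": cmdline}


def is_shadow_deletion(event):
    return any(p.search(event["cmd"]) for p in SHADOW_DELETE_PATTERNS)


def killed_target(event):
    """Return the killed process name if taskkill targets one of our apps."""
    if event["image"] != "taskkill.exe":
        return None
    m = re.search(r"/im\s+(\S+)", event["cmd"], re.I)
    if not m:
        return None
    name = m.group(1).lower()
    return name if name in TARGET_PROCESSES else None


def detect(lines):
    """Return (host, ts, alert_type, detail) tuples for the given records."""
    alerts = []
    kills = defaultdict(list)  # host -> [(ts, target process)]
    for line in lines:
        ev = parse_event(line)
        if is_shadow_deletion(ev):
            alerts.append((ev["host"], ev["ts"], "shadow_copy_deletion", ev["cmd"]))
        target = killed_target(ev)
        if target:
            kills[ev["host"]].append((ev["ts"], target))
    # Sliding window: distinct targets killed within WINDOW_SECONDS of each other.
    for host, items in kills.items():
        items.sort()
        for i, (ts, _) in enumerate(items):
            in_window = {t for t2, t in items[i:] if t2 - ts <= WINDOW_SECONDS}
            if len(in_window) >= KILL_THRESHOLD:
                alerts.append((host, ts, "mass_app_termination", ", ".join(sorted(in_window))))
                break  # one alert per host is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The shadow copy rules fire on a single event because there is almost no benign reason for them on a workstation; the process-kill rule deliberately requires several distinct targets in a short window, since a single `taskkill` against Outlook is routine helpdesk activity.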
Michael Gillespie, who analyzed the encryption process, told BleepingComputer that the ransomware encrypts files with the Salsa20 stream cipher, and that the Salsa20 key is then encrypted with an RSA-1024 public key embedded in the executable. Only the operators hold the matching private key, so the file key cannot be recovered from the sample itself. RSA-1024 is below current recommendations for new deployments, but factoring a 1024-bit modulus remains out of reach for defenders, so the short key size offers no practical shortcut to a free decryptor.
Each victim also gets a custom file extension, generated from a custom checksum of the victim's MAC address. Because the extension differs per victim, detection rules keyed on a fixed extension will not work; the shadow copy deletion and ransom note are more stable indicators.
Each executable is customized to include a personalized "Welcome to Dark" ransom note, which lists the amount of data stolen, the type of data, and a link to the victim's entry on the data leak site.
By now, exfiltrating data before encrypting the network has become standard practice among ransomware operators.
“We take our reputation very seriously,” the DarkSide operators said, adding that if ransoms are paid, “all guarantees will be fulfilled.”
With the ongoing global pandemic, businesses are down and struggling; how could they cope with such an attack? Will this ransomware really target only companies that can afford to pay? Will the operators keep their word about excluding Medicine (hospitals, hospices), Education (schools, universities), non-profit organizations and the Government sector? Only time will tell.