DarkSide is a relatively new ransomware group that first appeared in August 2020 on a Russian-language hacking forum, where it offered its ransomware to other groups. It runs a newer kind of ransomware-as-a-service business, one that tries to present itself to victims as trustworthy and reliable, so that paying is seen as a dependable way to recover data. The operators' stealthy tradecraft is intended to keep their tooling and activity patterns below the detection threshold of monitored systems.
The DarkSide group aggressively pressures victims into paying. In short, it does not like to be ignored. If a victim does not respond within two or three days, the group begins sending threatening emails to employees. If that does not work either, it starts calling senior executives on their mobile phones. The next step is to threaten to contact the victim's customers or the press, and if that still fails, the group may launch a DDoS attack to take down the victim's public-facing websites.
DarkSide's techniques build on the typical ransomware pattern: encrypt the victim's files and demand a ransom for the keys needed to decrypt them and restore access. Some victims have usable backups and therefore see no reason to pay for the decryption keys. DarkSide plans for that scenario: before encryption, the operators exfiltrate sensitive information and map the victim's network, which lets them raise the demand if a victim refuses to pay and gives them leverage that backups do nothing to neutralise. They then threaten to publish the stolen data or to launch a DDoS attack.
DarkSide also offers its RaaS to third-party affiliates in exchange for a percentage of the profits. Its business model is more advanced than that of commodity ransomware: it singles out high-value targets and monetizes compromised assets more precisely, and a single attack is typically carried out by more than one group collaborating and splitting the proceeds. Taken together, these characteristics make a DarkSide intrusion look more like an APT (advanced persistent threat) campaign than a traditional ransomware event.