DarkSide was a ransomware-as-a-service (RaaS) operation for hire that had been active in cyberattacks since at least August 2020. Affiliates who had already established persistent access to a target would bring that access to DarkSide, which would then use it to deploy the ransomware and extract the maximum ransom from the organization.
Like many other RaaS groups, DarkSide used a double-extortion approach: first it demanded a ransom for the decryption key, then a second ransom for the data it had stolen from the organization, which would otherwise be published.
DarkSide ran an affiliate program in which the ransomware operators supplied the crypto-locking malware to third parties. Each affiliate received a build of the code with its own unique affiliate ID embedded, so that victim payments could be attributed to the affiliate responsible. For every victim that paid a ransom, the affiliate shared a percentage of the payment (generally around 30%) with the ransomware operator.
RaaS groups, DarkSide included, do not infiltrate organizations themselves. Instead, an affiliate must prove they have gained access to an organization, and the RaaS group uses that access to stage the ransomware while simultaneously researching the target's ransomware insurance coverage to set the demand for maximum profit. These groups rely on commonly observed techniques throughout their staging activities, which makes it possible for Vectra to detect ransomware activity long before any encryption occurs.
While DarkSide has purportedly ceased operations following the Colonial Pipeline attack, more than 100 RaaS groups are currently active, and certainly more are ready to take its place. Early detection of threat-actor behavior is critical to stopping ransomware from crippling your business. Vectra identifies the pre-ransomware behaviors used by DarkSide and other RaaS groups in order to stop attacks before encryption begins.
If you feel that your business isn’t a target for ransomware—just ask yourself:
Stop Ransomware now! Vectra can show you how.