5 Things to Know about DarkSide & Other Ransomware as a Service Groups

June 22, 2021
Vectra AI Security Research team
Cybersecurity

1. Who is DarkSide?

DarkSide was a ransomware as a service (RaaS) group for hire. The DarkSide RaaS group had been operating and involved in cyberattacks since at least August 2020. Hackers (affiliates) would hire DarkSide to extract the maximum ransom from an organization after proving to DarkSide that they had established persistent access to a target. From there, DarkSide used that access to deploy the ransomware.

DarkSide, like many other RaaS groups, used a double extortion approach. First, they would demand a ransom for the decryption key; second, they would demand a separate ransom for the data stolen from the organization before encryption, threatening to publish it if the victim did not pay.

2. What is the DarkSide ransomware business model?

DarkSide runs an affiliate program in which the ransomware operators provide crypto-locking malware code to third parties (affiliates). Each affiliate receives a build of the code with their unique affiliate ID embedded, so that payments can be attributed to the affiliate who compromised the victim. For every victim that pays a ransom, the affiliate shares a percentage of the payment (generally ~30%) with the ransomware operator.

Ransomware as a Service groups use the affiliate model

3. What are DarkSide ransomware attack methods?

RaaS groups, including DarkSide, do not infiltrate organizations themselves. Instead, the hacker (affiliate) must prove they have gained access to an organization, and the RaaS group then uses this access to stage the ransomware while simultaneously performing due diligence on the target's ransomware insurance policy to ensure maximum profit. These groups use commonly observed techniques throughout their staging activities, which makes it possible for Vectra to detect ransomware long before any encryption occurs.

New ransomware, same techniques and tactics

4. How does Ransomware bypass standard security tools?

5. How to detect and stop Ransomware gangs like DarkSide before the ransomware event?

While DarkSide has purportedly ceased operations following the Colonial Pipeline attack, there are currently more than 100 RaaS groups active, and certainly more ready to take their place. Early detection of threat-actor behavior is critical to stopping ransomware from crippling your business. Vectra identifies pre-ransomware behaviors used by DarkSide and other RaaS groups to stop the attacks.

If you feel that your business isn’t a target for ransomware—just ask yourself:

  • Can your business afford to be down for 21 days?*
  • Can your business afford to take 287 days to recover from an attack?**
  • Can your business afford to pay $312,493 in ransom?***
  • Can your organization afford the brand damage of an attack?

Stop Ransomware now! Vectra can show you how.

* Coveware, “Ransomware Payments Fall as Fewer Companies Pay Data Exfiltration Extortion Demands,” February 1, 2021. https://www.coveware.com/blog/ransomware-marketplace-report-q4-2020
** Emsisoft Malware Lab, “The State of Ransomware in the US: Report and Statistics 2020,” January 18, 2021, Emsisoft Blog, https://blog.emsisoft.com/en/37314/the-state-of-ransomware-in-the-us-report-and-statistics-2020/
*** Unit 42, Palo Alto Networks, “Ransomware Threat Assessments: A Companion to the 2021 Unit 42 Ransomware Threat Report,” March 17, 2021, https://unit42.paloaltonetworks.com/ransomware-threat-assessments.