DarkSide ransomware has been making a lot of buzz in the Ransomware-as-a-Service (RaaS) landscape since August 2020, with increased activity in the past few months. Although the group has announced a shutdown, experts estimate that the gang received around $90 million in Bitcoin in just a few months of operation.
Recent DarkSide attacks
According to Trend Micro, DarkSide ransomware was targeting organizations in finance, manufacturing, and critical infrastructure sectors across multiple countries such as France, Belgium, Canada, and the U.S.
A couple of weeks ago, a Linux variant of the ransomware was found that specifically targets VMware ESXi servers, encrypting the files that make up the virtual machines hosted there rather than the individual guest systems.
Recently, the ransomware group targeted Colonial Pipeline and received a ransom of nearly $5 million. In addition, One Call Insurance was hit by DarkSide and said it had suspended its operations.
In mid-May, the managing director of Möbelstadt Sommerlad revealed that the company had been hit by a DarkSide ransomware attack.
The European units of Toshiba were also hit by the DarkSide ransomware group. The firm disconnected the network links between its European and Japanese operations to stop the malware from spreading.
Connection to Carbon Spider
Recently, CrowdStrike Intelligence attributed the DarkSide operation to Carbon Spider, a skilled e-crime group believed to be operating from Eastern Europe. The group has, however, denied any such connection.
On May 10, the DarkSide group posted a press release on its dedicated leak site stating that it does not participate in geopolitics and there is no need to connect the group with a government.
It said its goal is to make money without creating problems for society. The group also claimed it would introduce a moderation step, checking each target chosen by its RaaS affiliates before encryption, to avoid social consequences.
A flaw that was fixed
In January, security firm Bitdefender disclosed a flaw in the DarkSide ransomware and released a free decryption tool, claiming that organizations hit by DarkSide could use it to recover their files without paying the ransom.
Two other researchers, Michael Gillespie and Fabian Wosar, had independently found the same flaw a month earlier and had quietly been helping victims without publicizing it.
However, the publication of the tool alerted the DarkSide group to the flaw, and the very next day the group announced that it had fixed the weakness and resumed its attacks.
Conclusion
The attackers behind DarkSide are skilled and choose their victims carefully on the basis of financial analysis. Although the group claimed to have shut down its operations a few weeks ago, some experts report that new attacks are still ongoing, which suggests that some affiliates continue to use its infrastructure and that further attacks are likely in the near future.