DarkSide is a ransomware-as-a-service platform that made headlines on May 8, 2021, for targeting Colonial Pipeline, resulting in a shutdown of their pipeline operations. The DarkSide ransomware platform first appeared in August 2020, advertising that they would not target organizations in the education, government, medical, or non-profit sectors. Based on comments DarkSide have added to their website following the Colonial Pipeline attack, “critical infrastructure” is likely to be their next addition to this list. The techniques used by DarkSide are similar to those used by the REvil (a.k.a. Sodinokibi) platform, one of the original ransomware-as-a-service platforms that made at least $123 million in profit last year.
Netskope Threat Labs is actively monitoring multiple ransomware-as-a-service platforms, including DarkSide. We expect organizations to continue to be heavily targeted with multiple ransomware families for the foreseeable future until something is done to disrupt the ability of the criminal organizations behind the attacks to profit from this activity.
DarkSide ransomware samples are detected by Netskope Threat Protection, which uses both static signatures and machine learning to identify ransomware. Netskope Advanced Threat Protection provides an additional layer of protection using both ML- and heuristic-based static analysis engines and a cloud sandbox. The following detection names indicate which engine flagged a sample:
Gen.Malware.Detect.By.Sandbox indicates a sample that was detected by Netskope’s cloud sandbox.
Gen.Malware.Detect.By.StHeur indicates a sample that was detected by one of Netskope’s static analysis engines.