Netskope Threat Coverage: DarkSide

DarkSide is a ransomware-as-a-service platform that made headlines on May 8, 2021, for targeting Colonial Pipeline, resulting in a shutdown of their pipeline operations. The DarkSide ransomware platform first appeared in August 2020, advertising that they would not target organizations in the education, government, medical, or non-profit sectors. Based on comments DarkSide have added to their website following the Colonial Pipeline attack, “critical infrastructure” is likely to be their next addition to this list. The techniques used by DarkSide are similar to those used by the REvil (a.k.a. Sodinokibi) platform, one of the original ransomware-as-a-service platforms that made at least $123 million in profit last year.

Protection

Netskope Threat Labs is actively monitoring multiple ransomware-as-a-service platforms, including DarkSide. We expect organizations to continue to be heavily targeted with multiple ransomware families for the foreseeable future until something is done to disrupt the ability of the criminal organizations behind the attacks to profit from this activity.

DarkSide ransomware samples are detected by Netskope Threat Protection, which uses both static signatures and machine learning to identify ransomware. Netskope Advanced Threat Protection provides an additional layer of production using both ML and heuristic-based static analysis engines and cloud sandbox.

• Gen.Malware.Detect.By.Sandbox indicates a sample that was detected by Netskope’s cloud sandbox
• Gen.Malware.Detect.By.StHeur indicates a sample that was detected by one of Netskope’s static analysis engines

Sample Hashes

9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297
0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9
78782fd324bc98a57274bd3fff8f756217c011484ebf6b614060115a699ee134
d43b271fb4931263f8fa54b297e3cf60762a0fe5c50ed76999f276dcc3c283be
516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b