Darkside, the latest ransomware operation to emerge, has been attacking organizations since earlier this month. Darkside’s customized attacks on companies have already earned them million-dollar payouts.
In their “press release”, the threat actors claim to be affiliated with prior ransomware operations that earned millions of dollars. They state that they created this new product because the earlier products did not match their needs.
Darkside states that it only targets companies it knows can pay the specified ransom, and has allegedly promised not to attack the medical, education, non-profit, and government sectors.
Darkside’s ransom demands purportedly range from $200,000 to $2,000,000, depending on the victim. Before attacking, the threat actors analyze a company’s financial records to determine how much it can pay based on its net income.
During the attack, the Darkside operators attempt to gain access to an administrator account and the Windows domain controller. With that access, they collect unencrypted data from the victim’s servers.
The stolen data is posted to a data leak site to increase the pressure on the victim to pay the ransom.
Data posted on the leak site includes the company’s name, the date it was breached, and how much data was stolen, along with screenshots of the data and a description of the types of data taken.
Darkside threatens victims who will not pay, saying their data will remain published on the leak site for at least six months. If a victim pays the ransom, Darkside says it will remove the stolen data from the site.
Analysis of Darkside shows some similarities with the REvil ransomware: the two ransom notes use a very similar template, and both groups offer chat support to help victims with ransom payment. Additionally, MalwareHunterTeam has found that Darkside deliberately avoids infecting targets in CIS (Commonwealth of Independent States) countries, a behavior also seen in REvil and GandCrab.