
The Dark Side of the DarkSide Ransomware Group

BY eSentire

May 12, 2021 | 5 MINS READ

Ransomware

Threat Intelligence

Threat Response Unit


Number of Victims Listed: 59

New Since January 1st, 2021: 37

Victim Profiles: Victims located in the U.S., South America, Middle East, and U.K. Victims include manufacturers of all types of products, including energy companies, clothing companies, and travel companies.

DarkSide is a relatively new ransomware group. eSentire’s security research team, the Threat Response Unit (TRU), began tracking them in December 2020, and the group is thought to have emerged in November 2020. The operators claim on their blog/leak site to have infected 59 organizations in total, compromising 37 of them in 2021. News broke on May 8, 2021, that the DarkSide group might be behind the ransomware attack which forced the shutdown of Colonial Pipeline the day before. The Colonial Pipeline is one of the largest pipelines in the U.S. and delivers about 45 percent of the fuel used along the Eastern Seaboard. As of May 12, the shutdown has caused gas shortages in many markets, and depending on how long the shutdown lasts, the incident could impact millions of consumers.

DarkSide states that they provide their ransomware via a Ransomware-as-a-Service model. eSentire’s TRU suspects that one of DarkSide’s affiliates (partners) may have been responsible for the attack against Colonial Pipeline, and that the threat actors behind DarkSide were unaware of the sensitive target until news of Colonial’s shutdown broke across the globe.

Interestingly, DarkSide published the following on their website on Monday, May 10, suggesting that this may be the case: “We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other motives. Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

See image below from the DarkSide website:

The DarkSide threat actors also state on their blog that they are able to capture more of a foothold in their victims’ IT environments, boasting that they seize victims’ SQL databases, network passwords, network maps, any cleartext passwords, domain names, etc.

DarkSide Continues to Claim New Victims after Colonial Pipeline Incident

Like many other ransomware gangs, the DarkSide operators list their victims. Despite the tremendous attention currently being paid to the DarkSide gang by law enforcement and security researchers, they appear to be carrying on as if it is “business as usual.” On Tuesday, May 11 and Wednesday, May 12 they posted two new victim organizations. One of them is an IT services company based in the U.S. They claim to have stolen all kinds of data from the firm, including financial statements, employee passports, Active Directory passwords, etc. The other purported victim is a U.K.-based civil engineering company and a developer of wind farms. In reviewing their list of victims, it appears that they are primarily located in the U.S., South America, the Middle East, and the U.K. DarkSide victims include manufacturers of all types of products, energy companies, retailers of clothing and office products, and travel companies.

One of the other organizations DarkSide claims to have compromised is a Georgia-based company called The Dixie Group (NASDAQ: DXYN.O). The threat actors posted The Dixie Group on their list of victims on April 18, 2021. The Dixie Group manufactures carpets and custom rugs, and proprietary yarns used in manufacturing soft floorcoverings. eSentire cannot confirm DarkSide’s claim that they attacked The Dixie Group. However, on April 19, The Dixie Group Inc. announced that they had suffered a ransomware attack on their IT systems on April 17, 2021. News outlets also reported in March 2021 that the DarkSide operators attacked CompuCom Systems, gaining access to administrative credentials and then deploying their ransomware.

Another purported victim of the DarkSide group is a well-known, U.S.-based clothing manufacturer. Not only does DarkSide provide financial records that they claim are from the company, but they also provide video footage from what they claim is one of the clothing company’s shipping and receiving centers. The other victims they claim to have compromised include one of the largest electric power facilities in South America, which generates, transmits, distributes, and trades electric energy.

They name other victims as well, including a large company based in the Middle East that designs, manufactures, and markets a broad range of products for healthcare facilities; U.S. law firms; a large U.S.-based dental practice; a feed and fertilizer company; travel companies; and a sportswear company.

An ironic aspect of the DarkSide group is that they have registration sections on their blog for “press members” and for “ransomware recovery firms.” If you are a member of the press, they state they will give you an exclusive, letting you know about a company that has been breached before they publish it to their blog site. If you are with a ransomware recovery firm, they state they will offer discounts on the ransom being demanded of the victim organization.

The DarkSide operators also like to give the impression that they are like Robin Hood. They state that they ONLY go after profitable companies — those organizations that can afford to pay a ransom. They state that they will not attack hospitals, palliative care facilities, nursing homes, funeral homes, and companies involved in developing and distributing the COVID-19 vaccine. (See image below.)

Best of all, they state that they have donated several thousand dollars to two charities, one helping provide education to disadvantaged children and one that helps provide clean water to communities in Africa. The threat actors specifically ask that the names of the charities to which they have donated not be publicized so as not to cause them problems.

Finally, they offer to provide victim names in advance so investors can earn money from the company’s stock price reduction, once news of the attack is known. (See image below.)

The DarkSide group is just one of many ransomware gangs plaguing organizations today. These threat groups are indiscriminate in their attacks: they have compromised every type of company and entity one can think of, from hospitals to school districts to car and medical device manufacturers to local and state government agencies. For those organizations that do not have the right security protections in place, ransomware attacks can do untold damage, as we are seeing with Colonial Pipeline, and as we saw with the ransomware attacks levied against the City of Baltimore and the City of Atlanta. Both cities suffered approximately $18 million in damages.

Is your company prepared to defend against a ransomware attack or other type of cyberattack? If you aren’t currently engaged with a Managed Detection and Response (MDR) provider, we highly recommend you partner with us for security services in order to disrupt threats before they impact your business.


eSentire

eSentire, Inc., the Authority in Managed Detection and Response (MDR), protects the critical data and applications of 2000+ organizations in 80+ countries, across 35 industries from known and unknown cyber threats by providing Exposure Management, Managed Detection and Response and Incident Response services designed to build an organization’s cyber resilience & prevent business disruption. Founded in 2001, eSentire protects the world’s most targeted organizations with 65% of its global base recognized as critical infrastructure, vital to economic health and stability. By combining open XDR platform technology, 24/7 threat hunting, and proven security operations leadership, eSentire's award-winning MDR services and team of experts help organizations anticipate, withstand and recover from cyberattacks. For more information, visit: www.esentire.com and follow @eSentire.
