DarkSide is a group that packages and provides ransomware capabilities as a
service. Other ransomware gangs and organisations pay a fee for DarkSide tools
and services making it difficult to provide accurate attribution.
This group packages and modifies common backdoors like Harpy, Sekur, and Cobalt
Strike with their custom loaders and management interfaces. They configure and
deploy various ransomware packages like REvil ransomware, none of which are
unique to DarkSide. It’s not the malware they sell or the particular techniques used
that make them effective, it’s the fact that they are well organised and experienced.
This group has an entire intelligence arm and streamlined operating procedures that
start with researching their victims, ensuring they are vulnerable, blind, and capable
of paying ransoms.
How to deal with DarkSide:
So, what can you do about this potential threat? It might seem simple, but prioritising
security infrastructure and monitoring will be the keys. DarkSide has benign recon
and intel gathering stages that can safely determine the capabilities of their victims.
This group tends to avoid well-defended organisations and victims with capabilities
to find them—like behavioral detection and response capabilities.
Techniques to look out for:
- DarkSide uses Powershell to download the first malware stages and prep systems.
- They delete Volume Shadow Copies via Powershell.
- They decode and execute malware via Certutil.exe.
- They can perform privilege escalation on older operating systems like Windows 7 (none seen for most modern OS’s yet)
Once recon is performed, they spread fully through the network and begin PR
campaigns before the execution of the encryption/ransom. This is an opportunity
window for detection and mitigation if you have an active MDR service watching for
To learn how to protect your organisation from the most sophisticated and malicious
cyber threats, set up a demo with one of our representatives: Contact us for a no-
IT Connexion is a proud partner of Datto Inc.