THE WORKINGS OF DARKSIDE RANSOMWARE

DarkSide ransomware is a relatively new ransomware strain that threat actors have been using to target numerous businesses, encrypting and stealing sensitive data and threatening to publish it if the ransom demand is not met. Read how the meat industry is the latest to be attacked by ransomware.

The ransomware has been active since August 2020 and was used in the attack on Georgia-based Colonial Pipeline, which caused a severe fuel supply disruption along the United States East Coast. The malware is offered to other criminals as a service through an affiliate scheme and, like other well-known ransomware threats, relies on double extortion (file encryption combined with data theft) and is spread across compromised networks through hands-on-keyboard intrusion rather than automated propagation. Recent reports state that the threat actors behind DarkSide ransomware are of Russian origin and are likely former affiliates of the REvil RaaS [ransomware-as-a-service] group.

Main Targets

As mentioned, DarkSide ransomware typically targets high-revenue businesses. Over time, further DarkSide victims have been identified through incident response engagements and posts on the DarkSide leak blog. The majority of the victims were located in the United States and operated in a variety of industries, including financial services, legal, manufacturing, professional services, retail, and technology.

How DarkSide Infiltrates Networks

DarkSide and its affiliates deliver the ransomware using the same human-operated approach as the other prominent ransomware groups that have plagued businesses in recent years. This means that attackers gain access to networks through several mechanisms, including stolen credentials, followed by manual hacking techniques and lateral movement using a range of system administration or penetration testing tools.

The objective is to map the network to identify critical servers, elevate privileges, obtain domain administrator credentials, disable and remove backups, exfiltrate sensitive data, and then deploy the ransomware to as many systems as possible at once. This deliberate, targeted approach is far more effective and harder to defend against than ransomware that spreads automatically across networks using built-in routines, which may fail and trip detection measures. Read how to identify sensitive data on our blog for more information.

To gain an initial foothold, each DarkSide affiliate may use a different strategy. These techniques are similar to those used by other ransomware groups: purchasing stolen credentials from underground markets, performing brute-force password guessing or credential stuffing attacks, purchasing access to machines already infected with botnet malware such as Dridex, TrickBot, or Zloader, and so on. Initial access is also obtained by sending emails with malicious attachments that carry a lightweight malware loader.

What is the DarkSide Ransomware Routine?

The DarkSide ransomware encrypts victims’ data with Salsa20 and RSA-1024 and is said to have a Linux variant. When run on Windows, the malware checks the system’s language setting and, if it matches the language of a country in the former Soviet Bloc or its sphere of influence, it does not encrypt the data. This is typical of malware created by groups based in the region, who avoid attracting the attention of local authorities by not hitting local organisations.

According to Cybereason researchers, the malware then stops services whose names contain the following strings: vss, sql, svc, memtas, mepocs, sophos, veeam, or backup. These cover backup components, such as the Windows Volume Shadow Copy Service (VSS), as well as security products. It then enumerates running processes and terminates them so that it can encrypt the files they hold open. It also runs a PowerShell command to delete any existing volume shadow copies that could otherwise be used to recover files.
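As an added illustration, not code from the original post, the following Python routine looks for the two pre-encryption behaviours described above (a burst of stopped backup and security services, and shadow-copy deletion from PowerShell via WMI) in constructed Windows event lines. The key=value log layout, the host names, and the 5-minute/3-service threshold are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Service-name fragments the post says DarkSide stops; matched as case-insensitive substrings.
TARGETED_SERVICE_FRAGMENTS = ("vss", "sql", "svc", "memtas", "mepocs", "sophos", "veeam", "backup")
# Shadow-copy deletion through the WMI Win32_ShadowCopy class from PowerShell (ATT&CK T1490).
SHADOW_COPY_DELETE = re.compile(r"win32_shadowcopy.*\.delete\s*\(", re.IGNORECASE)
# key=value or key="quoted value" fields; this log layout is constructed for the example.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample events: a file server showing the DarkSide routine, a routine backup-service
# restart on BK03 (should not alert), and an unrelated service stop on a workstation.
SAMPLE_EVENTS = [
    '2021-05-07T02:13:01 host=FS01 id=4688 cmdline="powershell.exe -c Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"',
    '2021-05-07T02:13:05 host=FS01 id=7036 service=VSS state=stopped',
    '2021-05-07T02:13:06 host=FS01 id=7036 service=VeeamBackupSvc state=stopped',
    '2021-05-07T02:13:06 host=FS01 id=7036 service="Sophos Endpoint Defense Service" state=stopped',
    '2021-05-07T02:13:07 host=FS01 id=7036 service=MSSQLSERVER state=stopped',
    '2021-05-07T03:00:00 host=BK03 id=7036 service=VeeamBackupSvc state=stopped',
    '2021-05-07T03:05:00 host=WS22 id=7036 service=Spooler state=stopped',
]

def parse_event(line):
    """Split an ISO timestamp followed by key=value fields into a dict."""
    ts, _, rest = line.partition(" ")
    event = {"ts": datetime.fromisoformat(ts)}
    for key, quoted, bare in FIELD.findall(rest):
        event[key] = quoted or bare
    return event

def detect(lines, window=timedelta(minutes=5), min_services=3):
    """Return {host: [reasons]}; one stopped backup service is routine maintenance, so the
    service part only fires when >= min_services distinct targeted services stop within window."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    findings, stops = {}, {}
    for e in events:
        host = e.get("host", "unknown")
        if e.get("id") == "4688" and SHADOW_COPY_DELETE.search(e.get("cmdline", "")):
            findings.setdefault(host, []).append("shadow copies deleted via PowerShell/WMI")
        elif e.get("id") == "7036" and e.get("state") == "stopped":
            name = e.get("service", "")
            if any(frag in name.lower() for frag in TARGETED_SERVICE_FRAGMENTS):
                stops.setdefault(host, []).append((e["ts"], name))
    for host, items in stops.items():
        for i, (start, _) in enumerate(items):  # sliding window over this host's stops
            names = sorted({n for t, n in items[i:] if t - start <= window})
            if len(names) >= min_services:
                findings.setdefault(host, []).append(
                    f"{len(names)} backup/security services stopped within {window}: " + ", ".join(names))
                break
    return findings
```

Only FS01 is flagged: the single Veeam stop on BK03 stays below the threshold and the Spooler stop on WS22 matches none of the listed fragments.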

DarkSide ransomware generates a unique ID for each victim and appends it to the file extension of the encrypted files. Ransom demands range from a few hundred thousand dollars to millions of dollars, based on the attackers’ assessment of the victim’s size and annual revenue.

Implementing software solutions such as SecurityShield helps by continuously scanning servers and endpoints for flaws in software design. It discovers vulnerabilities, assesses their impact, classifies them, identifies the risks they pose, and then generates a prioritised remediation plan to fix them. To learn more about our software solutions, visit our website, read our blog, or follow us on Twitter and LinkedIn.

HOW THE MEAT INDUSTRY IS THE LATEST TO BE ATTACKED BY RANSOMWARE

Industries are becoming increasingly reliant on technology to improve efficiency and streamline business processes. However, this dependency on technological solutions comes with its own security risks: wherever the valuable data that most technology and IT solutions depend on can be breached, it is exposed to cyberattack. The largest data breaches of 2020 are alarming and show how sophisticated cyberattacks have become. The most recent was the ransomware attack against JBS, the world’s largest meat-processing company. The attack disrupted all of its meat processing plants in the US and shut down slaughterhouses across Australia, bringing roughly one-fifth of US beef production to a halt.

The aftermath

The attack was carried out by REvil, a cybercriminal group believed to have originated in Russia. This is the third major attack tied to Russia this year. The US government is engaging directly with the Russian government on the matter, with the message that “responsible states do not harbor ransomware criminals”. An FBI investigation is also underway, while the agricultural sector is in talks with other major meat processors to make up for any production shortfalls.

JBS is currently unclear about the extent of the damage. The company is not aware of any evidence that supplier or customer data was involved, or that employee data was compromised. What is known is that the attack affected some of the JBS servers supporting its North American and Australian IT systems. Resolving the attack will take time, delaying certain transactions with customers and suppliers. Companies need to protect their endpoints and untrusted clouds.

The plan of action

The company took immediate action to contain the situation: alerting authorities, suspending affected systems, and activating its global network of IT professionals and third-party experts. JBS is also working closely with an incident response firm to restore its systems from its backup servers, which were unaffected. Yet even though JBS has largely recovered, with most of its plants resuming operations on June 2, 2021, the shutdown points to a temporary surge in beef and pork prices. This surge comes as the industry is already battling COVID-19 related supply chain disruptions.

The ripple effect of ransomware attacks

The JBS attack is the second major ransomware attack to throw US supply chains into chaos, coming only a month after a similar incident shut down the Colonial Pipeline. Both are high-profile cyberattacks that highlight how exposed corporations and government agencies are. They offer a frightening insight into how swiftly cybercriminals can send an entire economic sector into a tailspin, which is why organisations must prioritise protecting their at-risk data and, with it, their business reputations.

Effectively combating ransomware requires strict security strategies. Implementing software solutions such as those provided by SecurityShield protects your sensitive data before it becomes a target, by continuously scanning endpoints and servers for weaknesses in software design. These solutions help to safeguard industries crucial to US economic security.