New DarkSide Ransomware Strain Targets Large Orgs, Colonial Pipeline Attacked

DarkSide's advanced tactics evade detection and prevent data recovery. Organizations must bolster cybersecurity measures to protect against this evolving threat.

Cybersecurity experts have warned about a new and sophisticated ransomware strain, DarkSide, which has been targeting large, high-revenue organisations. This malware is known for its advanced techniques and has caused significant disruption, including a high-profile attack on the Colonial Pipeline in the United States.

DarkSide ransomware employs a range of tactics to evade detection and prevent data recovery. It deletes volume shadow copies, uses encrypted APIs, strings, and ransom notes, and exploits vulnerabilities such as CVE-2019-5544 and CVE-2020-3992 in unpatched or older software. The group behind the malware, also known as DarkSide, operates it as ransomware-as-a-service (RaaS), further increasing its reach.
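The shadow-copy deletion mentioned above is one of the few steps that shows up plainly in process-creation logs. The following detection sketch is an added example, not code from the article or from any vendor; the rule names, event fields and sample events are constructed, and the patterns cover the generic built-in Windows tools because the article does not say which command DarkSide runs.

```python
import re

# Patterns for built-in Windows tools that can delete volume shadow copies.
# Assumption: generic coverage; the article does not name DarkSide's command.
RULES = [
    ("vssadmin_delete", re.compile(r"\bvssadmin(\.exe)?\s.*\bdelete\s+shadows\b")),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\s.*\bshadowcopy\b.*\bdelete\b")),
    ("wmi_class_delete", re.compile(
        r"win32_shadowcopy\b.*(\bdelete\b|remove-wmiobject|remove-ciminstance)")),
]

def normalize(command_line):
    """Lower-case, drop double quotes and collapse runs of whitespace."""
    return " ".join(command_line.lower().replace('"', "").split())

def find_shadow_copy_deletion(events):
    """Return (host, rule_name, original command line) for each matching event."""
    hits = []
    for event in events:
        text = normalize(event.get("command_line", ""))
        for name, pattern in RULES:
            if pattern.search(text):
                hits.append((event["host"], name, event["command_line"]))
                break  # one alert per event is enough
    return hits

# Constructed sample process-creation events (not from a real incident).
SAMPLE_EVENTS = [
    {"host": "fs01", "command_line": "vssadmin.exe list shadows"},
    {"host": "fs01", "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws17", "command_line": "cmd.exe /c wmic  SHADOWCOPY  delete /nointeractive"},
    {"host": "ws22", "command_line":
        "powershell -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}\""},
    {"host": "ws30", "command_line": r"C:\Windows\System32\vssadmin.exe delete shadows /all"},
    {"host": "bk02", "command_line": "wbadmin get versions"},
]

if __name__ == "__main__":
    for host, rule, cmd in find_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"ALERT {host} [{rule}] {cmd}")
```

Listing or querying shadow copies (`vssadmin list shadows`) is routine administration and is deliberately not flagged; only deletion is.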

The malware encrypts sensitive data and threatens to make it public if ransom demands are not met. It has been using double extortion tactics since its emergence in August 2020. DarkSide attackers have targeted virtual infrastructure through vulnerable versions of the VMware ESXi hypervisor, exploiting the same vulnerabilities. They also employ techniques such as exploiting public-facing applications and impairing defenses.

To mitigate DarkSide ransomware attacks, organisations are advised to maintain strong passwords, use VPNs, update software regularly, and back up data. Qualys Multi-Vector EDR provides protection, detection, and response capabilities to combat such attacks. DarkSide ransomware encrypts files using Salsa20 and an RSA-1024 public key, excluding certain files based on extension.

Organisations must remain vigilant against evolving cyber threats like DarkSide ransomware. By implementing robust cybersecurity practices and investing in advanced protection tools, businesses can minimise their risk and better prepare for potential attacks.