Blog — May 12, 2021

The Dark Side of the DarkSide Ransomware Group


Victims listed on the DarkSide leak site: 59 in total, 37 of them new since January 1st, 2021.

Victim profile: organizations located in the U.S., South America, the Middle East and the U.K.; manufacturers of all types of products, including energy companies, clothing companies and travel companies.

DarkSide is a relatively new ransomware group. eSentire’s security research team, the Threat Response Unit (TRU), began tracking them in December 2020, and the group is thought to have emerged in November 2020. The operators claim on their blog/leak site to have infected 59 organizations in total, compromising 37 of them in 2021. News broke on May 8, 2021, that the DarkSide group might be behind the ransomware attack which forced the shutdown of Colonial Pipeline the day before. The Colonial Pipeline is one of the largest pipelines in the U.S. and delivers about 45 percent of the fuel used along the Eastern Seaboard. As of May 12, the shutdown has caused gas shortages in many markets, and depending on how long the shutdown lasts, the incident could impact millions of consumers.

DarkSide states that they provide their ransomware via a Ransomware-as-a-Service (RaaS) model, in which the core group maintains the malware, the payment infrastructure and the leak site while affiliates (partners) carry out the intrusions and share the ransom. eSentire's TRU suspects that one of DarkSide's affiliates was responsible for the attack against Colonial Pipeline, and that the core DarkSide operators were unaware of how sensitive the target was until news of Colonial's shutdown broke across the globe.

Interestingly, DarkSide published the following on their website on Monday, May 10, suggesting that this may be the case: “We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other motives. Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

See image below from the DarkSide website:

The DarkSide threat actors also state on their blog that they establish a deep foothold in their victims' IT environments rather than simply encrypting files, boasting that they take victims' SQL databases, network passwords, network maps, any cleartext passwords, domain names and similar material. Holding that data gives them leverage over the victim that is independent of the encryption itself.

DarkSide Continues to Claim New Victims after Colonial Pipeline Incident

Like many of the other ransomware gangs, the DarkSide operators list their victims publicly. Despite the tremendous attention currently being paid to the DarkSide gang by law enforcement and security researchers, they appear to be carrying on as if it is “business as usual.” On Tuesday, May 11 and Wednesday, May 12 they posted two new victim organizations. One of them is an IT services company in the U.S.; DarkSide claims to have stolen a wide range of data from the firm, including its financial statements, employee passports and Active Directory passwords. The other purported victim is a U.K.-based civil engineering company and developer of wind farms. In reviewing their list of victims, it appears that they are primarily located in the U.S., South America, the Middle East and the U.K. DarkSide victims include manufacturers of all types of products, energy companies, retailers of clothing and office products, and travel companies.

One of the other organizations DarkSide claims to have compromised is a Georgia-based company called The Dixie Group (NASDAQ: DXYN.O). The threat actors posted The Dixie Group on their list of victims on April 18, 2021. The Dixie Group manufactures carpets and custom rugs, as well as proprietary yarns used in manufacturing soft floorcoverings. eSentire cannot confirm DarkSide's claim that they attacked The Dixie Group. However, on April 19, The Dixie Group Inc. announced that it had suffered a ransomware attack on its IT systems on April 17, 2021. News outlets also reported in March 2021 that the DarkSide operators attacked CompuCom Systems, gaining access to administrative credentials and then deploying their ransomware.

Another purported victim of the DarkSide group is a well-known, U.S.-based clothing manufacturer. Not only does DarkSide provide financial records that they claim are from the company, but they also provide video footage from what they claim is one of the clothing company’s shipping and receiving centers. The other victims they claim to have compromised include one of the largest electric power facilities in South America, which generates, transmits, distributes, and trades electric energy.

They name other victims as well, including a large company based in the Middle East that designs, manufactures, and markets a broad range of products for healthcare facilities; U.S. law firms; a large U.S.-based dental practice; a feed and fertilizer company; travel companies; and a sportswear company.

An ironic aspect of the DarkSide group is that they have registration sections on their blog for “press members” and for “ransomware recovery firms.” If you are a member of the press, they state they will give you an exclusive, letting you know about a company that has been breached before they publish it to their blog site. If you are with a ransomware recovery firm, they state they will offer discounts on the ransom being demanded of the victim organization.

The DarkSide operators also like to give the impression that they are like Robin Hood. They state that they ONLY go after profitable companies — those organizations that can afford to pay a ransom. They state that they will not attack hospitals, palliative care facilities, nursing homes, funeral homes, and companies involved in developing and distributing the COVID-19 vaccine. (See image below.)

Best of all, they state that they have donated several thousand dollars to two charities, one helping provide education to disadvantaged children and one that helps provide clean water to communities in Africa. The threat actors specifically ask that the names of the charities to which they have donated not be publicized so as not to cause them problems.

Finally, they offer to provide victim names in advance so investors can earn money from the company’s stock price reduction, once news of the attack is known. (See image below.)

The DarkSide group is just one of many ransomware gangs plaguing organizations today. These threat groups are indiscriminate in their attacks: they have compromised every type of company and entity one can think of, from hospitals to school districts to car and medical device manufacturers to local and state government agencies. For organizations that do not have the right security protections in place, ransomware attacks can do untold damage, as we are seeing with Colonial Pipeline, and as we saw with the ransomware attacks levied against the City of Baltimore and the City of Atlanta. Both cities suffered approximately $18 million in damages.

Is your company prepared to defend against a ransomware attack or other type of cyberattack? If you aren’t currently engaged with a Managed Detection and Response (MDR) provider, we highly recommend you partner with us for security services in order to disrupt threats before they impact your business.

eSentire is the Authority in Managed Detection and Response, protecting the critical data and applications of 1200+ organizations in 75+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events. Combining cutting-edge machine learning XDR technology, 24/7 Threat Hunting, and proven security operations leadership, eSentire mitigates business risk, and enables security at scale. The Team eSentire difference means enterprises are protected by the best in the business with a named Cyber Risk Advisor, 24/7 access to SOC Cyber Analysts & Elite Threat Hunters, and industry-leading threat intelligence research from eSentire’s Threat Response Unit (TRU). eSentire provides Managed Risk, Managed Detection and Response and Incident Response services. For more information, visit www.esentire.com and follow @eSentire.