Blog — May 12, 2021

The Dark Side of the DarkSide Ransomware Group

Victim profile:

- Number of victims listed: 59
- New since January 1st, 2021: 37
- Victims located in the U.S., South America, Middle East, and U.K.
- Victims include manufacturers of all types of products, including energy companies, clothing companies, and travel companies.

DarkSide is a relatively new ransomware group. eSentire’s security research team, the Threat Response Unit (TRU), began tracking them in December 2020, and the group is thought to have emerged in November 2020. The operators claim on their blog/leak site to have infected 59 organizations in total, compromising 37 of them in 2021. News broke on May 8, 2021, that the DarkSide group might be behind the ransomware attack which forced the shutdown of Colonial Pipeline the day before. The Colonial Pipeline is one of the largest pipelines in the U.S. and delivers about 45 percent of the fuel used along the Eastern Seaboard. As of May 12, the shutdown has caused gas shortages in many markets, and depending on how long the shutdown lasts, the incident could impact millions of consumers.

DarkSide states that they provide their ransomware via a Ransomware-as-a-Service model. eSentire’s TRU wonders whether one of DarkSide’s affiliates (partners) was responsible for the attack against Colonial Pipeline, and whether the threat actors behind DarkSide were unaware of the sensitive target until news of Colonial’s shutdown broke across the globe.

Interestingly, DarkSide published the following on their website on Monday, May 10, suggesting that this may be the case: “We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other motives. Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

See image below from the DarkSide website:

The DarkSide threat actors also state on their blog that they are able to gain a deeper foothold in their victims’ IT environments, boasting that they seize victims’ SQL databases, network passwords, network maps, any cleartext passwords, domain names, etc.

DarkSide Continues to Claim New Victims after Colonial Pipeline Incident

Like many of the other ransomware gangs, the DarkSide operators list their victims. Despite the tremendous attention currently being paid to the DarkSide gang by law enforcement and security researchers, they appear to be carrying on as if it is “business as usual.” On Tuesday, May 11 and Wednesday, May 12 they posted two new victim organizations. One of them is an IT services company based in the U.S. They claim to have stolen all kinds of data from the firm, including its financial statements, employee passports, Active Directory passwords, etc. The other purported victim is a U.K.-based civil engineering company and a developer of wind farms. In reviewing their list of victims, it appears that they are primarily located in the U.S., South America, Middle East, and U.K. DarkSide victims include manufacturers of all types of products, energy companies, retailers of clothing and office products, and travel companies.

One of the other organizations DarkSide claims to have compromised is a Georgia-based company called The Dixie Group (NASDAQ: DXYN.O). The threat actors posted The Dixie Group on their list of victims on April 18, 2021. The Dixie Group manufactures carpets and custom rugs, and proprietary yarns used in manufacturing soft floorcoverings. eSentire cannot confirm DarkSide’s claim that they attacked The Dixie Group. However, on April 19, The Dixie Group Inc., announced that they suffered a ransomware attack on their IT systems on April 17, 2021. News outlets also reported in March 2021 that the DarkSide operators attacked CompuCom Systems, gaining access to administrative credentials, and then deploying their ransomware.

Another purported victim of the DarkSide group is a well-known, U.S.-based clothing manufacturer. Not only does DarkSide provide financial records that they claim are from the company, but they also provide video footage from what they claim is one of the clothing company’s shipping and receiving centers. The other victims they claim to have compromised include one of the largest electric power facilities in South America, which generates, transmits, distributes, and trades electric energy.

They name other victims as well, including a large company based in the Middle East that designs, manufactures, and markets a broad range of products for healthcare facilities; U.S. law firms; a large U.S.-based dental practice; a feed and fertilizer company; travel companies; and a sportswear company.

An ironic aspect of the DarkSide group is that they have registration sections on their blog for “press members” and for “ransomware recovery firms.” If you are a member of the press, they state they will give you an exclusive, letting you know about a company that has been breached before they publish it to their blog site. If you are with a ransomware recovery firm, they state they will offer discounts on the ransom being demanded of the victim organization.

The DarkSide operators also like to give the impression that they are like Robin Hood. They state that they ONLY go after profitable companies — those organizations that can afford to pay a ransom. They state that they will not attack hospitals, palliative care facilities, nursing homes, funeral homes, and companies involved in developing and distributing the COVID-19 vaccine. (See image below.)

Best of all, they state that they have donated several thousand dollars to two charities, one helping provide education to disadvantaged children and one that helps provide clean water to communities in Africa. The threat actors specifically ask that the names of the charities to which they have donated not be publicized so as not to cause them problems.

Finally, they offer to provide victim names in advance so investors can earn money from the company’s stock price reduction, once news of the attack is known. (See image below.)

The DarkSide group is just one of many ransomware gangs plaguing organizations today. These threat groups are indiscriminate in their attacks; they have compromised every type of company and entity one can think of, from hospitals to school districts to car and medical device manufacturers to local and state government agencies. For those organizations that do not have the right security protections in place, ransomware attacks can do untold damage, as we are seeing with Colonial Pipeline, and as we saw with the ransomware attacks levied against the City of Baltimore and the City of Atlanta. Both cities suffered approximately $18 million in damages.

Is your company prepared to defend against a ransomware attack or other type of cyberattack? If you aren’t currently engaged with a Managed Detection and Response (MDR) provider, we highly recommend you partner with us for security services in order to disrupt threats before they impact your business.

Want to learn more? Connect with an eSentire Security Specialist.

eSentire

eSentire is the Authority in Managed Detection and Response, protecting the critical data and applications of 1000+ organizations in 70+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events. Combining cutting-edge machine learning XDR technology, 24/7 Threat Hunting, and proven security operations leadership, eSentire mitigates business risk, and enables security at scale. The Team eSentire difference means enterprises are protected by the best in the business with a named Cyber Risk Advisor, 24/7 access to SOC Cyber Analysts & Elite Threat Hunters, and industry-leading threat intelligence research from eSentire’s Threat Response Unit (TRU). eSentire provides Managed Risk, Managed Detection and Response and Incident Response services. For more information, visit www.esentire.com and follow @eSentire.