Caleb Boma | August 26th, 2020


DarkSide, a new ransomware group discovered on August 10, 2020, has begun gaining traction due to recent ransomware attacks across the United States. Darkside is a unique group in the way they neglect to target the medicine, education, non-profit organizations, and the government sector, based on currently available information. This decision is crucial as COVID-19 continues to affect everyone, schools beginning their 2020-2021 school year, non-profits fighting to stay alive, and the U.S. government preparing for the 2020 election in November. DarkSide ransomware group specifically targets what is considered in cybersecurity as “low hanging fruit” through unsecured environments. Environments with open RDP (Remote Desktop Protocol), online backups and those vulnerable to phishing techniques are at risk. DarkSide, based on previous attack analysis, even reviews financial documents to understand the victim’s income and determine if they are capable to pay the ransom.

In 14 days, DarkSide has snagged multiple million-dollar ransoms. After numerous trial and errors with other businesses about their ransomware products, DarkSide appears to conclude it was best to create a product of their own to meet their desired needs and wants for success in the Blackhat cybersecurity market of ransomware groups out to take companies’ money for their own good. As said by DarkSide, “We received millions of dollars in profit by partnering with other well-known cryptolockers.” They claim they are not out to put a business six feet under. This human-operated ransomware attack technique spreads laterally throughout a network to obtain administrator access and the Windows domain controller. As a result, the cybercriminals collect unencrypted data from the victim’s servers and upload it to their own devices.

Once the data is posted online, the cybercriminals publish the following information:

A psychological technique is utilized to manipulate the victim into paying the ransom. Extortion scares the victim even if having been recovered from backups. DarkSide claims if the ransom is paid, the victim’s stolen data will be removed from the online forum.

Based on open source intelligence, it has been discovered the victim whom had paid the one-million-dollar ransom has had their leaked data successfully removed from the online forum. IT World Canada says the Toronto-based billion-dollar company, Brookfield Residential is one of its first victims. Brookfield Residential’s total assets are worth $4.5 billion and a total equity of $1.6 billion. Therefore, it is clear Brookfield Residential has the ability to pay for a one-million-dollar ransom.

There is significant evidence for their customized ransomware attacks. Each ransomware executable is tailored specifically for the company under attack. To add more debris to the disaster, the personalized ransom note reads, “Welcome to Dark”. In this year of “Dark Mode”, it seems appropriate to greet victims with this phrase. If one is accustomed to reading ransom notes, a lightbulb might go off, sparking an idea about the connection to REvil.

If viewed side by side with the time to read line by line, DarkSide’s ransom note shines with similarities to REvil’s ransom note. Bank Info Security provides an image of DarkSide’s ransom note. If viewed side by side with the time to read line by line, DarkSide’s ransom note shines with similarities to REvil’s ransom note, which is can be seen here.

Outmaneuver your adversary.

To become more familiar with ShadowSpear®, visit or email [email protected] to speak with a cybersecurity professional.

24/7 Breach Response: 833.997.7327