
The inner workings of DarkSide’s ransomware-as-a-service model

Malcolm Bailie from Nozomi Networks unpacks the malicious strategy employed by cyber crime organisations.

Malcolm Bailie
Fri, 06 Aug 2021

The term ‘as-a-service’ is synonymous with the cloud community and organisations simplifying their on-premises reliance on IT infrastructure.

But the term has been taken to the next level by technology’s greatest foe – cyber crime – with cyber criminal hacking group DarkSide popularising the ransomware-as-a-service (RaaS) term and attack strategy.

Unfortunately, RaaS has been a highly successful model and is believed to be behind the infamous Colonial Pipeline attack. This had a huge impact locally, creating fears over fuel price rises and the attack being leveraged by the government to drive home the importance of the Security of Critical Infrastructure (SOCI) Bill.


RaaS involves multiple parties in an attack, with a ‘divide and conquer’ approach that plays to the strengths of each party: experienced malware writers develop the ransomware code, and affiliates who specialise in gaining access deploy it.

We put the weight of our Nozomi Networks Labs team into studying the inner workings of DarkSide and RaaS, and discovered some vital information for other energy providers to help avoid Colonial’s fate.

Victim and file selection

The malware begins by collecting basic information about the computer system to get a sense of the technical environment. Like other malware families, it avoids systems whose language is Russian or another Eastern European language, which gives a strong indication of where the group is based.

After selecting its target, the malware then considers what files it should encrypt. While an attack on all available files seems like a logical approach, this can leave the victim with no information on how to contact the attackers and pay the ransom.

Further, the all-in approach means encryption takes significantly longer, in turn leaving more time for the malware to be discovered before the attacker wants that to happen.

In DarkSide’s case, the strain is something of a file connoisseur. It meticulously sifts through an environment to find the perfect files to encrypt, a process mainly driven by examining their file directories, names and extensions. This information then helps the attackers determine the nature and importance of files – zeroing in on the ‘crown jewels’ that the victim can’t operate without.

Staying anonymous

Anonymity is essential to a cyber criminal. Once locations, servers, etc. are known, it’s quite easy for authorities to shut them down.

DarkSide and many other gangs use the open-source anonymous communication software Tor. This protects their anonymity and prevents a sudden shutdown during an attack.

This level of privacy also extends to the way DarkSide interacts with the Windows operating system. Normal, non-malicious programs interact with it through the Windows application programming interface (WinAPI). If DarkSide did this openly, it would quickly alert basic security systems and the game would be up.

To avoid this, it doesn’t make all the APIs it uses visible within the binary up front – it resolves them dynamically just before use, using a mixture of hashed (active) or encrypted names. While this breaks the normal rules programs follow, it does so without triggering detection.
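The following is an added illustration, not code from the article, Nozomi Networks or DarkSide: it shows why hashed API names defeat a plaintext string scan of a sample, and how an analyst answers that by precomputing a hash-to-name table from known export names. The ROR-13 hash and the export list are assumptions; the article does not state which hash DarkSide uses.

```python
# Added illustration (not Nozomi's or DarkSide's code) of hashed API-name resolution
# from the analyst's side. The ROR-13 hash is an ASSUMED stand-in for whatever the
# real sample uses; the point is that any deterministic hash can be tabled in advance.
import struct

# Constructed: a handful of well-known kernel32/advapi32 export names an analyst would table.
CONSTRUCTED_EXPORTS = [
    "CreateFileW", "WriteFile", "CryptEncrypt", "FindFirstFileW", "FindNextFileW",
    "OpenSCManagerW", "ControlService", "DeleteFileW", "GetUserDefaultUILanguage",
]

def ror32(value, count):
    """Rotate a 32-bit value right by `count` bits."""
    value &= 0xFFFFFFFF
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF

def api_hash(name):
    """Assumed ROR-13 additive hash over the ASCII export name (generic loader style)."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & 0xFFFFFFFF
    return h

def build_reverse_table(exports):
    """Precompute hash -> name once; the table then works on every sample using this hash."""
    return {api_hash(n): n for n in exports}

def strings_scan(blob, names):
    """What a plaintext string scan of a sample finds: only names stored in the clear."""
    return [n for n in names if n.encode("ascii") in blob]

def resolve_blob(blob, table):
    """Read 32-bit little-endian hashes from a sample and map them back to export names."""
    usable = blob[: len(blob) - len(blob) % 4]
    hashes = struct.unpack("<%dI" % (len(usable) // 4), usable)
    return [table.get(h, "unknown:%#010x" % h) for h in hashes]

# Constructed sample: API names are stored only as hashes, plus one hash not in the table.
CONSTRUCTED_SAMPLE = b"".join(
    struct.pack("<I", api_hash(n)) for n in ("CreateFileW", "CryptEncrypt", "DeleteFileW")
) + struct.pack("<I", 0xDEADBEEF)

if __name__ == "__main__":
    table = build_reverse_table(CONSTRUCTED_EXPORTS)
    print("plaintext names found:", strings_scan(CONSTRUCTED_SAMPLE, CONSTRUCTED_EXPORTS))
    print("resolved via table:   ", resolve_blob(CONSTRUCTED_SAMPLE, table))
```

An unresolved hash is left as hex so the gap is visible and the export list can be extended.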

Attacking the ‘insurance policy’

If all organisations could simply restore the data that was encrypted, ransomware attacks might never happen.

Backing up data isn’t enough, as DarkSide ensures normal backup systems are unusable on the machines it targets. While virtually all businesses back up their data, the issue is that most backups sit on the same system as the originals. Unsurprisingly, DarkSide deletes backup files once it sees them.

But it doesn’t stop there. It aims to stop the entire process of backing up data by disabling various backup solutions, searching for them by name.
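As an added example that is not part of the article or Nozomi's research, the detector below runs over constructed Sysmon-style process-creation lines and flags the two behaviours just described: destruction of local recovery data and backup services being stopped by name. The command patterns and the service-name hints are assumptions chosen to illustrate the check, not indicators the article attributes to DarkSide.

```python
# Added example (not from the article, Nozomi Networks or DarkSide): a small detector
# for backup tampering, run over constructed Sysmon Event ID 1 style lines. The command
# patterns and service-name hints are ASSUMPTIONS used to illustrate the check.
import re

# Assumed: command lines that destroy local recovery data.
TAMPER_PATTERNS = [
    ("shadow_copy_delete", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("backup_catalog_delete", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("recovery_disabled", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
]
# Assumed (constructed) fragments of backup-product service names to watch for.
BACKUP_SERVICE_HINTS = ("veeam", "backup", "acronis", "vss", "sql")
SERVICE_STOP = re.compile(r'\b(?:net1?|sc)(?:\.exe)?\s+stop\s+"?([\w\s.-]+?)"?\s*$', re.I)

def parse_event(line):
    """Split a 'key=value|key=value' event line into a dict."""
    return dict(re.findall(r"(\w+)=([^|]*)", line))

def classify(cmdline):
    """Return a label if the command line tampers with backups or recovery, else None."""
    for label, rx in TAMPER_PATTERNS:
        if rx.search(cmdline):
            return label
    m = SERVICE_STOP.search(cmdline)
    if m and any(h in m.group(1).lower() for h in BACKUP_SERVICE_HINTS):
        return "backup_service_stop:" + m.group(1).strip()
    return None

def detect(lines):
    """Return (image, user, label) for every event that matches a tampering behaviour."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        label = classify(ev.get("CommandLine", ""))
        if label:
            hits.append((ev.get("Image", "?"), ev.get("User", "?"), label))
    return hits

# Constructed log lines (fields separated by '|'); the Spooler stop is benign noise.
CONSTRUCTED_LOG = [
    r"EventID=1|Image=C:\Windows\System32\vssadmin.exe|User=CORP\svc-ops|CommandLine=vssadmin.exe delete shadows /all /quiet",
    r'EventID=1|Image=C:\Windows\System32\net.exe|User=CORP\svc-ops|CommandLine=net stop "Veeam Backup Service"',
    r"EventID=1|Image=C:\Windows\System32\net.exe|User=CORP\alice|CommandLine=net stop Spooler",
    r"EventID=1|Image=C:\Windows\System32\wbadmin.exe|User=CORP\svc-ops|CommandLine=wbadmin delete catalog -quiet",
]

if __name__ == "__main__":
    for image, user, label in detect(CONSTRUCTED_LOG):
        print(f"{label:<42} {user:<16} {image}")
```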

DarkSide essentially uses the culmination of tried and tested techniques and the RaaS model to inflict the most damage possible. It’s estimated that over 40 victims have paid out more than $120 million in cryptocurrency payments. In Colonial’s case, it paid out close to $6 million, which was later (mostly) recovered by the US Justice Department.

And these threats are growing – particularly in critical sectors. Nozomi Networks recently unveiled research showing industrial control system (ICS) vulnerabilities increased by 44 per cent, while vulnerabilities in the critical manufacturing sector rose by nearly 150 per cent in the first half of 2020.

While RaaS strains like DarkSide are sophisticated, there are means to avoid this kind of attack, including harder perimeter defences, indicator of compromise (IOC) tracking and monitoring, and immutable backups stored on systems separate from the core files.

Energy and other critical infrastructure providers in Australia should take heed of the harsh lessons companies like Colonial have had to learn from experience. As the Australian government ramps up its cyber security strategy, it’s important our most critical assets harmonise and shore up their own security and monitoring systems.

Malcolm Bailie is manager solutions delivery and projects (APAC) for industrial cyber security, operational technology and IoT company Nozomi Networks.
