How dark is the DarkSide Ransomware Group

In the last decade, there has been an exponential increase in cyberattacks on companies all around the world. To date, no other class of attack has been as damaging as ransomware, because it denies the owner any further use of the affected computer systems. In some cases it has cost lives, when critical medical systems were attacked and could not be restored in time. One of the most potent ransomware groups is DarkSide. In this blog post, I will explore this group and its mode of operation.


What is the “Darkside” Hackers group?

The group has been called “one of the largest and most notorious” ransomware groups. Like other forms of cybercrime, its activities are fuelled by money. Its members, they claim, are not directly affiliated with any government or intelligence agency, but they rely solely on ransom payments to fund their operations.

They use a sophisticated business model known as Ransomware-as-a-Service (RaaS). This enables them to recruit other hackers to help them carry out a large number of attacks. The DarkSide team also has an extensive network of affiliates who can distribute its malware globally through spam campaigns or targeted spear-phishing attacks.

The Ransomware-as-a-Service (RaaS) Model

Interested parties, who are not necessarily hackers, are recruited and given access to the attack tooling through simple yet powerful web services, so that attacks can be carried out in an almost point-and-click fashion. These recruits are called affiliates and work for the main group. When an attack succeeds and the payment is made, the proceeds are shared according to the group’s revenue-sharing model.

This is a very effective business model: they even offer a “free trial” of their malware to encourage adoption. They also provide tutorials on how people can create and deploy ransomware themselves using the same tools they make available.

In just one month this year over $17.5 million worth of Bitcoin was deposited in a Crypto wallet linked to the hackers.

According to the group, its revenue-sharing model is:

    • Dynamic rate of 75% to 90%.
    • A stable rate of 80%.

They also advertise a trial and a more attractive offer for new affiliates:

    • 90% for the first two payouts when you switch to us from any other affiliate program if you had three ransom payments in the last month; each of them needs to be over 2M (and each needs to be verified).
    • 90% for the first two payouts when you switch to us from any other affiliate program.

The group has publicly stated that it prefers to target organizations that can afford large ransoms rather than hospitals, schools, non-profits, and governments. Ransoms demanded by the group have ranged from US$200K to US$20M. DarkSide seems to be expert at attacking oil pipeline operators and uses ransomware to bypass security measures and extort large sums of money.

How the “Darkside” Group Works

DarkSide is believed to be based in Russia, but it is not sponsored by the government. The group claimed on its website that members are not allowed to attack the computers of people in Russia, Ukraine, Georgia, or Belarus. Other organizations it declares off-limits are:

    • Healthcare (only: clinics, hospitals, and palliative care organizations, retirement homes, companies that develop COVID-19 vaccines or take part (to a significant extent, as a part of the supply chain) in supplying them).
    • Funeral services (morgues, crematoria, and funeral parlors).
    • Education (universities, schools).
    • Public sector (municipal services, any public agencies).
    • Non-profit organizations (charitable foundations and associations).

Experts state that the group is one of the many for-profit ransomware groups that have proliferated and thrived in Russia.

DarkSide was first noticed in August 2020. It has a professional-looking website and tries to cultivate a Robin Hood image. The group claims that it has donated some ransom money to charity and that it only targets organizations that can afford large ransoms.

The Colonial Pipeline Hack

DarkSide seems fond of attacking oil pipelines and, thanks to its expertise, bypasses security measures with ease, making it a major threat to authorities worldwide. The group has hit large oil pipelines at least four times from December 2020 to date, making use of one of its most potent weapons: Ryuk.

Ryuk is one of the more recent ransomware families, and it has proved effective in locking down computers across the world. With Ryuk they can target large organizations that are able to pay large sums in ransom.

Successful Activities of the “DarkSide”

August 2020:

DarkSide introduces its ransomware.

October 2020:

DarkSide donates US$20,000 stolen from victims to charity.

November 2020:

DarkSide establishes its RaaS model.

November 2020:

DarkSide launches its content delivery network (CDN) for storing and delivering compromised data.

March 2021:

DarkSide releases version 2.0 of its ransomware with several important updates to make it more sophisticated.

March 2021:

They hit the IT managed services provider CompuCom.

May 2021:

DarkSide launched an attack on the Colonial Pipeline. After the attack, DarkSide said that it was not a political organization and would start to check where its targets are.

Attack Method

DarkSide follows a pattern of quick escalation: the longer a victim takes to comply with the demand, the more trouble it gets.

Step One: The Ransom Phase

This is the initial delivery phase. The ransomware encrypts the files and leaves a ransom note behind, while the attackers sit back and wait for payment.

Step Two: The Double Extortion Phase

In this step the attackers start threatening to release the stolen data to the public if the money is not paid on time. In some cases, additional money is demanded to prevent the public distribution of the stolen data.

This is what happened to Toshiba Tec Corp., a unit of Toshiba Corp.: more than 740 gigabytes of information were compromised, including personal data of personnel such as copies of passports.

The group also likes to hedge its bets by shorting the shares of the companies it hacks and profiting from the temporary fall in the share price.

The first published case of double extortion happened in November 2019. Allied Universal, a large American security company, was the victim. When Allied refused to pay the demand of 300 Bitcoin, the attackers upped the game and threatened to release sensitive information exfiltrated from the company.

To prove they were not kidding, the attackers published some of the files they stole which included contracts, medical records, and encryption certificates.

Step Three: Triple Extortion Phase

In this phase, the victims are threatened with a Distributed Denial of Service (DDoS) attack if they do not pay the ransom. A victim who pays up once is also likely to be targeted by the hackers again and extorted for more money to keep their data safe.

This happened to the German company Brenntag in May 2021, when its systems were hit by ransomware. A DDoS attack took down its IT infrastructure, and its data was encrypted. The company ended up paying a $4.4 million ransom in Bitcoin to DarkSide and still suffered significant downtime.

Step Four: The Final Extortion Phase

If the victim still has not paid, the pressure escalates further: the victim starts receiving calls demanding compliance. Sometimes the victim’s clients are contacted at this point to turn up the heat.

Step Five: The Release Phase

After getting paid, the hackers release the data they encrypted by providing the victim with the key to unlock the files. This stage also includes publicizing that a victim has been hacked, so that the victim cannot deny what happened and the amount of money extorted becomes known.

Ransomware is one of the most potent security attacks in history. It can cost lives if it takes down critical medical systems. There have been over 2 million ransomware incidents, which means that this attack can happen to anyone. Therefore, it is important for every company to take steps towards preventing and mitigating these types of cyberattacks as soon as possible.

If you want help with training your staff and creating awareness of these types of cyberattack, please contact us via email at


Surviving Identity Theft

What is Identity Theft?

Identity theft happens when a criminal steals information about you and uses that information to commit fraud, such as requesting unemployment benefits, tax refunds, or a new loan or credit card in your name. If you don’t take precautions, you may end up paying for products or services that you didn’t buy and dealing with the stress and financial heartache that follows identity theft. 

Your personal information exists in numerous places all over the internet. Every time you browse or purchase something online, watch a video, buy groceries, visit your doctor, or use an app on your smartphone, information about you is being collected. That information is often legally sold or shared with other companies. Even if just one of these gets hacked, the criminals can gain access to your personal information. Assume that some information about you is already available to criminals and consider what you can do to slow down or detect the use of your information for fraud. 

How to detect it

  • Review your financial cards and other accounts regularly for any charges or payments you did not make. An easy way to do this is to sign up for email, text messages, or phone app notifications for payments and other transactions. Monitor them for fraud.
  • Investigate situations when merchants decline your credit or debit cards. Look into letters or phone calls from debt collectors for overdue payments for credit cards, medical bills, or loans that you know are not yours. 
  • Pay attention to letters that inform you about unemployment or other government benefit claims for which you never applied. 
  • If available in your area, review your credit reports at least once a year. For example, in the United States, you can request free reports from 

What to do when it happens

  • Contact the organization that is involved in the fraud. For example, if a criminal opened a credit card in your name, call that credit card company to notify it about the fraud. If someone filed for a tax refund or unemployment benefits in your name, contact the corresponding government organization.
  • File a report with law enforcement to create an official record of identity theft. You can often do this online. For example, in the United States you can report at Follow the site’s instructions for any additional steps you may need to take.
  • When responding to fraud, keep records of your interactions with your financial institutions and law enforcement, as well as the costs you incur due to identity theft in case these details will be needed later.
  • Notify your insurance company; you may have identity theft protection included in one of your policies.

How to defend against it

Here are some simple steps you can take to decrease the chance of identity fraud happening: 

  • Limit how much information you share about yourself with online services and websites.
  • Use a unique strong password for all of your online accounts and enable two-factor authentication as additional protection for your most important accounts.
  • If applicable in your location, restrict who can get access to your credit reports. For example, in the United States freeze your credit score so that anyone who tries to get a credit card or loan in your name has to first temporarily unfreeze it.
  • Consider getting insurance coverage, either through a dedicated policy or as part of your existing insurance plan, that covers the costs of dealing with identity theft.

Securing Wi-Fi At Home

To create a secure home network, you need to start by securing your WiFi access point (sometimes called a WiFi router). This is the device that controls who and what can connect to your home network. Here are five simple steps to securing your home WiFi to create a far more secure home network for you and your family.

Focus on the Basics

Often the easiest way to connect to and configure your WiFi device is while connected to your home network. Point your web browser to the specific IP address documented in your device’s manual (an example of this would be, or use a utility or mobile app provided by your WiFi device vendor.

1. Change the Admin Password

Your WiFi access point was most likely shipped with a default password for the administrator account that allows you to change the device configuration. Often these default passwords are publicly known, perhaps even posted on the Internet. Be sure to change the admin password to a unique, strong password, so only you have access to it. If your device allows it, change the admin username as well.

2. Create a Network Password

Configure your WiFi network, so it has a unique, strong password as well (make sure it is different from your device admin password). This way only people and devices you trust can join your home network. Consider using a password manager to select a strong password and to keep track of all of your passwords for you.

3. Firmware Updates

Turn on automatic updating of your WiFi access point’s operating system, often called firmware. This way you ensure your device is as secure as possible with the latest security options. If automatic updating is not an option on your WiFi access point, periodically log into your device and check whether any updates are available. If your device is no longer supported by the vendor, consider buying a new one that you can update to obtain the latest security features.

4. Use a Guest Network

A guest network is a virtual separate network that your WiFi access point can create. This means that your WiFi access point actually has two networks. The primary network is the one that your trusted devices connect to, such as your computer, smartphone, or tablet devices. The guest network is what untrusted devices connect to, such as guests visiting your house or perhaps some of your personal smart home devices. When something connects to your guest network, it cannot see or communicate with any of your trusted personal devices connected to your primary network.

5. Use Secure DNS Filtering

DNS is an Internet-wide service that converts the names of websites into numeric addresses. It is what helps ensure your computer can connect to a website when you type in the website’s name. WiFi access points typically use the default DNS server supplied by your internet service provider, but more secure alternatives are available for free from services such as OpenDNS, Cloudflare for Families, or Quad9 that provide extra security by blocking malicious or otherwise undesirable websites. Log into your WiFi access point and change the DNS server address to a more secure alternative.
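To make the filtering idea concrete, here is an added example (not code from the article, and not code from OpenDNS, Cloudflare or Quad9) of how a filtering resolver decides whether to answer a lookup: blocked zones cover every name beneath them, and a blocked name is answered with an unroutable sinkhole address instead of the real one. The blocklist, the address table, the sinkhole address and the query log are all constructed for illustration.

```python
"""Added example (not from the article, and not code from OpenDNS, Cloudflare
or Quad9): how a filtering DNS resolver decides whether to answer a lookup.
The blocklist, the address table, the sinkhole address and the query log
below are all constructed for illustration."""

# Constructed blocklist: a filtering resolver refuses to resolve these zones
# and every name beneath them.
BLOCKLIST = {"malware.example", "ads.example"}

# Constructed answer table standing in for the real upstream DNS
# (192.0.2.0/24 is the documentation range, not real hosts).
RECORDS = {
    "www.bank.example": "192.0.2.10",
    "malware.example": "192.0.2.66",
    "cdn.ads.example": "192.0.2.77",
}

# Blocked names are answered with an unroutable "sinkhole" address so the
# client fails fast instead of contacting the site.
SINKHOLE = "0.0.0.0"


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().rstrip(".").lower()


def is_blocked(name):
    """True if the name or any parent domain is on the blocklist,
    so 'cdn.ads.example' is caught by the 'ads.example' entry."""
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def resolve(name):
    """Return (address, status) where status is 'blocked', 'ok' or 'nxdomain'."""
    if is_blocked(name):
        return SINKHOLE, "blocked"
    address = RECORDS.get(normalize(name))
    if address is None:
        return None, "nxdomain"
    return address, "ok"


def blocked_by_client(log_lines):
    """Count blocked lookups per client from a query log in the constructed
    form '<client-ip> <queried-name>'; a device that keeps hitting the
    blocklist is worth a closer look."""
    counts = {}
    for line in log_lines:
        client, name = line.split()
        if resolve(name)[1] == "blocked":
            counts[client] = counts.get(client, 0) + 1
    return counts


# Constructed query log: three devices on a home network.
QUERY_LOG = [
    "192.168.1.20 www.bank.example",
    "192.168.1.21 CDN.ADS.EXAMPLE.",
    "192.168.1.21 malware.example",
    "192.168.1.22 nothere.example",
]

if __name__ == "__main__":
    for line in QUERY_LOG:
        client, name = line.split()
        print(client, name, resolve(name))
    print(blocked_by_client(QUERY_LOG))  # {'192.168.1.21': 2}
```

Real filtering services maintain the blocklist for you; what the home user controls is only which resolver address the access point hands out, which is why the step above is simply to change that address.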

Securing your home WiFi access point is the first, and one of the most important, steps in creating a secure home network. For more information about securing your WiFi access point, refer to the device’s manual, or if your internet service provider provided your WiFi device, contact them for more information on security features.


Making Passwords Simple:

Password Managers:


OpenDNS Setup Guide:

OUCH! is published by SANS Security Awareness and is distributed under the Creative Commons BY-NC-ND 4.0 license. You are free to share or distribute this newsletter as long as you do not sell or modify it. Editorial Board: Walter Scrivens, Phil Hoffman, Alan Waggoner, Les Ridout, Princess Young

Guest Editor Joshua Wright

(Twitter @joswr1ght) is a senior director at Counter Hack Challenges, LLC, leading the coordination and development of cyber challenges for NetWars and the Holiday Hack Challenge. Find Josh at LinkedIn here:

How to Build a Holistic Information Security Learning Program for Your Organization

The security of our information systems is now a number one priority. We can no longer imagine a society without all the conveniences of technology. These technologies are powered by information systems that need to be secured. Whether you are trying to secure a multibillion-dollar company, a government institution, or a small one-person business, everyone should start taking security seriously.

According to the NIST publication SP 800-50, there are three steps that lead to an effective security program. The program targets everyone in the organization, at their different levels and functions.

For Everyone.

Everyone should have basic information security understanding and know what they should do in case of a security event through an awareness program. Awareness is about helping people know what to do and not necessarily understanding how security works.

“Awareness is not training. The purpose of awareness presentations is simply to focus attention on security.” The awareness program is intended to allow individuals to recognize IT security concerns and respond accordingly.

The awareness program should be based on key aspects of the organization’s information security policy. The information should be adapted to suit the need of everyone within the organization right from the top of the organization to the lowest level. Therefore, everyone within the organization should be provided with a security awareness program.

All IT System Users

All users of the information systems should be provided with basic information security training, in addition to the security awareness program for everyone. The awareness program tells people not to click on a link in an email from an unknown sender but to delete it. But how does the user go about deleting this email securely? These users should therefore be trained to carry out the recommendations in the security awareness program.

Any user exposed to the organization’s IT systems should be provided with basic information security and literacy training. The main difference between an awareness program and training is that “training is more formal, having a goal of building knowledge and skills to facilitate job performance. Training strives to produce relevant and needed security skills and competencies.”

Here, the organization needs to carry out a training needs analysis and build a training program that ranges from beginner to advanced level.

IT and Security Professionals

Any misstep by an IT professional could easily lead to a security breach. It does not matter whether they are system developers, network engineers, or operating system administrators. They all stand side by side with the information and cybersecurity professionals on the battlefield of cyberwarfare.

Education teaches people to make educated decisions. All IT professionals exposed to the information systems on a technical level should be well-educated to help them perform their jobs effectively and efficiently.

Therefore, a continuing security education program that provides regular security training tailored to their job role should be available to them. A well-tailored information security education should be offered at multiple levels: beginner, intermediate, and advanced. Organizations should strive to produce IT security specialists and professionals capable of vision and proactive response.



North Koreans Hackers Indicted by U.S. DOJ for $200 Million Heist

Several North Korean citizens have been charged by the U.S. Justice Department for the 2014 Sony Pictures hack and the global WannaCry ransomware attack of 2017. According to investigators from the U.S. Secret Service and the Department of Homeland Security, those indicted include:

Jon Chang Hyok (a.k.a “Alex/Quan Jiang”)

Kim Il (a.k.a. “Julien Kim”/”Tony Walker”)

Park Jin Hyok (a.k.a. Pak Jin Hek/Pak Kwang Jin)

They are also accused of masterminding the theft of $200 million through cyber theft. They are suspected to be members of a North Korean hacking group operated by the Reconnaissance General Bureau (RGB), an intelligence division of the Democratic People’s Republic of Korea (DPRK).

In the last few years these groups were suspected of having masterminded the $81 million Bangladesh Bank heist.

It is also confirmed that the group stole $6.1 million in an ATM heist in 2018 using the Payday ATM attack, in what is called an “ATM cash-out scheme”. Their area of specialization goes beyond traditional bank heists and into cryptocurrencies. The suspects are also accused of stealing over $112 million in cryptocurrency across the globe.

The U.S. DOJ Indictment

Documentary of the Bangladesh Bank Heist.

What do We do About the 4% Clickers?

According to a report from during crises such as the COVID-19 Crises “3 in 10 workers worldwide have clicked a phishing link in the past year. In the US, it’s 1 in 3.”

In a normal situation, 4% of people will click on a link from an unknown sender even when the hyperlink states “Don’t click on this link”. Research shows you cannot avoid this phenomenon.

Training and security awareness programs have helped organisations reduce successful phishing attacks on their networks. However, such an attack does not need many people to click to be 100% successful; the 4% who do click are enough to be a nuisance to your organisation. So, what can you do about this problem?

Attackers who break into a corporate network want to move laterally within it. Even when you cannot eliminate the 4%, you can reduce the effect of their actions by introducing Zero Trust Security (ZTS) into your organisation. With Zero Trust Security you reduce lateral movement in your network, so that intruders have access to only a few systems. Zero Trust Security is not a product but a set of design principles, and it cannot be implemented with a single product. So, watch out for vendors who promise to sell you a single product that will provide Zero Trust Security.

According to Microsoft, Zero Trust controls can be implemented across six fundamental elements of your network:

  • Identities
  • Devices
  • Applications
  • Data
  • Infrastructure
  • Networks

In addition to the above controls, there should be visibility of all assets in the environment and complete orchestration of all automation.

Other security vendors, such as OneTrust (Cisco), Check Point, and Palo Alto Networks, have similar ideas regarding the implementation of Zero Trust Security. Zero Trust Security is a holistic approach to security architecture design, based on the fundamental concept of “never trust, always verify” for anyone or anything operating within or from outside the security boundary. It is designed to protect all computer assets, applications, and data.

Zero Trust Security ensures all resources are accessed securely regardless of location. The principle of least privilege is implemented through access control and strictly enforced.
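The six elements listed above and the least-privilege principle can be seen working together in one access decision. The following is an added example, not code from the article or from any vendor’s product: a toy policy function that checks identity, device, application, data and network signals on every request and denies by default, so that being on the internal network earns no exemption. Every attribute name, role, application and sample request is constructed for illustration.

```python
"""Added example (not from the article and not any vendor's product): a toy
access-decision function showing the "never trust, always verify" and least
privilege principles. Every attribute, role, application and sample request
below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset        # roles asserted by the identity provider
    mfa: bool               # identity verified with a second factor
    device_managed: bool    # endpoint enrolled and reporting compliant
    device_patched: bool    # endpoint current on security updates
    network: str            # "corp", "vpn" or "internet": a signal, never a grant
    app: str                # application being accessed
    action: str             # "read", "write" or "admin"
    data_class: str         # "public", "internal" or "confidential"


# Least privilege: each application lists, per action, the roles allowed to
# perform it. Anything not listed is denied. (Constructed policy.)
APP_POLICY = {
    "payroll": {"read": {"hr", "hr-admin"}, "write": {"hr-admin"}, "admin": {"hr-admin"}},
    "wiki": {"read": {"employee", "hr", "hr-admin", "it"}, "write": {"employee", "it"}, "admin": {"it"}},
}


def decide(req):
    """Evaluate one request against identity, device, application, data and
    network signals. Returns (allowed, reasons); the default is deny, and the
    reasons list doubles as the audit record that gives visibility."""
    reasons = []
    # Identity: was the user verified strongly, regardless of where they sit?
    if not req.mfa:
        reasons.append("identity not verified with MFA")
    # Device: is the endpoint one we have any basis to trust?
    if not req.device_managed:
        reasons.append("unmanaged device")
    if not req.device_patched:
        reasons.append("device missing security updates")
    # Application + least privilege: does a held role permit this action?
    allowed_roles = APP_POLICY.get(req.app, {}).get(req.action, set())
    if not (req.roles & allowed_roles):
        reasons.append(f"no role grants {req.action} on {req.app}")
    # Data: confidential data is not served to unknown networks at all;
    # the internal network still earns no exemption from the checks above.
    if req.data_class == "confidential" and req.network == "internet":
        reasons.append("confidential data requested from an unknown network")
    return (not reasons), reasons


def audit_line(req):
    """One log line per decision, so every access attempt is visible."""
    allowed, reasons = decide(req)
    verdict = "ALLOW" if allowed else "DENY"
    return (f"{verdict} user={req.user} app={req.app} action={req.action} "
            f"net={req.network} reasons={';'.join(reasons) or '-'}")


# Constructed sample requests.
ON_CORP_NO_MFA = Request("alice", frozenset({"hr"}), False, True, True, "corp", "payroll", "read", "internal")
REMOTE_VERIFIED = Request("alice", frozenset({"hr"}), True, True, True, "internet", "payroll", "read", "internal")
OVERREACH = Request("alice", frozenset({"hr"}), True, True, True, "vpn", "payroll", "write", "internal")
CONFIDENTIAL_REMOTE = Request("bob", frozenset({"hr-admin"}), True, True, True, "internet", "payroll", "read", "confidential")

if __name__ == "__main__":
    for r in (ON_CORP_NO_MFA, REMOTE_VERIFIED, OVERREACH, CONFIDENTIAL_REMOTE):
        print(audit_line(r))
```

The point of the sample requests is the contrast: the request from the corporate network is denied because the identity was not strongly verified, while the request from the open Internet is allowed because identity, device and role all check out. The 4% clicker whose credentials are phished therefore hands the attacker far less: a foothold on one device does not become access to every application on the network.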

To learn more about Zero Trust Security please visit our ZTS training.

Training: Understanding Zero Trust Security (ZTS)

Date: February 24-25, 2021

Training Type:

Enroll below

All training runs from 9:00 to 16:30 every day.