This week our Security Research team noticed loads of blocked traffic between ThreatSTOP customer machines and domains recently associated with DarkSide ransomware - the malware behind the Colonial Pipeline shutdown that forced the company to pay $5 million in ransom. The domains - fotoeuropa[.]ro and catsdegree[.]com - logged a cumulative 3.8 million blocked communication attempts in our systems over the last week alone. Almost nothing makes us happier than potential victims saved from malicious threat actors and cyberattack disasters.

Who is the DarkSide gang?

DarkSide is a cybercriminal gang believed to be based in Russia that has been active since August 2020. In less than a year, these threat actors have launched multiple global cyber campaigns affecting multiple industries and organizations in over 15 countries. The DarkSide ransomware is offered as ransomware-as-a-service (RaaS), meaning that the threat actors provide DarkSide to various affiliates who infect victim networks and, in return, share the profits from the attack with the creators.

Since the ransomware is used by various hackers, the infection vectors also vary. Some use commercially available tools to breach victim networks, while others have used zero-day vulnerabilities. Once the victims have been infected, the ransomware not only encrypts their data but also exfiltrates it, gaining more leverage for ransom payment demands.

The crypto-analytics company Elliptic identified that in just 9 months DarkSide and its affiliates cashed in at least $90 million in bitcoin ransom payments from 47 different victims. Doing some simple math we can say – holy cow that’s a lot of ransom money from each victim. Of the whole amount, the DarkSide creators raked in $15.5 million while the affiliates made a whopping $74.7M.

DarkSide Ransom Payments Oct. 20 - May 21. Image: elliptic.co.

The Colonial Pipeline Attack

On May 7, the Colonial Pipeline Company, which supplies 45% of the East Coast's fuel, discovered a ransomware breach in the company network, which forced the halt of all pipeline operations because the billing systems were affected. By far the most well-known DarkSide attack, this incident caused loads of media buzz. The DarkSide gang obtained a payment of $5 million from the victim – over twice the average ransom payment for this malware.

5,500 miles of fuel pipe shut down after a ransomware attack. Image: colpipe.com

Protecting Your Network from Threats Like This

It is still unknown what has become of the DarkSide threat actors. They claim to have disbanded, though some experts believe that they have pretended to call it quits to avoid scrutiny. Whether they are still active under a different name, or are using the same malicious infrastructure for other destructive targeted attacks, it is very clear that the domains they were using are still active. In addition to catsdegree[.]com and fotoeuropa[.]ro, there are many other IOCs related to DarkSide activity. For example, our systems logged almost 200K connection attempts from the DarkSide TOR domain darksidfqzcuhtk2[.]onion over the last 7 days. We recommend blocking all inbound and outbound traffic to IOCs related to DarkSide (see list below). If the attackers somehow manage to breach your network, don't let their malware exfiltrate your data. Blocking outbound traffic is an extremely important layer of defense against cyber attacks.

Another way to block threat activity like DarkSide's is blocking anonymizer services and TOR. In their attack on the Colonial Pipeline company, DarkSide used TOR relays which could have been blocked. Blacklisting the IPs of these anonymous services protects users from suspicious and potentially malicious traffic, and could have protected the victims of this attack. ThreatSTOP customers are protected by our Tor Exit Nodes - IPs target, which blocks access to the TOR network, and our Anonymous VPN Services Exit – IPs target which blocks traffic from anonymous VPN providers.

Protect against this threat by adding the indicators below to your network perimeter access rules and to your protective DNS rules. Preventing communication with these IP addresses and domains, and identifying the machines that try to reach them so they can be remediated, will prevent damage and losses from this ransomware. ThreatSTOP automates this for companies and security teams like yours. If you are a ThreatSTOP customer, you are already and automatically protected from DarkSide and other threats like this.
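The two steps above (block the indicators at DNS and at the perimeter, then find the internal hosts that tried to reach them) can be scripted against the published list. The block below is an added example, not ThreatSTOP's code or product logic: it refangs a subset of the indicators from the list in this post, builds IP and domain blocklists, renders the domains as a BIND Response Policy Zone for protective DNS, and reports which internal hosts appear in DNS and firewall logs contacting those indicators. The log lines and internal addresses are constructed for illustration; the log formats, `SAMPLE_LOGS`, and the zone name `darkside.rpz` are assumptions.

```python
"""Match DarkSide indicators against DNS and firewall logs (added example)."""
import ipaddress
import re
from collections import defaultdict

# Defanged indicators copied from the post's IOC list (subset).
DARKSIDE_IOCS = [
    "185[.]180[.]197[.]86",
    "185[.]243[.]214[.]107",
    "45[.]14[.]12[.]108",
    "catsdegree[.]com",
    "fotoeuropa[.]ro",
    "athaliaoriginals[.]com",
    "darksidfqzcuhtk2[.]onion",
]

# Constructed log lines (not real traffic); formats are assumptions.
SAMPLE_LOGS = [
    "2021-05-18T10:02:11Z dns client 10.1.4.22 query catsdegree.com A",
    "2021-05-18T10:02:12Z fw src=10.1.4.22 dst=185.180.197.86 dport=443 action=deny",
    "2021-05-18T10:05:40Z dns client 10.1.7.9 query imap.athaliaoriginals.com A",
    "2021-05-18T10:06:02Z dns client 10.1.7.9 query www.example.com A",
    "2021-05-18T10:09:55Z fw src=10.1.9.3 dst=93.184.216.34 dport=443 action=allow",
]

DNS_LINE = re.compile(r"client (?P<src>\S+) query (?P<qname>\S+)")
FW_LINE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+)")


def refang(indicator):
    """Turn a defanged indicator ('[.]', 'hxxp') back into its literal form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def build_blocklist(iocs):
    """Split refanged indicators into an IP set and a domain set."""
    ips, domains = set(), set()
    for ioc in iocs:
        value = refang(ioc)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value)
    return ips, domains


def domain_matches(qname, domains):
    """Return the listed domain that qname equals or is a subdomain of, else None."""
    qname = qname.rstrip(".").lower()
    for d in domains:
        if qname == d or qname.endswith("." + d):
            return d
    return None


def find_contacts(log_lines, ips, domains):
    """Map each internal host to the indicators it tried to reach (DNS or direct IP)."""
    hits = defaultdict(set)
    for line in log_lines:
        m = DNS_LINE.search(line)
        if m:
            hit = domain_matches(m.group("qname"), domains)
            if hit:
                hits[m.group("src")].add(hit)
            continue
        m = FW_LINE.search(line)
        if m and m.group("dst") in ips:
            hits[m.group("src")].add(m.group("dst"))
    return {host: sorted(v) for host, v in hits.items()}


def rpz_zone(domains):
    """Render the domains as a BIND RPZ: 'CNAME .' returns NXDOMAIN for the name and its subdomains."""
    lines = [
        "$TTL 300",
        "@ IN SOA localhost. root.localhost. 1 3600 600 86400 300",
        "@ IN NS localhost.",
    ]
    for d in sorted(domains):
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return "\n".join(lines)


if __name__ == "__main__":
    ips, domains = build_blocklist(DARKSIDE_IOCS)
    for host, indicators in find_contacts(SAMPLE_LOGS, ips, domains).items():
        print(f"{host} contacted DarkSide indicators: {', '.join(indicators)}")
    print(rpz_zone(domains))
```

Two points when running this against the full list: match hostnames on shared infrastructure (the azureedge[.]net entries) exactly as published rather than trimming them to the registrable domain, or you will block an entire CDN; and the .onion names will never appear in ordinary DNS logs, so coverage for those comes from blocking Tor exit nodes and relays at the perimeter, as the next paragraph describes.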

Ready to try ThreatSTOP in your network? Want an expert-led demo to see how it works?


DarkSide Indicators of Compromise:

IPs:
104[.]193[.]252[.]197
108[.]62[.]118[.]232
159[.]65[.]225[.]72
162[.]244[.]34[.]152
162[.]244[.]81[.]253
176[.]123[.]2[.]216
185[.]105[.]109[.]19
185[.]180[.]197[.]86
185[.]203[.]116[.]28
185[.]203[.]116[.]7
185[.]203[.]117[.]159
185[.]243[.]214[.]107
185[.]92[.]151[.]150
192[.]3[.]141[.]157
198[.]54[.]117[.]197
198[.]54[.]117[.]199
212[.]109[.]221[.]205
213[.]252[.]247[.]18
23[.]95[.]85[.]176
45[.]14[.]12[.]108
45[.]147[.]197[.]220
45[.]61[.]138[.]171
45[.]84[.]0[.]127
46[.]166[.]128[.]144
51[.]210[.]138[.]71
80[.]209[.]241[.]4
81[.]91[.]177[.]54

Domains:
athaliaoriginals[.]com
auth[.]athaliaoriginals[.]com
baa[.]stage[.]8886370[.]pop[.]athaliaoriginals[.]com
caa[.]stage[.]8886370[.]pop[.]athaliaoriginals[.]com
iaa[.]stage[.]8886370[.]pop[.]athaliaoriginals[.]com
imap[.]athaliaoriginals[.]com
baroquetees[.]com
catsdegree[.]com
ctxinit[.]azureedge[.]net
darksidedxcftmqa[.]onion
darksidfqzcuhtk2[.]onion
fotoeuropa[.]ro
gosleepaddict[.]com
ironnetworks[.]xyz
kgtwiakkdooplnihvali[.]com
koliz[.]xyz
lagrom[.]com
los-web[.]xyz
openmsdn[.]xyz
rumahsia[.]com
securebestapp20[.]com
skolibri13[.]azureedge[.]net
sol-doc[.]xyz
yeeterracing[.]com
7cats[.]ch