In August 2020, the threat actor group Carbon Spider, associated with the REvil group, introduced a new ransomware called DarkSide. It was later offered as a RaaS in November 2020. It uses a variety of methods to gain initial access to its target system, specifically phishing, Remote Desktop Protocol (RDP) exploitation, Cobalt Strike, and other exploits. Once it gains a foothold, it moves to the Domain Controller (DC), where it steals credentials and other valuable assets for data exfiltration. It then continues its lateral movement through the network, eventually using the DC network share to deploy the ransomware to connected machines.
DarkSide, which is offered via the ransomware-as-a-service (RaaS) model, has already been deployed against critical infrastructure in the United States. It uses a "double extortion" technique, in which the attackers threaten to release sensitive information in addition to encrypting the data on their victims' machines.
- File Encryption
- Data Exfiltration
- Command and Control
- Lateral Movement
- Credential Stealing
- Data loss - loss of important files, documents and other data upon encryption
- Financial loss - users are asked to pay in order to decrypt files that were affected
- Exfiltration of data
| SHA1 | DETECTION/POLICY/RULES | PATTERN BRANCH/VERSION | RELEASE DATE / LAST UPDATE |
|---|---|---|---|

Predictive Machine Learning

| PATTERN BRANCH/VERSION | RELEASE DATE |
|---|---|
| Malware Behavior Blocking | 2020 |

TippingPoint DV filter

Malware DV Filter 39754
Solution Map - What should customers do?
To update Trend Micro products, refer to the corresponding Online Help Center guides.
Always use the latest available pattern so that both old and new variants of DarkSide ransomware are detected.
- Please refer to the KB article on Recommendations on how to best protect your network using Trend Micro products.
Make sure to implement the ransomware protection features and best practices.
- Please refer to the KB article on Ransomware: Solutions, Best Practice Configuration and Prevention using Trend Micro products.
- You may also check the article on Submitting suspicious or undetected virus for file analysis to Technical Support.
- For support assistance, please contact Trend Micro Technical Support.