top of page

The ATP Named 'Darkside' Is Back and More Powerful Than Ever, Are They the New 'Maze'?

Darkside, the up-and-coming cybercrime group first reported in August 2020, is back–executing highly targeted campaigns designed to take companies down. They’re using new stealthy tactics to establish backdoors and scout Active Directory to harvest credentials while carefully covering their tracks. The endgame: steal data--including backups--and unleash ransomware.

We sat down with Matt Radolec, Director, Security Architecture & Incident Response at data security and insider threat detection company Varonis to discuss their new research on Darkside, and what they're seeing from first-hand experience via four investigations and ransom negotiations with the group:

What are some TTPs of Darkside?

We saw Darkside use a variety of tactics in each case we examined, and it’s worth noting that each attack is customized. These include targeted Phishing E-mails, RDP Brute Force, Kerberoasting, DCSync, Golden Ticket, C2-RDP over Tor embedded in HTTP/S, C2, Cobalt Strike over Tor.

Who are they targeting?

The cases we examined spanned manufacturing, insurance, retail, and legal.

What makes them dangerous?

A few things stand out:

  • They weaponize an organizations data against them by going for extortion first/ransomware second.

  • They use built-in windows tool to avoid detection and ‘live-off-the-land”

  • They actively target systems which traditionally have less monitoring(servers, applications, etc)

  • They have longer dwell time to decrease chances of detection

  • They customize infections to be more resilient (not re-using the same malicious code)

What can organizations do to protect themselves against advanced threats like Darkside?

We recommend organizations protect their data from the inside out – following the principals of least privilege, zero trust, identification and robust monitoring of critical/sensitive data. They should implement behavioral monitoring to identify stealthy attackers who work hard to avoid detection from network/host-based detection systems

It’s also essential to pro-actively review their systems and hunt for threats.



bottom of page