Illuminating DarkSide: TTPs, Tools, and Trend Towards Defense Evasion

The DarkSide ransomware group conducted several high-profile breaches, including the US-based Colonial Pipeline Company incident in May 2021. The DarkSide has established the Ransomware as a Service (RaaS) model and expanded its operations with the participation of other threat actors. 

In this research, we investigated Tactics, Techniques, and Procedures (TTPs) and also tools utilized by the DarkSide threat actors to understand their attack methods and the impact of their breaches. The most exciting finding was that only 9% of used tools in DarkSide attack campaigns were malware. 91% of utilized tools by DarkSide threat actors are publicly available and legitimate tools that are using known attack techniques.

Some key findings from this research:

DarkSide operators use at least 34 MITRE ATT&CK techniques categorized under all 14 tactics of the framework.
Emerging threat actors like DarkSide use native living-off-the-land Windows utilities, legitimate tools and services, and red team tools throughout the attack lifecycle to stay under the radar of security controls and remain undetected.
Signature-based prevention approaches are not effective against these tools. Behavior-based detection is required.
Instead of reactive approaches, proactive approaches such as attack simulation and security control validation help finding gaps and improving cyber resilience against emerging threat actors like DarkSide.

Discover all TTPs and tools used by DarkSide threat actors by downloading this report.