
Zscaler Blog


Security Research

Coverage Advisory for DarkSide Ransomware Activity Targeting Manufacturing, Legal, Insurance, Healthcare and Energy Sectors

May 10, 2021 - 3 min read


A cybersecurity advisory was released by the Federal Bureau of Investigation (FBI) related to a DarkSide ransomware infection targeting manufacturing, legal, insurance, healthcare and energy sectors. In May 2021, the FBI received notification that the ransomware variant DarkSide had infected a critical infrastructure company. The attack was confirmed to have been waged against Colonial Pipeline, the largest fuel distributor in the United States.


What is the issue?

DarkSide was first spotted in August 2020. It gains access through weak or compromised credentials for Virtual Desktop Infrastructure (VDI) or Remote Desktop Protocol (RDP) connections. It encrypts files and appends the extension “.{random 6 alphanumeric/numeric characters}” to each one. It uses a combination of the RSA and Salsa20 algorithms to encrypt files. DarkSide has impacted numerous organizations across various sectors including manufacturing, legal, insurance, healthcare, and energy.
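The file-renaming behaviour described above (original name plus a dot and six random alphanumeric characters) is something a defender can watch for on file servers. The following is an added example, not code from the advisory or from Zscaler: it parses a small set of constructed file-system rename events and flags a host where many files gain the same six-character suffix inside a short window. The event format, the suffix value ".k7m2q9", the 60-second window and the threshold of five renames are all assumptions made for the example; the "one suffix per infected host" grouping is also an assumption, chosen to keep ordinary renames that happen to end in six alphanumerics (a date stamp on a log file, for instance) below the threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Suffix shape from the advisory: a dot followed by six alphanumeric characters.
APPENDED_EXT = re.compile(r"\.([a-z0-9]{6})$", re.IGNORECASE)

# Detection thresholds (assumed values; tune for your own file servers).
WINDOW = timedelta(seconds=60)
MIN_RENAMES = 5

# Constructed sample events (not from a real incident), tab-separated:
# timestamp, host, action, old path, new path. The suffix ".k7m2q9" is made up.
SAMPLE_EVENTS = """\
2021-05-07T03:14:01Z\tfs01\tRENAME\tC:\\Shares\\Finance\\q1.xlsx\tC:\\Shares\\Finance\\q1.xlsx.k7m2q9
2021-05-07T03:14:02Z\tfs01\tRENAME\tC:\\Shares\\Finance\\q2.xlsx\tC:\\Shares\\Finance\\q2.xlsx.k7m2q9
2021-05-07T03:14:02Z\tfs01\tRENAME\tC:\\Shares\\Legal\\nda.docx\tC:\\Shares\\Legal\\nda.docx.k7m2q9
2021-05-07T03:14:03Z\tfs01\tRENAME\tC:\\Shares\\Legal\\msa.docx\tC:\\Shares\\Legal\\msa.docx.k7m2q9
2021-05-07T03:14:03Z\tfs01\tRENAME\tC:\\Shares\\HR\\roster.csv\tC:\\Shares\\HR\\roster.csv.k7m2q9
2021-05-07T03:14:04Z\tfs01\tRENAME\tC:\\Shares\\HR\\payroll.csv\tC:\\Shares\\HR\\payroll.csv.k7m2q9
2021-05-07T09:00:00Z\tws22\tRENAME\tC:\\Users\\ann\\draft.docx\tC:\\Users\\ann\\draft_final.docx
2021-05-07T09:05:00Z\tws22\tRENAME\tC:\\Users\\ann\\build.log\tC:\\Users\\ann\\build.log.202105
"""


def appended_suffix(old_path, new_path):
    """Return the six-character suffix if new_path is old_path plus ".xxxxxx", else None.

    A rename that changes the base name (draft.docx -> draft_final.docx) does not match,
    because the ransomware keeps the original name intact and only appends.
    """
    if not new_path.startswith(old_path):
        return None
    m = APPENDED_EXT.fullmatch(new_path[len(old_path):])
    return m.group(1).lower() if m else None


def parse_events(text):
    """Parse the tab-separated sample format into (timestamp, host, action, old, new) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, action, old, new = line.split("\t")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, action, old, new))
    return events


def find_mass_rename(events, window=WINDOW, min_renames=MIN_RENAMES):
    """Flag (host, suffix) pairs with at least min_renames matching renames inside one window.

    Returns {(host, suffix): largest number of matching renames seen in any single window}.
    """
    by_key = defaultdict(list)
    for ts, host, action, old, new in events:
        if action != "RENAME":
            continue
        suffix = appended_suffix(old, new)
        if suffix:
            by_key[(host, suffix)].append(ts)

    alerts = {}
    for key, times in by_key.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_renames:
            alerts[key] = best
    return alerts


if __name__ == "__main__":
    for (host, suffix), count in find_mass_rename(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {host}: {count} files renamed with suffix .{suffix} within {WINDOW}")
```

On the sample input only fs01 is flagged (six renames to ".k7m2q9" in four seconds); the single "build.log.202105" rename on ws22 matches the suffix shape but stays below the threshold, which is the reason for counting per host and suffix rather than alerting on the pattern alone.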

DarkSide uses double extortion tactics by exfiltrating data and threatening to publish it to the internet in addition to encrypting files. Double extortion has been an increasing tactic among ransomware operators since late 2019.


What systems are impacted?

All machines running Windows and Linux operating systems.


What can you do to protect yourself?

We recommend making periodic backups of all the important data and keeping those backups isolated off the network. It is equally important to have updated security software and the latest software patches applied to the endpoints. Remote Desktop service access should always be restricted, or it should be turned off if not used. As always, avoid opening suspicious emails containing attachments or links that come from any unknown sources. Disable macros in Office programs. Do not enable them unless it is essential to do so. Enable multi-factor authentication (MFA) across both business and personal email accounts to thwart most credential harvesting attacks.
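Because the advisory ties DarkSide's initial access to weak or compromised RDP credentials, restricting Remote Desktop is the control and a burst of failed RDP logons is the signal that the control is being tested. The following is an added example, not code from the advisory or from Zscaler: it reads a constructed, simplified rendering of Windows Security events and raises an alert when one source address accumulates many failed RemoteInteractive logons in a short window, recording whether a successful logon from the same source followed. The event IDs 4625 (failed logon), 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are standard Windows values; the one-line log format, the five-minute window, the threshold of ten failures and every address and account name are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Standard Windows Security log values.
FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624
RDP_LOGON_TYPE = 10  # RemoteInteractive

# Detection thresholds (assumed values; tune for your environment).
WINDOW = timedelta(minutes=5)
MIN_FAILURES = 10

# Constructed sample log (not real telemetry) in a simplified one-line-per-event format.
# 198.51.100.23 and 203.0.113.5 are documentation addresses; accounts are made up.
SAMPLE_LOG = """\
2021-05-06T22:10:01Z 4625 LogonType=10 Account=administrator Source=198.51.100.23
2021-05-06T22:10:19Z 4625 LogonType=10 Account=administrator Source=198.51.100.23
2021-05-06T22:10:37Z 4625 LogonType=10 Account=svc_backup Source=198.51.100.23
2021-05-06T22:10:55Z 4625 LogonType=10 Account=svc_backup Source=198.51.100.23
2021-05-06T22:11:13Z 4625 LogonType=10 Account=jsmith Source=198.51.100.23
2021-05-06T22:11:31Z 4625 LogonType=10 Account=jsmith Source=198.51.100.23
2021-05-06T22:11:49Z 4625 LogonType=10 Account=administrator Source=198.51.100.23
2021-05-06T22:12:07Z 4625 LogonType=10 Account=svc_backup Source=198.51.100.23
2021-05-06T22:12:25Z 4625 LogonType=10 Account=jsmith Source=198.51.100.23
2021-05-06T22:12:43Z 4625 LogonType=10 Account=administrator Source=198.51.100.23
2021-05-06T22:13:01Z 4625 LogonType=10 Account=svc_backup Source=198.51.100.23
2021-05-06T22:13:19Z 4625 LogonType=10 Account=jsmith Source=198.51.100.23
2021-05-06T22:14:00Z 4624 LogonType=10 Account=jsmith Source=198.51.100.23
2021-05-06T22:30:00Z 4625 LogonType=10 Account=ann Source=203.0.113.5
2021-05-06T22:30:20Z 4624 LogonType=10 Account=ann Source=203.0.113.5
2021-05-06T23:00:00Z 4624 LogonType=2 Account=ann Source=-
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<id>\d+) LogonType=(?P<lt>\d+) Account=(?P<acct>\S+) Source=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn the sample one-line format into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "id": int(m["id"]),
            "logon_type": int(m["lt"]),
            "account": m["acct"],
            "source": m["src"],
        })
    return events


def detect_rdp_bruteforce(events, window=WINDOW, min_failures=MIN_FAILURES):
    """Alert per source address with >= min_failures failed RDP logons inside one window.

    Returns {source: {"failures": peak count in a window, "accounts": set of targeted
    accounts, "success_after": account of the first later RDP success, or None}}.
    """
    rdp = sorted((e for e in events if e["logon_type"] == RDP_LOGON_TYPE), key=lambda e: e["ts"])
    recent_failures = defaultdict(list)  # source -> failed events still inside the window
    alerts = {}
    for e in rdp:
        src = e["source"]
        if e["id"] == FAILED_LOGON:
            kept = [f for f in recent_failures[src] if e["ts"] - f["ts"] <= window]
            kept.append(e)
            recent_failures[src] = kept
            if len(kept) >= min_failures:
                a = alerts.setdefault(src, {"failures": 0, "accounts": set(), "success_after": None})
                a["failures"] = max(a["failures"], len(kept))
                a["accounts"].update(f["account"] for f in kept)
        elif e["id"] == SUCCESSFUL_LOGON and src in alerts and alerts[src]["success_after"] is None:
            # A success following a burst of failures is the case to escalate first.
            alerts[src]["success_after"] = e["account"]
    return alerts


if __name__ == "__main__":
    for src, a in detect_rdp_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {src}: {a['failures']} failed RDP logons against {sorted(a['accounts'])}; "
              f"later success as {a['success_after']}")
```

In the sample, 198.51.100.23 produces twelve failures across three accounts in under four minutes and then a successful logon as jsmith, which is the pattern worth paging on; the single mistyped password from 203.0.113.5 and the console logon (type 2) produce nothing. With RDP restricted or MFA enforced as recommended above, the success branch of this check should never fire.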

Zero Trust architecture and policy are essential to mitigating the success and damage of ransomware attacks. We recommend using context-based identity and policy enforcement to control and monitor access to the internet and applications. We suggest connecting users and entities directly to applications rather than to a network to eliminate lateral movement. Additionally, we recommend using in-line data loss prevention to further protect against data exfiltration.


Zscaler coverage

  • Advanced Threat Protection
  • Malware Protection
  • Advanced Cloud Sandbox

Details related to these threat signatures can be found in the Zscaler Threat Library.

Our Cloud Sandbox Report for DarkSide ransomware executable can be seen in Figure 1.

Fig 1: Cloud Sandbox Report for DarkSide Ransomware


The Zscaler Cloud Sandbox provides proactive coverage against advanced threats such as ransomware and banking trojans. The Zscaler ThreatLabZ team is also actively monitoring the DarkSide, CobaltStrike and Zloader malware families and ensuring coverage for all the latest IOCs associated with them.



