DarkSide Ransomware operators have posted on a Russian speaking forum that they will be creating a distributed storage system in Iran to store victim data for up to six months. The post, which was found by researchers at Kela, stated that the group wanted to find a way other than a website to store the data that operators of their ransomware stole. Many ransomware operators have moved to websites to post and store victim information. DarkSide is run as Ransomware-as-service, meaning the group develops the ransomware and licenses the system to other criminals to hack into companies and encrypt victim data. The operators get a percentage of the money their affiliates manage to steal. The group also deposited 320 thousand US dollars onto the website in search of new affiliates to hack companies. DarkSide puts all their new affiliates through an interviews process. The group also claims that their malware cannot be used to target the healthcare sector, education, non-profit, and government entities.
Many other groups stated at the beginning of the pandemic they would not target healthcare, but some have gone back on that promise. Moving forward, it is unknown if the group will be able to keep this promise or what they will do if an affiliate targets one of these entities. Companies should use the 3-2-1 rule as a guideline for backup practices. The rule states that three copies of all critical data are retained on at least two different types of media and at least one of them is stored offline. This will allow any company infected by ransomware to restore from a backup without paying the ransom, even if the threat actors attempt to destroy or corrupt online backup copies. In order to avoid data theft, it is necessary to implement a strong security program using a defense in depth approach to detect attempts to attack the network at multiple stages so that even if the intruder manages to bypass some defenses, others are in place to alert security analysts to the problem. Although attacks usually take a few days to complete, in some recent cases, ransomware attacks went from the first workstation infection (via a malicious email attachment) to full domain control and widespread encryption in about five hours. Security analysts need to be available 24 hours a day to respond to intrusions and must detect attacks quickly to be successful at stopping them before attackers have a chance to do serious damage. The Binary Defense Security Operations Task Force watches over clients’ workstations and servers 24 hours a day, every day, and is able to stop attacks no matter when they occur.
More can be read here: https://www.bleepingcomputer.com/news/security/darkside-ransomware-is-creating-a-secure-data-leak-service-in-iran/