
Darkside Ransomware: Further Threat Associations Unearthed

Posted on Jun 30, 2021 | By Priya Ravindran

{Update} August 19, 2021:
Three months after the Colonial Pipeline incident, the repercussions are still being felt. The company recently identified that the DarkSide operators got their hands on documents containing personal data of over 5000 people, and has started sending out notification letters to affected individuals.


{Update} July 13, 2021:

As recently as July 2021, the popular fashion brand Guess announced that it had fallen victim to an attack by Darkside back in February, and warned of customer data leaks on the Dark Web. The information released included sensitive data such as the company’s financial details and customers’ Social Security numbers, driver's license numbers, passport numbers, and financial account numbers.


Darkside ransomware has added two more CVEs to its arsenal, alongside two additional APT group associations. Check out our analysis and patch these vulnerabilities before they are exploited again!

Last month, Darkside ransomware went down in history for causing the single largest disruption of gasoline supply in the United States. The attack was so crippling that fuel prices peaked, panic buying set in, and almost 45% of the East Coast’s fuel supply was cut off. It took a week of reconstruction, alongside FBI involvement and a $5M ransom payment, to bring the supply back online. Subsequently, the FBI recovered about half of the ransom paid after gaining access to the bitcoin wallet used in the transaction.


More CVE Findings

In our previous blog, we observed how the Darkside ransomware group utilized two vulnerabilities, CVE-2019-5544 and CVE-2020-3992, to launch their attacks on Colonial Pipeline. Since then, we have come across more interesting findings about this ransomware.


It has come to light that two additional CVEs are part of the Darkside attack arsenal: CVE-2020-1472 and CVE-2021-20016.

Darkside Ransomware CVEs


  • CVE-2021-20016 is a new vulnerability identified earlier this year. It is assigned a CVSS v3 score of 9.8 and tagged as a critical flaw.

  • The vulnerability exists across six SonicWall Secure Mobile Access (SMA) products, which act as an access gateway through which organizations provide remote access to resources hosted on-premises, in the cloud, and in hybrid data centers.

  • The SonicWall advisory has published workarounds for this vulnerability.



  • CVE-2020-1472, popularly known as the Zerologon vulnerability, is a critical 2020 CVE with a CVSS v3 score of 10. It can be exploited to gain elevated access to resources.

  • CVE-2020-1472 is seen in 11 products spread across the vendors Microsoft, Fedora Project, openSUSE, Canonical, Synology and Samba.

  • Security updates are available for patching the vulnerability.

  • In our Ransomware Report 2020, we noted that CVE-2020-1472 was also weaponized by the CryptoMix ransomware family, which is associated with five other ransomware groups.


Two Advanced Persistent Threat (APT) groups, Carbanak and FIN7, are now additionally associated with Darkside. This brings the total number of APT groups using Darkside to five.



  • From our exposure analysis using Shodan, we can see that there are 2911 deployments of SonicWall SMA 200 firmware and 688 products affected by CVE-2020-1472 currently in use, leaving them exposed to attack.


The Darkside Attack Methodology

The threat actors have been identified using the Tor browser, which routes traffic through a multi-hop proxy network. Messages are encrypted at multiple layers using onion routing, giving the operators increased anonymity on the Internet. The Darkside ransomware group has also been observed deploying Cobalt Strike as their command-and-control tool. Cobalt Strike is a collection of threat emulation tools that is seeing more and more adoption by malicious groups.


According to the latest news reports, the Colonial Pipeline attack happened because of the leaked credentials of a virtual private network (VPN) account through which employees remotely accessed the company’s network. While we may not know exactly what VPN weakness led to the breach, the lesson is that it is important to ensure the security of the VPNs and other applications we use. This is something CSW has always emphasized and even warned about in our Cyber Risk Series.


Darkside Ransomware MITRE ATT&CK Mapping

The tactics and techniques below are in addition to the previously published MITRE ATT&CK mapping details.



  • T1087 - Account Discovery
  • T1098 - Account Manipulation
  • T1027.004 - Compile After Delivery
  • T1555 - Credentials from Password Stores
  • T1555.002 - Credentials from Registry
  • T1486 - Data Encrypted for Impact
  • T1140 - Deobfuscate/Decode Files or Information
  • T1055.001 - Dynamic-link Library Injection
  • T1190 - Exploit Public-Facing Application
  • T1133 - External Remote Services
  • T1083 - File and Directory Discovery
  • T1105 - Ingress Tool Transfer
  • T1490 - Inhibit System Recovery
  • T1036 - Masquerading
  • T1090.003 - Multi-hop Proxy
  • T1027 - Obfuscated Files or Information
  • T1566 - Phishing
  • T1059.001 - PowerShell
  • T1057 - Process Discovery
  • T1113 - Screen Capture
  • T1569.002 - Service Execution
  • T1489 - Service Stop
  • T1129 - Shared Modules
  • T1082 - System Information Discovery
  • T1080 - Taint Shared Content
  • T1047 - Windows Management Instrumentation
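Two of the mapped techniques, T1490 (Inhibit System Recovery) and T1489 (Service Stop), are the ones a defender can most easily catch in process-creation telemetry, because ransomware needs to delete shadow copies and stop database or backup services before it encrypts. The script below is an added example, not CSW's tooling or anything recovered from the Darkside samples: it parses a handful of constructed process-creation events in a simple key=value format (the format, host names and command lines are all assumptions made for the example), tags each command line with the technique it matches, and escalates any host where both techniques appear, since that pairing is the usual pre-encryption pattern.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed process-creation events (not telemetry from any real incident).
# Format assumed for this example: "<timestamp> host=<h> user=<u> parent=<p> cmd=\"<cmdline>\"".
SAMPLE_LOG = [
    '2021-05-07T10:15:22Z host=WS01 user=jdoe parent=cmd.exe cmd="vssadmin.exe delete shadows /all /quiet"',
    '2021-05-07T10:15:25Z host=WS01 user=jdoe parent=cmd.exe cmd="net stop MSSQLSERVER /y"',
    '2021-05-07T10:16:01Z host=WS02 user=backupsvc parent=backup.exe cmd="vssadmin list shadows"',
    '2021-05-07T10:16:40Z host=WS02 user=asmith parent=explorer.exe cmd="notepad.exe C:\\notes.txt"',
    '2021-05-07T10:17:03Z host=WS03 user=SYSTEM parent=powershell.exe cmd="wmic shadowcopy delete"',
    '2021-05-07T10:17:05Z host=WS03 user=SYSTEM parent=powershell.exe cmd="bcdedit /set {default} recoveryenabled No"',
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'parent=(?P<parent>\S+) cmd="(?P<cmd>[^"]*)"$'
)

# Case-insensitive patterns over the full command line. Each key is the ATT&CK
# technique the pattern is evidence for; "vssadmin list shadows" deliberately
# does not match, because listing shadow copies is routine backup behaviour.
RULES: Dict[str, List[str]] = {
    "T1490 Inhibit System Recovery": [
        r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b",
        r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b",
        r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b",
        r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b",
    ],
    "T1489 Service Stop": [
        r"\bnet1?(\.exe)?\s+stop\b",
        r"\bsc(\.exe)?\s+stop\b",
    ],
}
COMPILED = {t: [re.compile(p, re.IGNORECASE) for p in ps] for t, ps in RULES.items()}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the event fields as a dict, or None if the line is malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(cmdline: str) -> List[str]:
    """Techniques whose patterns match this command line (may be empty)."""
    return [t for t, ps in COMPILED.items() if any(p.search(cmdline) for p in ps)]


def analyze(lines: List[str]) -> Dict[str, List[str]]:
    """Map each host to the sorted set of techniques observed on it."""
    per_host = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip lines that do not follow the assumed format
        for technique in classify(ev["cmd"]):
            per_host[ev["host"]].add(technique)
    return {host: sorted(ts) for host, ts in per_host.items()}


def escalate(findings: Dict[str, List[str]]) -> List[str]:
    """Hosts showing both recovery inhibition and service stopping: treat as
    an active ransomware precursor and isolate, rather than just alert."""
    return sorted(host for host, ts in findings.items() if len(ts) >= 2)


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG)
    for host, techniques in findings.items():
        print(host, "->", ", ".join(techniques))
    print("escalate:", escalate(findings))
```

On the constructed sample, WS01 is escalated (shadow deletion followed by a database service stop), WS03 is flagged for T1490 only, and WS02 produces nothing, which is the behaviour you want: a single `vssadmin list shadows` from a backup account should not page anyone.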

Has Darkside truly retired? The question remains...

Recent research highlights a new Darkside ransomware variant that exhibits behaviour unseen to date. Found to affect Windows platforms, the new variant seeks out partition information on hard disks to identify hidden data, and can even compromise multi-boot systems.


Fraudsters have also been observed impersonating the Darkside ransomware group in more recent activity, trying to capitalize on the rise in ransomware incidents. The fact is that remediation following a ransomware attack is a cumbersome process. Organizations need to take proactive measures to ensure they do not fall victim to such attacks.


