{
	"id": "44866c74-04da-4496-990a-eb997e329a8e",
	"created_at": "2026-04-06T01:29:36.093267Z",
	"updated_at": "2026-04-10T13:12:10.729152Z",
	"deleted_at": null,
	"sha1_hash": "35a840dd6b7d802d912c0977430c8da18d1eb771",
	"title": "Tracking DarkSide and Ransomware: The Network View",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 91311,
	"plain_text": "Tracking DarkSide and Ransomware: The Network View\r\nBy Joe Slowik\r\nPublished: 2021-05-17 · Archived: 2026-04-06 00:13:21 UTC\r\nUpdated October 14, 2021.\r\nSince grabbing headlines in early May 2021, the ransomware incident impacting Colonial Pipeline attracted\r\nsignificant attention from both media and information security spaces, given the scope and impact of the event.\r\nWhile much has already been written and will continue to emerge as more evidence comes available, lacking from\r\nthe discussion so far is a network-centric view of the general behaviors and detection possibilities associated with\r\nransomware deployment. In this article, Gigamon provides an overview of the event in question, the behaviors\r\nlinked to similar ransomware operations, the importance of network visibility, and possibilities for network\r\ndetection and monitoring to meet these adversaries and related malicious activities head-on.\r\nBackground\r\nOn May 7, 2021, Colonial Pipeline suffered a ransomware incident. While all available information indicates that\r\nransomware impacted only enterprise IT systems for Colonial, the company preemptively shut down linked\r\nindustrial control systems (ICS) out of an abundance of caution. The intrusion and resulting disruption were\r\nsubsequently linked to a ransomware variant known as DarkSide. Active since at least August 2020, DarkSide\r\noperates under a “Ransomware as a Service” or “affiliate” model where the group provides “double-extortion”\r\nransomware services to other entities that execute the actual network breach and capability deployment. DarkSide\r\nthen manages negotiations and payment to both decrypt a victim’s information and to stop the selective leaking of\r\ndata exfiltrated from the target network.\r\nWhile DarkSide-related activity has continued at a relatively steady state since its initial discovery in 2020, the\r\nColonial Pipeline incident is notable given its disruptive impact. 
While neither the first notable cyber intrusion in\r\npipeline systems, nor the first ransomware event on pipeline infrastructure, Colonial’s preemptive shutdown of\r\ncritical systems triggered a halt in their operations. As one of the main arteries delivering refined petroleum\r\nproducts to the Eastern and Southeastern United States, the disruption induced reactions from panic buying of\r\ngasoline through statements from the White House. Although Colonial was able to begin restoring operations as\r\nearly as May 12, 2021, the shock and short-term impacts of the event were felt across both policymaker and\r\ninformation security circles.\r\nRansomware Entity Intrusion Tradecraft\r\nDarkSide ransomware impacted multiple victims since discovery in 2020. Yet while this ultimate payload\r\ninducing network disruption (and data theft for extortion) is concerning, defenders should focus on the\r\npreliminary steps enabling ransomware execution rather than the ransomware family itself. In this respect, given\r\nthe “affiliate model” through which adversaries deploy DarkSide, the ransomware variant can be linked to\r\nmultiple behavioral profiles.\r\nhttps://blog.gigamon.com/2021/05/17/tracking-darkside-and-ransomware-the-network-view/\r\nPage 1 of 7\n\nMultiple vendors provide insight into initial access, entrenchment, and subsequent lateral movement activity\r\nlinked to DarkSide deployment. 
Among the most notable examples are the following:\r\nInitial reporting from Digital Shadows in September 2020\r\nCybereason Nocturnus’ overview of activity in April 2021\r\nVaronis reporting, subsequently updated after the Colonial incident\r\nAn overview of recent DarkSide behaviors from FireEye, also after the Colonial incident\r\nObservations from incident response engagements from Sophos\r\nFurther analysis from Palo Alto Unit 42\r\nThese are all valuable contributions to the discussion concerning DarkSide’s deployment, and Gigamon highly\r\nrecommends defenders review these items for awareness and to become familiar with this threat. Yet all these\r\nitems largely focus on host-based actions and observations, which is unsurprising, as most of the entities in\r\nquestion are involved in host-based security solutions. In addition to these observations, defenders possess a\r\nmultitude of options for tracking behaviors over the network related to DarkSide deployment, as well as other\r\nransomware operations.\r\nInitial Access Mechanisms\r\nAdversary deployment of DarkSide ransomware is linked to a variety of initial access mechanisms, as one would\r\nexpect given that multiple entities relate to its use. Based on a review of available literature and analysis, Gigamon\r\nidentifies the following as primary DarkSide affiliate mechanisms to initially breach victim networks:\r\nPhishing activity leveraging malicious attachments\r\nCredential replay attacks against external-facing services, such as Remote Desktop Protocol (RDP)\r\nUse of publicly disclosed exploits against external-facing services, such as vulnerabilities in externally\r\naccessible VPN appliances (including CVE-2021-20016)\r\nWhile the above represent known vectors linked to DarkSide affiliate operations, the specific mechanism used to\r\ninfiltrate Colonial Pipeline is not known at the time of this writing. 
Nonetheless, these initial intrusion\r\nmechanisms align well with common tradecraft associated with not only criminal operations (such as\r\nransomware), but also advanced persistent threat (APT) or state-directed intrusions.\r\nWhile one specific VPN exploit is called out in research from FireEye, Gigamon assesses that other, publicly\r\ndisclosed exploits have also likely been used as part of intrusions leading to ultimate ransomware deployment\r\nmore generally. Given the significant increase in disclosure and subsequent use of exploits targeting external-facing appliances such as VPN concentrators, network defenders should anticipate rapid moves by a variety of\r\nadversaries, whether related to DarkSide or not, to take advantage of such potential ingress points.\r\nLateral Movement and Command and Control Activity\r\nOnce within victim networks, DarkSide-related intrusions leverage a combination of built-in system tools (such as\r\n“LoLBins”) and publicly or commercially available tools for varying levels of network communication and\r\nfunctionality. Such items are deployed to both spread throughout the victim network, as well as to maintain\r\ncommand and control (C2) over any implants or tools. 
Examples include:\r\nThe Sysinternals remote command execution utility PSExec\r\nCommercially available remote access tools such as TeamViewer\r\nThe PuTTY-related application Plink\r\nThe commercially available (but frequently pirated or cracked) Cobalt Strike\r\nThe publicly available Custom Command and Control (C3) framework\r\nNetwork enumeration tools such as ADRecon and BloodHound for mapping victim Active Directory\r\ninstances\r\nTunneling C2 traffic, including RDP, via The Onion Router (TOR) to mask activity\r\nAdditionally, adversaries leverage built-in tools such as RDP and Server Message Block (SMB) connections to\r\nenable tool or capability deployment and lateral movement in victim environments, combined with continuous\r\ncredential harvesting via tools such as Mimikatz.\r\nAt this stage, endpoint-related visibility becomes valuable in assessing an intrusion in many cases. However, even\r\nthe best endpoint visibility on its own is insufficient to track, detect, and monitor elusive adversaries. This is\r\nespecially the case for internal network movement. By pairing network monitoring and visibility with robust\r\nnetwork security monitoring, defenders can ensure that all possible avenues for intruder operation are accounted\r\nfor.\r\nLike the initial access vectors described in the previous section, the lateral movement and C2 mechanisms\r\nidentified here are hardly unique to DarkSide deployment. Instead, these techniques encompass behaviors also\r\ndeployed by entities ranging from APTs to other, criminal actors. 
By establishing monitoring for either external\r\ncommunication linked to the tools or techniques listed above, or examining internal communication flows for\r\nlateral movement activity, defenders can identify malicious behaviors even when endpoint and similar visibility\r\ncan be evaded.\r\nData Exfiltration\r\nOne other component to DarkSide-related operations, along with some other ransomware families, is the use of\r\n“double extortion” to prompt payment. In addition to encrypting data, victim information is stolen with threat of\r\npublication unless payment is made. Identifying large-scale data exfiltration in progress can be an indicator of\r\nimminent disruptive actions, and if caught in time may allow for defenders to respond quickly to prevent further\r\nharm. Based on reporting from researchers at Red Canary on general trends in this space, as well as specific\r\nobservations on DarkSide, the following tools and techniques appear associated with “double extortion”\r\noperations:\r\nUse of cross-platform, free tools such as Rclone or WinSCP\r\nMega.io-focused tools such as MEGAcmd or MEGAsync\r\nAlthough not conclusively proven, media reporting indicates at least in the Colonial incident the criminals\r\nleveraged cloud hosting infrastructure, specifically from Digital Ocean, as an intermediary for data exfiltration as\r\npart of this process.\r\nThe above behaviors provide a variety of potential detection possibilities. 
Examples include simple tracking of\r\nlarge, anomalous traffic flows indicative of large-scale data exfiltration to use of specific service and destination\r\ncombinations (such as WinSCP to an Autonomous System Number (ASN) associated with a cloud provider).\r\nNetwork Visibility and Monitoring\r\nThe mechanisms identified above are not distinct to DarkSide deployment; this provides a substantial benefit to\r\ndefenders in that identifying general techniques associated with such intrusions will enable defensive coverage\r\nover a wide number of potential adversaries. Moreover, given the efforts by DarkSide-related entities (as well as\r\nnumerous other threats) to evade endpoint detection and response (EDR) solutions as part of fundamental\r\ntradecraft, bolstering host-centric visibility with robust network monitoring can enable organizations to detect\r\nsuch operations at multiple phases of the Cyber Kill Chain.\r\nEstablishing network visibility and monitoring not only at the network edge but also for internal network traffic\r\ncan enable powerful defensive responses covering a variety of threats. Looking at the behaviors identified in the\r\nprevious sections, various defense and alerting mechanisms emerge from initial access through lateral movement\r\nand code execution.\r\nExternal Monitoring\r\nMonitoring external scanning or authentication brute force activity can be difficult given the sheer volume of\r\nactivity from multiple services, malicious actors, and other entities. 
Yet being able to differentiate security-significant “signal” from background “noise” is critical in articulating meaningful, sustainable network defense.\r\nFor example, identifying exploit scanning activity, such as for the VPN vulnerability linked to DarkSide\r\ndeployment above, may rapidly result in numerous alarms for various commercial or academic scanners\r\nattempting to identify vulnerable instances. Instead of attempting to chase every single potential vulnerability\r\nscan, defenders should seek higher-quality, lower-volume detections to ensure focused and efficient operations.\r\nBy viewing network security events not as atomic, discrete objects but as interrelated items linked through time\r\nand execution, powerful possibilities emerge for detection and analysis. For example, identifying linked activity\r\nsuch as a vulnerability scan of an external-facing service (or an explicit attempt to exploit that service) followed\r\nby scanning or authentication activity from that victim host to other, internal hosts within the network can flag\r\nlikely initial intrusion actions and adversary attempts to expand access. By linking the discrete observations into a\r\ncomplex, high-confidence analytic of malicious behavior, defenders can not only ensure response to only high-severity, high-confidence events, but also alert on tradecraft linked to numerous threat actors.\r\nSimilar methodologies apply to credential stuffing, brute force, or guessing activity. Again, a variety of scanners\r\nand other items will likely be engaged in such activity on a daily basis. But identifying instances of dedicated\r\nscanning or brute forcing from a single source, or such activity followed by anomalous network traffic from the\r\nrecipient of such activity, can narrow observations to likely compromise scenarios. 
Defenders can then vector\r\nresources and efforts appropriately to these events to initiate incident response operations, minimizing time to\r\ndetection and time to recovery.\r\nOther possibilities exist related to specific services and protocols. For example, in DarkSide operations deploying\r\nparties tunnel RDP via TOR in order to mask operations. While evading attempts to identify external RDP\r\nconnections, this still requires communication to TOR nodes. Tracking and identifying TOR nodes and related\r\ntraffic can serve as a potentially powerful way to either enable more robust monitoring or, if blocked, reduce\r\nnetwork attack surface. Similarly, and as stated above, by identifying combinations of activity such as network\r\ntraffic flows indicative of large-scale data movement or exfiltration to untrusted or unfamiliar network\r\ninfrastructure or ASNs, key portions of the “double extortion” model can be flagged prior to completion.\r\nInternal Network Communication\r\nNetwork monitoring and defense does not end at the perimeter; to deal with current threats (whether criminal\r\nactors or APTs) such visibility and response must extend to internal network communications. By leveraging a\r\nvisibility fabric or deploying dedicated sensors inside the perimeter to track host-to-host traffic and similar flows,\r\ndefenders can gain valuable visibility into adversary behavior that can identify intrusions in progress that\r\nboundary monitoring or EDR solutions otherwise miss.\r\nFor example, DarkSide deployment, along with multiple other actor behaviors, frequently uses credential theft\r\nfollowed by mapping a share over SMB for file transfer, then execution, via a tool such as PSExec. 
Identifying the\r\nconcrete behaviors behind this activity and establishing alerts when these events are identified in sequence\r\n(authentication to host, SMB share mapped to another host, followed by file transfer of an executable or scripting\r\nobject to the newly mapped host) can reveal instances of lateral movement. While it is possible such actions could\r\nidentify legitimate system administrator activity, in well-orchestrated environments such instances can be rapidly\r\ndispositioned, while the existence of an analytic identifying these linked network-specific events can flag actions\r\nrelated to a variety of threat actors.\r\nAdditional opportunities include monitoring of traffic flows and authentication activity, such as when an adversary\r\ndeploys legitimate tools such as RDP. In these cases, identifying a number of attempted or successful\r\nauthentication attempts from a single host to multiple hosts inside the network can indicate an adversary\r\nattempting to break out of an initial network foothold. Further visibility, including being able to track precisely\r\nwhat credentials or user accounts are used, can reveal compromised accounts and other valuable response\r\ninformation.\r\nOverall, the goal is to establish a combination of visibility into internal network traffic flows and combine this\r\nwith an understanding of adversary tradecraft and operations to produce high-confidence alerting on observed\r\nactivity. When paired with external network monitoring and endpoint defense, network defenders can severely\r\nimpede adversary operations, ensuring multiple potential detection points throughout the attacker’s lifecycle.\r\nWhat Role Does Gigamon Play in Ransomware Defense?\r\nNetwork Traffic Visibility and Network Detection and Response\r\nWhile SIEMs and EDRs have increased SOC and incident response (IR) team’s effectiveness in identifying active\r\ninfections, visibility gaps to devices, networks, and traffic remain. 
The result is that analysts are left in the dark\r\nwhen trying to identify all adversary activity described across the MITRE ATT\u0026CK framework.\r\nGigamon Hawk Visibility and Analytics Fabric\r\nAt the heart of an effective security posture is visibility, which in this case means access to all network traffic.\r\nGigamon visibility fabric collects and aggregates all data in motion and eliminates blind spots:\r\nSingle point of access to any infrastructure: physical, virtual, and cloud, including container traffic\r\nAggregation of traffic collected via physical and virtual TAPs across the network\r\nFlow Mapping®, GigaStream® traffic distribution, and base stripping and tunneling for sending traffic to\r\nany destination\r\nInline Bypass and physical bypass for failsafe traffic access, traffic forwarding, and inline security tool\r\noperation\r\nTraffic transformation and optimization, such as packet de-duplication, NetFlow generation, packet and\r\nflow slicing, etc.\r\nGigamon TLS Decryption\r\nAdversaries increasingly leverage SSL/TLS encrypted channels for C2 and similar activity, and many of the\r\ndetection techniques mentioned above require access to decrypted traffic. 
Most Fortune 1000 companies and\r\ngovernment agencies rely on Gigamon for TLS inspection:\r\nDecrypts once and shares with all security and monitoring tools, with support for automatic SSL and TLS\r\ndetection on any TCP port, with 10 Mb to 100Gig interface support\r\nStrong crypto support including Diffie-Hellman Ephemeral, elliptic curves, Poly1305/ChaCha20\r\nAll advanced ciphers, including TLS 1.3 with Perfect Forward Secrecy\r\nDiffie-Hellman Ephemeral, elliptic curves, Poly1305/ChaCha20 crypto\r\nInline or man-in-the-middle, and passive or out-of-band decryption\r\nPolicy-based selective decryption privacy and support for URL categorization and FIPS 140-2 Level 2 cert\r\nGigamon ThreatINSIGHT\r\nThe synergy between SSL/TLS inspection and network detection and response techniques is an effective means to\r\ncombat this threat vector and regain visibility over adversary operations. Gigamon ThreatINSIGHT™ Guided-SaaS NDR is a technology built by incident responders, for incident responders, that:\r\nProvides near packet-level visibility and recording of:\r\nAny device: Managed/unmanaged/IOT\r\nAny networks: Core/cloud/remote WFH\r\nAny traffic: North-South, East-West, and encrypted\r\nDelivers high-fidelity adversary detection methodology and techniques, and is\r\nEfficient: High-fidelity and QA’d proprietary threat intelligence\r\nEffective: ML and behavioral analysis of uniquely malicious activity\r\nCrowdsourced: To discover hidden and emerging threats\r\nIncludes threat context:\r\nEnriched metadata with near packet-level context\r\nIndexed for powerful searching and investigation\r\nFlexible retention options of 7-, 30-, and unlimited-day options\r\nEmbeds recommendations for analysts and responders:\r\nGuided: Threat-specific next steps for response\r\nGuided: Powerful threat hunting and full investigation/incident management workflows seek 
to\r\nextend their visibility beyond logs and frontline security alerts in SIEMS and beyond EDR solutions\r\nWebinar on Ransomware\r\nJoin us on Tuesday, June 8 at 10 a.m. Pacific/1 p.m. Eastern for the Ransomware Loitering Presents an\r\nOpportunity for Network Detection webinar. Bassam Khan, VP of Product and Technical Marketing at Gigamon,\r\nwill explore how ransomware loitering lets security analysts use network detection and response capabilities to\r\ndiscover malicious activity between initial compromise and encryption.\r\nSource: https://blog.gigamon.com/2021/05/17/tracking-darkside-and-ransomware-the-network-view/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.gigamon.com/2021/05/17/tracking-darkside-and-ransomware-the-network-view/"
	],
	"report_names": [
		"tracking-darkside-and-ransomware-the-network-view"
	],
	"threat_actors": [
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438976,
	"ts_updated_at": 1775826730,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/35a840dd6b7d802d912c0977430c8da18d1eb771.pdf",
		"text": "https://archive.orkl.eu/35a840dd6b7d802d912c0977430c8da18d1eb771.txt",
		"img": "https://archive.orkl.eu/35a840dd6b7d802d912c0977430c8da18d1eb771.jpg"
	}
}