DarkSide ransomware has been around since August 2020, but it only hit the headlines when the cyber gang behind it forced the Colonial Pipeline Company to halt pipeline operations. The attackers breached the company's network, forcing Colonial to stop pipeline operations and eventually to pay a ransom of $5 Million.
After the Colonial Pipeline breach, as well as a number of other successful attacks earning them at least $90 Million, members of the DarkSide group supposedly went their separate ways. But once a malicious infrastructure, always a malicious infrastructure (in most cases anyway). ThreatSTOP is constantly monitoring DarkSide-related infrastructure, and our team has seen constant activity on DarkSide domains.
Earlier this month, we posted about a wave of blocked communication attempts between devices protected by ThreatSTOP and the domains fotoeuropa[.]ro and catsdegree[.]com. Since then, we have seen further waves of connection attempts involving four other domains also related to DarkSide: lagrom[.]com, gosleepaddict[.]com, securebestapp20[.]com and kgtwiakkdooplnihvali[.]com. Across these six domains, our customer logs show an accumulated 16+ Million blocked connection attempts. All of these domains are active in our threat targets, which include aggregated threat intelligence from numerous sources.
Image: ThreatSTOP CheckIOC
We recommend blocking all inbound AND outbound traffic to IOCs related to DarkSide (see list below). If the attackers somehow manage to breach your network, don't let their malware exfiltrate your data. Blocking outbound traffic is a critical layer of defense against cyber attacks.
DarkSide Infrastructure Domains
athaliaoriginals[.]com
auth[.]athaliaoriginals[.]com
baa[.]stage[.]8886370[.]pop[.]athaliaoriginals[.]com
caa[.]stage[.]8886370[.]pop[.]athaliaoriginals[.]com
iaa[.]stage[.]8886370[.]pop[.]athaliaoriginals[.]com
imap[.]athaliaoriginals[.]com
baroquetees[.]com
catsdegree[.]com
ctxinit[.]azureedge[.]net
darksidedxcftmqa[.]onion
darksidfqzcuhtk2[.]onion
fotoeuropa[.]ro
gosleepaddict[.]com
ironnetworks[.]xyz
kgtwiakkdooplnihvali[.]com
koliz[.]xyz
lagrom[.]com
los-web[.]xyz
openmsdn[.]xyz
rumahsia[.]com
securebestapp20[.]com
skolibri13[.]azureedge[.]net
sol-doc[.]xyz
yeeterracing[.]com
7cats[.]ch
DarkSide Infrastructure IPs
104[.]193[.]252[.]197
108[.]62[.]118[.]232
159[.]65[.]225[.]72
162[.]244[.]34[.]152
162[.]244[.]81[.]253
176[.]123[.]2[.]216
185[.]105[.]109[.]19
185[.]180[.]197[.]86
185[.]203[.]116[.]28
185[.]203[.]116[.]7
185[.]203[.]117[.]159
185[.]243[.]214[.]107
185[.]92[.]151[.]150
192[.]3[.]141[.]157
198[.]54[.]117[.]197
198[.]54[.]117[.]199
212[.]109[.]221[.]205
213[.]252[.]247[.]18
23[.]95[.]85[.]176
45[.]14[.]12[.]108
45[.]147[.]197[.]220
45[.]61[.]138[.]171
45[.]84[.]0[.]127
46[.]166[.]128[.]144
51[.]210[.]138[.]71
80[.]209[.]241[.]4
81[.]91[.]177[.]54
Protect against this threat by adding the indicators above to your network perimeter access rules and protective DNS rules. Preventing communication with these IP addresses and domains, and identifying the machines that need remediation, will prevent damage and losses from this ransomware. ThreatSTOP automates this for companies and security teams like yours.
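To show what "add the indicators to your perimeter and protective DNS rules, then find the machines needing remediation" looks like in practice, here is an added example (not ThreatSTOP's code or product). It refangs a subset of the defanged indicators from the lists above, renders a BIND RPZ zone that sinkholes the domains and a nftables set that drops traffic to or from the IPs in both directions, and then scans constructed BIND-style query log lines to list internal hosts that looked up a listed domain. The zone name, the nftables table and set names, and the log lines are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Indicators taken from the blog post's lists, kept defanged ("[.]") as
# published. A subset is embedded to keep the example short; the full
# domain and IP lists work the same way.
DARKSIDE_IOCS = [
    "fotoeuropa[.]ro", "catsdegree[.]com", "lagrom[.]com",
    "gosleepaddict[.]com", "securebestapp20[.]com",
    "kgtwiakkdooplnihvali[.]com",
    "baa[.]stage[.]8886370[.]pop[.]athaliaoriginals[.]com",
    "darksidedxcftmqa[.]onion",
    "104[.]193[.]252[.]197", "185[.]203[.]116[.]7", "45[.]14[.]12[.]108",
]

# Constructed BIND-style query log lines (not real customer logs).
SAMPLE_DNS_LOG = [
    "01-Jun-2021 10:14:02.113 queries: info: client 10.0.5.23#51234 (lagrom.com): query: lagrom.com IN A + (10.0.0.2)",
    "01-Jun-2021 10:14:05.220 queries: info: client 10.0.5.23#51240 (www.example.com): query: www.example.com IN A + (10.0.0.2)",
    "01-Jun-2021 10:15:41.007 queries: info: client @0x7f3c2c0a1d40 10.0.7.4#40022 (mail.catsdegree.com): query: mail.catsdegree.com IN A + (10.0.0.2)",
    "01-Jun-2021 10:16:09.551 queries: info: client 10.0.9.9#33000 (notlagrom.com): query: notlagrom.com IN A + (10.0.0.2)",
]

# Matches both the classic "client 10.0.0.1#1234" and the newer
# "client @0x... 10.0.0.1#1234" BIND query-log forms.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+ .*?query: (?P<qname>\S+) IN "
)


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its usable form."""
    return ioc.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def split_iocs(iocs):
    """Split a mixed indicator list into (domains, ips), both as sets of refanged strings."""
    domains, ips = set(), set()
    for raw in iocs:
        value = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value)
    return domains, ips


def rpz_zone(domains):
    """Render a BIND RPZ zone returning NXDOMAIN for each domain and its subdomains.
    Zone name (assumed: rpz.darkside.local) is set in the named.conf that loads it."""
    lines = [
        "$TTL 300",
        "@ IN SOA localhost. root.localhost. 1 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for d in sorted(domains):
        lines.append(f"{d} CNAME .")      # exact name -> NXDOMAIN
        lines.append(f"*.{d} CNAME .")    # any subdomain -> NXDOMAIN
    return "\n".join(lines) + "\n"


def nft_set(ips, name="darkside_c2"):
    """Render an nftables snippet: one IPv4 set plus drop rules in both directions
    (table and set names are assumptions for the example)."""
    elems = ", ".join(sorted(ips, key=ipaddress.ip_address))
    return "\n".join([
        "table inet darkside {",
        f"  set {name} {{",
        "    type ipv4_addr",
        f"    elements = {{ {elems} }}",
        "  }",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        f"    ip saddr @{name} counter drop",
        "  }",
        "  chain output {",
        "    type filter hook output priority 0; policy accept;",
        f"    ip daddr @{name} counter drop",
        "  }",
        "}",
    ]) + "\n"


def hosts_to_remediate(log_lines, domains):
    """Return {source_ip: [queried names]} for hosts that looked up a listed
    domain or one of its subdomains (suffix match on a label boundary)."""
    hits = defaultdict(set)
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").lower().rstrip(".")
        if any(qname == d or qname.endswith("." + d) for d in domains):
            hits[m.group("src")].add(qname)
    return {src: sorted(names) for src, names in sorted(hits.items())}


if __name__ == "__main__":
    doms, addrs = split_iocs(DARKSIDE_IOCS)
    print(rpz_zone(doms))
    print(nft_set(addrs))
    for host, names in hosts_to_remediate(SAMPLE_DNS_LOG, doms).items():
        print(f"remediate {host}: queried {', '.join(names)}")
```

The label-boundary check in hosts_to_remediate matters: a plain substring or suffix test would flag notlagrom.com as a hit for lagrom.com, while missing the wildcard records in the RPZ zone would leave subdomains such as mail.catsdegree.com resolvable. The nftables snippet is a stand-alone table so it can be loaded with nft -f without touching existing chains; merge the set into your own input/output chains if you already filter there.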
For more information about the DarkSide gang, see our earlier blog post.
Ready to try ThreatSTOP in your network? Want an expert-led demo to see how it works?