DarkSide ransomware is a novel ransomware strain involved in high-profile incidents. Its attacks lead to data theft and encryption, causing significant damage to victims.

10 August, 2020
First seen
7 June, 2024
Last seen

How to analyze DarkSide with ANY.RUN

What is DarkSide Ransomware

DarkSide is a cybercriminal group — and a ransomware of the same name — believed to have originated from Eastern Europe.

DarkSide operates as a Ransomware-as-a-Service (RaaS) — essentially, it is offered to affiliates who then conduct the attacks. These affiliates, vetted through an interview process, reportedly agree to a revenue split of 25% for ransoms under $500,000, and 10% for amounts exceeding $5 million. In exchange, they gain access to the control panel.

DarkSide's code is not publicly accessible and bears similarities to another notorious ransomware threat — REvil. This correlation could suggest that DarkSide is either a derivative or a partner of REvil. Both groups have their origins in the ex-USSR, employ similar techniques and tactics, and use similarly structured ransom notes.

Like most threats originating from the Commonwealth of Independent States (CIS), DarkSide conducts a pre-attack check to ensure that the potential victim is not located in ex-USSR territories or Arab states. This is achieved by checking the system language settings. The kill switch is activated if the language setting is set to:

  • Russian
  • Ukrainian
  • Belarusian
  • Tajik
  • Armenian
  • Azerbaijani
  • Georgian
  • Kazakh
  • Kyrgyz
  • Turkmen
  • Uzbek
  • Tatar
  • Moldovan Romanian
  • Syrian Arabic

Note that the ANY.RUN interactive cloud sandbox enables you to set the system language — among other settings — before launching a virtual machine. This can help you observe how DarkSide behaves under different device configurations.


When it comes to victim geography, DarkSide primarily targets the US, with Canada, France, Belgium, and other Western European countries following closely. This threat is notorious for executing high-profile attacks across various business sectors. It's worth noting, however, that DarkSide steers clear of targeting charitable organizations, healthcare facilities, educational institutions, and non-profits, presumably adhering to an internal code of conduct.

Some of the most notable incidents DarkSide was involved in include the Colonial Pipeline ransomware attack in May 2021. This attack led to a voluntary shutdown of a pipeline supplying 45% of fuel to the East Coast of the United States. The group extorted about 75 Bitcoin, nearly $5 million. Another notable incident is the ransomware attack on the IT managed services provider CompuCom in March 2021. This attack resulted in over $20 million in restoration expenses, causing significant financial damage to the company.

DarkSide Ransomware technical details

After DarkSide ransomware gains initial access, it establishes command and control primarily through an RDP client over port 443, routed through TOR. Some samples may use Cobalt Strike as a secondary command and control mechanism, with customized stagers deployed on targeted devices.

The group uses various tools such as Advanced IP Scanner, PsExec, and Mimikatz to scan networks, run commands, and steal credentials. After this reconnaissance phase, an Active Directory reconnaissance tool is used to gather additional information about users, groups, and privileges.

The attackers mine credentials from user profile folders and use a script named Invoke-mimikatXz.ps1 to extract credentials from servers. Once domain admin credentials are obtained, they perform a DCSync attack to replicate AD information, gaining access to password data for the entire domain.
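The DCSync step described above leaves a trace on the domain controller side. The following is an added example (not ANY.RUN's code and not part of the original article) that scans constructed, simplified Event ID 4662 records for accounts other than domain controllers requesting the two directory-replication control-access rights; the two GUIDs are the standard Active Directory extended rights, while the account names, the allow-list and the record format are assumptions made for the example.

```python
import re
from typing import Dict, List

# Control-access-right GUIDs that a DCSync replication request needs
# (standard AD extended rights "DS-Replication-Get-Changes" and "-All").
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}

# Accounts expected to replicate: DC machine accounts and, in this constructed
# environment, an assumed directory-sync service account. Tune per domain.
ALLOWED_ACCOUNTS = {"DC01$", "DC02$", "MSOL_sync_svc"}

# Constructed, simplified 4662 events (one key=value record per line);
# real events are XML, this flattening only keeps the fields the check needs.
SAMPLE_EVENTS = """\
id=4662 subject=CORP\\DC02$ object=DC=corp,DC=local props={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}
id=4662 subject=CORP\\jsmith object=DC=corp,DC=local props={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
id=4662 subject=CORP\\jsmith object=CN=Users,DC=corp,DC=local props={bf967aba-0de6-11d0-a285-00aa003049e2}
id=4624 subject=CORP\\jsmith logon_type=3
"""

EVENT_RE = re.compile(r"id=(\d+) subject=(\S+) object=(\S+) props=(.*)")
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


def parse_event(line: str) -> Dict[str, object]:
    """Split one flattened record into id, subject, object and the set of property GUIDs."""
    m = EVENT_RE.match(line)
    if not m:
        return {}
    eid, subject, obj, props = m.groups()
    return {"id": int(eid), "subject": subject, "object": obj,
            "guids": set(GUID_RE.findall(props.lower()))}


def find_dcsync(events: str) -> List[Dict[str, object]]:
    """One alert per 4662 event where a non-replication account asks for replication rights."""
    alerts = []
    for line in events.splitlines():
        ev = parse_event(line)
        if not ev or ev["id"] != 4662:
            continue
        rights = ev["guids"] & set(REPLICATION_RIGHTS)
        if not rights:
            continue                      # ordinary object access, not replication
        account = ev["subject"].split("\\")[-1]
        if account in ALLOWED_ACCOUNTS:
            continue                      # DCs and the sync account are expected to replicate
        alerts.append({"account": account, "object": ev["object"],
                       "rights": sorted(REPLICATION_RIGHTS[g] for g in rights)})
    return alerts
```

Running find_dcsync(SAMPLE_EVENTS) flags only the jsmith request against the domain naming context; the DC02$ replication and the unrelated property read are ignored.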

The group uses an active Windows server as a hub to store data before exfiltration. Data from servers is compressed into 7zip archives with a simple naming convention. They also relax permissions on file systems to access files with any domain user account.

Figure: workstation's desktop after the DarkSide infection

Before deploying ransomware, DarkSide maps the environment, exfiltrates data, gains control of privileged accounts, and identifies backup systems, servers, and applications. The ransomware code is delivered through established backdoors and is customized for each victim. The ransomware evades signature-based detection mechanisms by using unique executables and extensions and employs anti-forensics and anti-debugging techniques.

The ransomware first copies itself to a temporary path and injects its code into an existing process. If it detects a debugger or a virtual machine, it stops. The ransomware then dynamically loads its libraries to avoid detection by AV and EDR solutions.

The malware deletes the shadow copies on the victim device using an obfuscated PowerShell command. After the deletion, the malware closes specific processes to avoid locked files and begins its encryption routine, appending an 8-character string to the end of the encrypted file names. It avoids encrypting files with certain extensions and creates a ransom instructions file for decryption.
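The shadow copy deletion above is a reliable detection point because the command has to pass through a process creation or script block log. The following is an added example (not ANY.RUN's code and not part of the original article) that unwraps a PowerShell command line and checks it for shadow copy removal. It assumes the obfuscation is Base64 -EncodedCommand plus [char] concatenation; the command lines are constructed, as Sysmon Event ID 1 or Windows 4688 would record them.

```python
import base64
import re
from typing import Dict, List, Optional

# Indicators of Volume Shadow Copy removal, whichever wrapper launches them.
SHADOW_PATTERNS: Dict[str, re.Pattern] = {
    "wmi-shadowcopy": re.compile(r"win32_shadowcopy", re.I),
    "vssadmin-delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "wmic-shadowcopy": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
}
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent or undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def normalize(script: str) -> str:
    """Undo cheap obfuscation: resolve [char]NN+ concatenation and drop quote/paren noise."""
    text = re.sub(r"\[char\]\s*(\d+)\s*\+?", lambda m: chr(int(m.group(1))), script, flags=re.I)
    return re.sub(r"['\"()`]", "", text)


def shadow_copy_hits(cmdline: str) -> List[str]:
    """Names of shadow-copy-deletion indicators found in the command line after unwrapping."""
    views = [cmdline]
    decoded = decode_encoded_command(cmdline)
    if decoded:
        views.append(normalize(decoded))
    return sorted({name for text in views
                   for name, pat in SHADOW_PATTERNS.items() if pat.search(text)})


def _encode(script: str) -> str:
    """Helper used only to build the constructed samples the way PowerShell expects them."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed command lines: plain WMI deletion, [char]-obfuscated vssadmin, benign.
SAMPLE_CMDLINES = [
    "powershell.exe -ep bypass -enc " + _encode(
        "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"),
    "powershell.exe -enc " + _encode(
        "iex ([char]118+[char]115+[char]115+[char]97+[char]100+[char]109+[char]105+[char]110"
        "+' delete shadows /all')"),
    "powershell.exe -Command Get-Date",
]
```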

Analyzing a DarkSide ransomware sample in ANY.RUN

The execution process of DarkSide is typical for ransomware. For comparison, you may take a look at other popular families such as Phobos or Maze. First, the executable file makes its way into the infected system and runs, then the main malicious activity begins. After the start of execution, the ransomware may delete shadow copies and stop the execution of security software. When all targeted files have been encrypted, DarkSide drops a ransom note and changes the desktop wallpaper, as in the following sample.

Figure: DarkSide's ransom note

DarkSide Ransomware distribution

DarkSide ransomware primarily distributes through phishing campaigns and leverages Remote Desktop Protocol (RDP) abuse and known vulnerabilities for initial access.

Ransomware operators employ social engineering and highly targeted spear phishing campaigns to trick users into downloading malicious content. Alternatively, they are known to exploit weakly secured RDP endpoints. The group also targets unpatched servers and remotely exploitable systems, sometimes accessing Virtual Desktop Infrastructure (VDI) via compromised contractor accounts.

DarkSide Ransomware: conclusions

As early as May 2021, the DarkSide group announced that they had lost access to part of their hacking infrastructure due to "significant pressure from the U.S.," pledging to shut down their operations.

However, if the similarities with REvil (and by extension GandCrab, its precursor) indeed indicate a connection between these groups, it is highly improbable that DarkSide's ransomware activities will diminish.

We will likely continue to observe the use of this ransomware code, making the study of the tactics and techniques deployed by this operation vitally important.

To expedite your results — like acquiring strings and malware configurations — consider analyzing DarkSide samples in ANY.RUN. Our cloud malware sandbox can detect this threat and extract its configuration automatically, saving you hours of manual deobfuscation and code reversal. You can also experiment with system configurations to observe how this threat behaves under different conditions.

Ready to give it a shot? Create a free ANY.RUN account.
