Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

DarkSide

96
Global rank
93 infographic chevron month
Month rank
104 infographic chevron week
Week rank
0
IOCs

DarkSide ransomware is a novel ransomware strain involved in high-profile incidents. Its attacks lead to data theft and encryption, causing significant damage to victims.

Ransomware
Type
Ex-USSR
Origin
10 August, 2020
First seen
22 September, 2025
Last seen

How to analyze DarkSide with ANY.RUN

Type
Ex-USSR
Origin
10 August, 2020
First seen
22 September, 2025
Last seen

IOCs

Hashes
bc32a2ccf158ebe2b76646be865a4c6dd91da6b8e5bb0dd9520102a9bfea5439
2de09a815efcc64810046de69b8e0aa1c9e9beee77b66560a0b15d737485e3c5
f42bcc81c05e8944649958f8b9296c5523d1eb8ab00842d66530702e476561ef
874332105033870e0351d1ea4e9bcb1718cd229a8637643998aba1936c99160d
f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4
1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a
508dd6f7ed6c143cf5e1ed6a4051dd8ee7b5bf4b7f55e0704d21ba785f2d5add
6d656f110246990d10fe0b0132704b1323859d4003f2b1d5d03f665c710b8fd3
1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb
a82aec54cad176b368967fa8e41e41a8129ffafe6ab627312e111e63605b8478
e1a226846bb5504a5a6a69f1dae456b6219c7d95d47a2fec8a7c5e506888851c
cc54647e8c3fe7b701d78a6fa072c52641ac11d395a6d2ffaf05f38f53112556
6931b124d38d52bd7cdef48121fda457d407b63b59bb4e6ead4ce548f4bbb971
0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d
17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61
2c7d10f64dc39ea9bd6f18d9d1e1204f0c62324e8da148354d557bba17e3c615
8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc
6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff
b6855793aebdd821a7f368585335cb132a043d30cb1f8dccceb5d2127ed4b9a4
78782fd324bc98a57274bd3fff8f756217c011484ebf6b614060115a699ee134
URLs
https://temisleyes.com/8lFBwHzt
https://temisleyes.com/Uf2x1fMQxJh
https://securebestapp20.com/0bzwK2ZOAzx
https://securebestapp20.com/B9D9NXMx
Last Seen at

Recent blog posts

post image
ANY.RUN Sandbox & Microsoft Sentinel: Les...
watchers 411
comments 0
post image
Fighting Telecom Cyberattacks: Investigating...
watchers 1808
comments 0
post image
Efficient SOC: How to Detect and Solve Incide...
watchers 912
comments 0

What is DarkSide Ransomware

DarkSide is a cybercriminal group — and a ransomware of the same name — believed to have originated from Eastern Europe.

DarkSide operates as a Ransomware-as-a-Service (RaaS) — essentially, it is offered to affiliates who then conduct the attacks. These affiliates, vetted through an interview process, reportedly agree to a revenue split of 25% for ransoms under $500,000, and 10% for amounts exceeding $5 million. In exchange, they gain access to the control panel.

The DarkSide's code is not publicly accessible and bears similarities to another notorious ransomware threat — REvil. This correlation could suggest that DarkSide is either a derivative or a partner of REvil. Both groups have their origins in the ex-USSR, employ similar techniques and tactics, and use similarly structured ransom notes.

Like most threats originating from the Commonwealth of Independent States (CIS), DarkSide conducts a pre-attack check to ensure that the potential victim is not located in ex-USSR territories or Arabic states. This is achieved by accessing the system languages. The kill switch is activated if the language setting is set to:

  • Russian
  • Ukrainian
  • Belarusian
  • Tajik
  • Armenian
  • Azerbaijani
  • Georgian
  • Kazakh
  • Kyrgyz
  • Turkmen
  • Uzbek
  • Tatar
  • Moldovan Romanian
  • Or Syrian Arabic

Note that ANY.RUN interactive cloud sandbox enables you to set system language —among other settings — before launching a virtual machine. This can help to observe how DarkSide behaves under different device configurations.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

When it comes to victim geography, DarkSide primarily targets the US, with Canada, France, Belgium, and other Western European countries following closely. This threat is notorious for executing high-profile attacks across various business sectors. It's worth noting, however, that DarkSide steers clear of targeting charitable organizations, healthcare facilities, educational institutions, and non-profits, presumably adhering to an internal code of conduct.

Some of the most notable incidents DarkSide was involved in include the Colonial Pipeline ransomware attack in May 2021. This attack led to a voluntary shutdown of a pipeline supplying 45% of fuel to the East Coast of the United States. The group extorted about 75 Bitcoin, nearly $5 million. Another notable incident includes the Ransomware attack on IT managed services provider CompuCom in March 2021. This attack resulted in over $20 million in restoration expenses, causing significant financial damage to the company.

DarkSide Ransomware technical details

After DarkSide ransomware gains initial access, it establishes command and control primarily through an RDP client over port 443, routed through TOR. Some samples may use Cobalt Strike as a secondary command and control mechanism, with customized stagers deployed on targeted devices.

The group uses various tools such as Advanced IP Scanner, psexec, and Mimikatz to scan networks, run commands, and steal credentials. After a reconnaissance phase, an Active Directory reconnaissance tool is used to gather additional information about users, groups, and privileges.

The attackers mine credentials from user profile folders and use a script named Invoke-mimikatXz.ps1 to extract credentials from servers. Once domain admin credentials are obtained, they perform a DCSync attack to replicate AD information, gaining access to password data for the entire domain.

The group uses an active Windows server as a hub to store data before exfiltration. Data from servers is compressed into 7zip archives with a simple naming convention. They also relax permissions on file systems to access files with any domain user account.

DarkSide infection

Workstation’s desktop after the DarkSide infection

Before deploying ransomware, DarkSide maps the environment, exfiltrates data, gains control of privileged accounts, and identifies backup systems, servers, and applications. The ransomware code is delivered through established backdoors and is customized for each victim. The ransomware evades signature-based detection mechanisms by using unique executables and extensions and employs anti-forensics and anti-debugging techniques.

The ransomware first copies itself to a temporary path and injects its code into the existing process. If it detects debugging or VM, it stops. The ransomware then dynamically loads its libraries to avoid detection by AV and EDR solutions.

The malware deletes the shadow copies on the victim device using an obfuscated PowerShell command. After the deletion, the malware closes specific processes to avoid locked files and begins its encryption routine, appending an 8-character string to the end of the encrypted file names. It avoids encrypting files with certain extensions and creates a ransom instructions file for decryption.

Analyzing a Dark Side ransomware sample in ANY.RUN

The execution process of DarkSide is typical for ransomware. For comparison, you may take a look in most popular ones - Phobos or Maze. First, the executable file makes its way into the infected system and runs, then the main malicious activity begins. After the start of execution, the ransomware may delete shadow copies and stop execution of the security software. When all targeted files get encrypted, DarkSide drops a ransom note and changes wallpaper on the desktop, like in the following sample.

Darkside’s ransom note

DarkSide’s ransom note

DarkSide Ransomware distribution

DarkSide ransomware primarily distributes through phishing campaigns and leverages Remote Desktop Protocol (RDP) abuse and known vulnerabilities for initial access.

Ransomware operators employ social engineering and highly targeted spear phishing campaigns to trick users into downloading malicious content. Alternatively, they are known to exploit weakly secured RDP endpoints. The group also targets unpatched servers and remotely exploitable systems, sometimes accessing Virtual Desktop Infrastructure (VDI) via compromised contractor accounts.

DarkSide Ransomware: conclusions

As early as May 2021, the DarkSide group announced that they had lost access to part of their hacking infrastructure due to "significant pressure from the U.S.," pledging to shut down their operations.

However, if the similarities with REvil (and by extension, GandCrab its precursor) indeed indicate a connection between these groups, it is highly improbable that DarkSide's ransomware activities will diminish.

We will likely continue to observe the use of this ransomware code, making the study of the tactics and techniques deployed by this operation vitally important.

To expedite your results — like acquiring strings and malware configurations — consider analyzing DarkSide samples in ANY.RUN. Our cloud malware sandbox can detect this threat and extract its configuration automatically, saving you hours of manual deobfuscation and code reversal. You can also experiment with system configurations to observe how this threat behaves under different conditions.

Ready to give it a shot? Create a free ANY.RUN account a free ANY.RUN account.

HAVE A LOOK AT

Godfather screenshot
Godfather
godfather
The Godfather malware is an Android banking Trojan capable of bypassing MFA that targets mobile banking and cryptocurrency applications. Known for its ability to evade detection and mimic legitimate software, it poses a significant threat to individuals and organizations by stealing sensitive data and enabling financial fraud.
Read More
Botnet screenshot
Botnet
botnet
A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet.
Read More
EvilProxy screenshot
EvilProxy
evilproxy
EvilProxy is a phishing-as-a-service (PhaaS) platform that enables cybercriminals to bypass multi-factor authentication (MFA) and hijack user sessions. It leverages reverse proxy techniques to harvest credentials and session cookies, posing a serious threat to both individuals and enterprises.
Read More
Sliver screenshot
Sliver
sliver
Sliver is an open-source command-and-control (C2) framework that has been increasingly adopted by threat actors as an alternative to tools like Cobalt Strike. Developed by security firm Bishop Fox, Sliver was initially intended for legitimate security testing and red teaming exercises. However, its robust features and open-source nature have made it attractive to malicious actors seeking to control compromised systems.
Read More
Grandoreiro screenshot
Grandoreiro
grandoreiro
Grandoreiro is a Latin American banking trojan first observed in 2016. It targets mostly Spanish-speaking countries, such as Brazil, Spain, Mexico and Peru. This malware is operated as a Malware-as-a-Service (MaaS), which makes it easily accessible for cybercriminals. Besides, it uses advanced techniques to evade detection.
Read More
Havoc screenshot
Havoc
havoc
Havoc is an advanced post-exploitation framework used by hackers to take control of a system once they've breached it. With Havoc, attackers can run commands remotely, inject malicious processes, and access sensitive data. It's often used in targeted attacks, allowing cybercriminals to stay hidden in a network while stealing information or launching further attacks. Its flexibility and ability to bypass detection make it a serious threat, especially in environments that rely on traditional security tools.
Read More