Ransomware Profile: DarkSide

DarkSide Profile

DarkSide is a ransomware strain that primarily targets large organizations in the private sector. The group has been highly active since it emerged in August 2020 and has already claimed hundreds of victims, with ransom demands typically falling in the six- and seven-figure range. DarkSide operates with a thin veneer of professionalism and follows corporate-style processes similar to those found in legitimate enterprises. 

darkside ransomware submissions

Number of DarkSide submissions to ID Ransomware.

Since DarkSide was first observed, there have been 114 submissions to ID Ransomware, an online tool that helps the victims of ransomware identify which ransomware has encrypted their files (not that not all victims use ID Ransomware, so this number should not be taken to be the total number of successful attacks.) During this time, the group has also published on its leak site the stolen data of more than 80 organizations which presumably refused to pay the demand. 

What is DarkSide?

DarkSide is a ransomware variant that encrypts files using SALSA20 and RSA-1024 encryption and demands a ransom typically ranging from $200,000 to $2,000,000 for their decryption. The group claims that their encryption methods are the fastest on the market, with versions of the ransomware available for both Windows and Linux environments. As with many other ransomware groups, DarkSide utilizes double extortion, whereby threat actors not only encrypt the target’s data, but also exfiltrate and threaten to release it if the ransom demand is not paid. 

DarkSide operates under the ransomware-as-a-service (Raas) model, whereby affiliates receive a portion of ransom payments in exchange for dropping the malware onto victims’ networks. DarkSide affiliates earn 75 percent to 90 percent of the ransom payments they generate, with the remaining portion going to the DarkSide group. 

DarkSide takes many of its operational cues from legitimate businesses. Much like a real company, the group issues press releases, provides real-time chat support, posts software updates and offers deals to attract new affiliates. The group also claims to enforce a code of conduct which prohibits affiliates from targeting certain sectors, performing actions that would cause damage to the reputation of DarkSide, and deploying a competitor’s ransomware in the same campaign.

Like other types of ransomware, DarkSide performs an automatic language check – unusually, using both GetSystemDefaultUILanguage and GetUserDefaultLangID – and will quit without encrypting data if one of the following languages is detected.

For additional technical details, see Chuong Dong’s analysis.

The history of DarkSide 

DarkSide was created by a collective of cybercriminals who claim to have made millions of dollars working as affiliates of other ransomware operations. The group came together to create a new ransomware variant after failing to find the “perfect product” for their needs. DarkSide was extremely active since it was first observed in August 2020, impacting hundreds of organizations across multiple verticals. 

In October 2020, DarkSide announced that the group had donated $10,000 in bitcoin to two charities – Children International and The Water Project. In a blog post published on the dark web, the group wrote: “We think it’s fair that some of the money the companies have paid will go to charity. No matter how bad you think our work is, we are pleased to know that we helped change someone’s life.” As it’s illegal to receive funds obtained as a result of a crime, it’s likely that both donations were seized or returned. 

DarkSide ransom note 

After encrypting the target system, DarkSide drops a customized ransom note titled “README.{userid}.TXT” in all infected directories. The note contains an overview of how much data was stolen, the type of data that was stolen, a link to where the stolen data will be leaked and instructions on how to communicate with DarkSide operators via a TOR browser. 

Decryptor performance 

According to our performance tests, DarkSide’s decryption tool decrypts files at an average of 231.40MB per second, meaning it would take 72 minutes to decrypt 1 TB of encrypted data. In comparison, our Universal Decryptor tool could recover that data in only 27 minutes. 

Our Universal Decryptor can be customized to decrypt almost any type of ransomware, provided that the decryption keys are supplied. The following chart shows the performance of the Emsisoft universal decryptor compared with the decryption tools provided by the Conti, DarkSide, Defray and Ryuk ransomware groups.

Encrypted dataset: 56 GB collection of 2,234 files ranging from 1 byte to 10 GB in size.

Who does DarkSide target?    

Like many other big-game ransomware, DarkSide primarily targets big organizations that have the resources to pay large ransom demands. 

However, unlike most other ransomware operations, DarkSide prohibits its affiliates from targeting organizations in the public sector. In fact, according to DarkSide’s code of conduct, there’s quite a long list of prohibited targets, including: 

How does DarkSide spread?    

DarkSide infections typically start with the exploitation of a vulnerable remote service. After the network has been breached, attackers establish command and control via an RDP client routed through TOR, and/or Cobalt Strike. In the reconnaissance stage, attackers use well-known tools such as Mimikatz, advanced_ip_scanner.exe and psexec, among others, to steal credentials and spread laterally until domain admin credentials are obtained. 

The ransomware isn’t deployed until the threat actors have mapped out the target environment, exfiltrated data and prepared the system for encryption. The ransomware is delivered in the form of a unique executable customized for the specific organization being attacked. The malware then attempts to delete shadow copies on the target system, terminates processes that could delay encryption and finally begins the encryption process. Encrypted files are appended with a unique extension made using a custom checksum of the victim’s MAC address.

As DarkSide is a RaaS that can be delivered in a multitude of ways, the specific anatomy of an attack can vary from incident to incident. 

Major DarkSide attacks   

How to protect the network from DarkSide and other ransomware  

The following practices may help organizations reduce the risk of a DarkSide incident.    

How to remove DarkSide and other ransomware    

DarkSide uses sophisticated encryption methods that currently make it impossible to decrypt data without paying for an attacker-supplied decryption tool.

Emsisoft Enterprise Security + EDR

Robust and proven endpoint security solution for organizations of all sizes. Start free trial

Victims of DarkSide should be prepared to restore their systems from backups, using processes that should be defined in the organization’s incident response plan. The following actions are recommended:  

Emsisoft Malware Lab

Emsisoft Malware Lab

The Lab team is a group of cybersecurity researchers whose mission is to enhance protection in Emsisoft products, help organizations respond to security incidents and create analysis that helps decision-makers understand the threat landscape.

What to read next