Darkside ransomware Threat Intelligence Advisory

Published 07 April 2021


  • Darkside ransomware has resurfaced on the dark web and is involved in a new campaign.
  • The latest campaign by the operators looks to spread a variant of the original Darkside ransomware, Darkside 2.0.


Advisory Type
Adversary Intelligence
Adversary 
Darkside Ransomware
Affected Industry
Every industry except Healthcare, Education, and Non-profit
TLP
GREEN


Executive Summary 

The Darkside ransomware, initially discovered in August 2020, has resurfaced on the dark web and its operators are once again active on underground forums. In these posts they announce a new campaign built around the latest variant of the ransomware, Darkside 2.0, which sports updated infrastructure and expanded capabilities.

The group responsible for the ransomware has explicitly stated that it will not target hospitals, schools, universities, or non-profit organizations. Its targets are primarily in English-speaking countries, and it avoids countries that were part of the former Soviet Union. Before encrypting files, the ransomware also deletes services such as vss, sql, svc, memtas, mepocs, sophos, veeam, and backup, which are responsible for security and backups, so that neither security software nor backups can interfere with encryption.


Darkside 1.0 Campaign in Brief
  • The campaign encrypted files with Salsa20 using a custom matrix, and protected the file keys with RSA-1024.
  • It used a COM interface to bypass UAC and elevate privileges.
  • Before encryption, the ransomware deleted services such as vss, sql, svc, memtas, mepocs, sophos, veeam, and backup, which are responsible for security and backups.
  • The operators demanded ransoms of between $200,000 and $2,000,000.
  • The decryption key was leaked and victims refused to pay the ransom; the locked data was recovered using security tools.
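The service-termination behaviour described in the executive summary and in the bullet above, as an added detection example that is not part of the advisory: it runs over a constructed set of Windows System-log records shaped like Event ID 7036 ("The <service> service entered the stopped state") and raises an alert when several watched services stop within a short window, which is what a pre-encryption sweep looks like and what routine maintenance does not. The watchlist is the advisory's own list; matching service names by case-insensitive substring, the 60-second window and the threshold of three distinct services are assumptions.

```python
"""Detect a burst of watched-service stops (added example, not advisory code).

Input is a constructed list of records shaped like Windows System-log
Event ID 7036. The watchlist comes from the advisory; substring matching,
the window and the threshold are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Service name fragments named in the advisory.
WATCHLIST = ("vss", "sql", "svc", "memtas", "mepocs", "sophos", "veeam", "backup")


@dataclass
class ServiceEvent:
    ts: datetime
    event_id: int   # 7036 = service state change in the System log
    service: str    # service display name as recorded in the 7036 message
    state: str      # "running" or "stopped"


def is_watched(service_name: str) -> bool:
    """Case-insensitive substring match against the watchlist (assumed)."""
    name = service_name.lower()
    return any(frag in name for frag in WATCHLIST)


def find_service_stop_bursts(events, window=timedelta(seconds=60),
                             threshold=3) -> List[Tuple[datetime, List[str]]]:
    """Return (burst_start, [services]) for every burst in which at least
    `threshold` distinct watched services stopped within `window`.
    Each burst is reported once."""
    stops = sorted(
        (e for e in events
         if e.event_id == 7036 and e.state == "stopped" and is_watched(e.service)),
        key=lambda e: e.ts,
    )
    alerts = []
    i = 0
    while i < len(stops):
        seen = {}
        j = i
        while j < len(stops) and stops[j].ts - stops[i].ts <= window:
            seen.setdefault(stops[j].service, stops[j].ts)
            j += 1
        if len(seen) >= threshold:
            alerts.append((stops[i].ts, sorted(seen)))
            i = j  # skip past the burst so it is not re-reported
        else:
            i += 1
    return alerts


# Constructed sample log (not real telemetry); timestamps are arbitrary.
T0 = datetime(2021, 4, 6, 2, 14, 0)
SAMPLE_EVENTS = [
    ServiceEvent(T0 - timedelta(hours=3), 7036, "Spooler", "stopped"),   # not watched
    ServiceEvent(T0 - timedelta(hours=1), 7036, "VSS", "stopped"),       # isolated, benign
    ServiceEvent(T0, 7036, "VSS", "stopped"),
    ServiceEvent(T0 + timedelta(seconds=2), 7036, "MSSQLSERVER", "stopped"),
    ServiceEvent(T0 + timedelta(seconds=3), 7036, "VeeamBackupSvc", "stopped"),
    ServiceEvent(T0 + timedelta(seconds=5), 7036, "Sophos AutoUpdate Service", "stopped"),
    ServiceEvent(T0 + timedelta(seconds=7), 7036, "WinDefend", "stopped"),  # not on the list
]

if __name__ == "__main__":
    for start, services in find_service_stop_bursts(SAMPLE_EVENTS):
        print(f"ALERT {start.isoformat()}: {len(services)} watched services stopped: {services}")
```

The single isolated VSS stop an hour earlier produces no alert; the four watched services stopped within seven seconds of T0 do. In a real deployment the same logic applies to process-creation telemetry showing `net stop` or `sc delete` against these names, which is the form the deletion usually takes on the host.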


Indicators of Compromise

  • F87a2e1c3d148a67eaeb696b1ab69133 [md5]
  • 9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297 [sha256]
  • LOG.{userid}.txt [log file dropped by the ransomware]
  • README.{userid}.txt [ransom note]
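A sweep for the file-based indicators listed above, as an added example that is not part of the advisory: it hashes every file under a directory tree and compares against the listed MD5 and SHA-256 values, and flags file names of the form LOG.{userid}.txt or README.{userid}.txt. The advisory does not say what {userid} looks like, so treating it as a run of letters and digits is an assumption. The hashes in the code are the advisory's; the constructed tree built by run_demo() is for a stand-alone run and is matched by its own hashes, since the real sample is not present.

```python
"""Sweep a directory tree for the advisory's file IoCs (added example).

Hashes below are the advisory's. The dropped-file name pattern is the
advisory's; the {userid} shape is assumed. Files built by run_demo() are
constructed stand-ins, not real artefacts.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

DARKSIDE_MD5 = {"f87a2e1c3d148a67eaeb696b1ab69133"}
DARKSIDE_SHA256 = {"9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297"}

# LOG.{userid}.txt / README.{userid}.txt; {userid} assumed alphanumeric.
DROPPED_FILE_RE = re.compile(r"^(?:LOG|README)\.[A-Za-z0-9]+\.txt$")


def file_hashes(path: Path) -> Tuple[str, str]:
    """MD5 and SHA-256 of a file in one chunked pass (large files are fine)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def sweep(root, md5_set=DARKSIDE_MD5, sha256_set=DARKSIDE_SHA256,
          name_re=DROPPED_FILE_RE) -> List[Dict[str, str]]:
    """Walk `root`; return one record per file matching a hash or a name pattern.
    Every regular file is hashed, which is the cost of a hash-based sweep."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        reasons = []
        if name_re.match(p.name):
            reasons.append("dropped-file name")
        try:
            md5, sha = file_hashes(p)
        except OSError:
            continue  # unreadable file: skip it rather than abort the sweep
        if md5 in md5_set:
            reasons.append("md5 match")
        if sha in sha256_set:
            reasons.append("sha256 match")
        if reasons:
            hits.append({"path": str(p), "md5": md5, "sha256": sha,
                         "reasons": ", ".join(reasons)})
    hits.sort(key=lambda h: h["path"])
    return hits


def build_constructed_tree(root: Path) -> None:
    """Write a small constructed tree (stand-ins, not real artefacts)."""
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "docs" / "README.a1b2c3d4.txt").write_text("constructed note stand-in\n")
    (root / "docs" / "notes.txt").write_text("benign file\n")
    (root / "payload.bin").write_bytes(b"test")  # stands in for a sample


def run_demo() -> List[Dict[str, str]]:
    """Sweep the constructed tree. The advisory's hashes are kept in the sets;
    the hashes of the stand-in payload are added so the hash path is exercised."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_tree(root)
        demo_md5 = DARKSIDE_MD5 | {hashlib.md5(b"test").hexdigest()}
        demo_sha = DARKSIDE_SHA256 | {hashlib.sha256(b"test").hexdigest()}
        hits = sweep(root, md5_set=demo_md5, sha256_set=demo_sha)
        return [{**h, "path": Path(h["path"]).relative_to(root).as_posix()} for h in hits]


if __name__ == "__main__":
    for hit in run_demo():
        print(f"{hit['path']}: {hit['reasons']} (md5={hit['md5']})")
```

Against a live host, call sweep() on the volume roots with the default sets; a hash hit identifies the 1.0 sample itself, while a name hit identifies a host that has already been encrypted, so the two findings call for different responses.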


Darkside 2.0 Campaign

In March 2021, Darkside announced a new affiliate program to drive a second ransomware campaign, with updated code for both Windows and Linux platforms. The call for affiliates claims faster and more secure encryption, along with Active Directory integration. CIS countries, together with Georgia and Ukraine, are deliberately excluded from targeting.

Screenshot of affiliate programs, ransomware features and updates


Mitigations

  • Secure RDP endpoints with strong, unique passwords that resist brute-forcing, and do not expose RDP directly to the internet.
  • Patch vulnerabilities in internet-facing assets promptly.
  • Strictly segment and isolate networks using firewalls and IDPS.
  • Educate users and employees on cyber hygiene.
  • Monitor endpoints to detect anomalies in ingress and egress traffic.
  • Keep offline or otherwise isolated backups, since the ransomware specifically deletes backup and shadow-copy services before encrypting.
