Security Researchers Released Detail Analysis On DarkSide Ransomware Attacks

Security researchers have released a detailed 

 of DarkSide ransomware attacks. The DarkSide campaign uses customized ransomware executables for different targets with Salsa20 with the custom matrix and RSA-1024 encryption algorithms. The operators behind the DarkSide ransomware harvest the data in clear text from the victim’s server before encrypting it. The plain text data stolen is then uploaded to DarkSide’s leak website, which is used as a powerful extortion tool. Let’s see what analysis tells about the DarkSide ransomware attacks in this article.

What Is The DarkSide Ransomware?

“Ransomware is designed to encrypt the victim’s files to extort and ransom for their recovery. DarkSide is a ransomware-as-a-service(RaaS)–the developers of the ransomware received a share of the proceeds from the cybercriminal actors who deploy it, known as “affiliates.” This DarkSide ransomware variant executes a dynamic-link library (DLL) program used to delete Volume Shadow copies available on the system. The malware collects, encrypts, and sends system information to the threat actor’s command and control (C2)domains and generates a ransom note to the victim.

According to the analysis of DarkSide ransomware attacks, the malware collects information which includes the operating system, username, hostname, domain, default language, and operating system (OS) architecture.

Where Does DarkSide Ransomware Originate?

In Aug 2020, the DarkSide ransomware group announced RaaS (Ransome as a Service) through a press release. They are running the DarkSide Inc like a professional organization. They call their victims ‘clients’. They provide web chat support to victims to recover their data. The group will carry out a detailed analysis of the victim’s financial data before the attack to set the ransom amount.

The research also revealed that Darkside’s malware would check victim’s device language settings to ensure they don’t attack Russia-based organizations. They have posted about their interests in hiring Russian-speaking partners in many Q&A forums. This would make the world think that the DarkSide ransomware could be originated in Russia. 

Did DarkSide Get The Ransom?

Picture #1: DarkSide ransomware attack message

Yes. DarkSide ransomware drops a text note with the name ‘README.<UniqueID>.TXT’ in each encrypted directory. The note contains the instructions for the user to recover files. Here you can see an example of recovery instructions. The note just tells about the recovery process. You may not see about the ransom demand. DrakSide has no standard ransom policy. It all depends on the type of victim. They have made a public announcement that hospitals, schools, non-profits, and governments are not in their attack interest. However, they try targeting big organizations that can afford to pay large ransoms.

Picture #2: DarkSide ransomware attack message

What Stealth Techniques Used In DarkSide Ransomware Attacks?

DarkSide ransomware attack campaigns are known for their stealth techniques to evade detection. Some common stealth techniques are:

How Does DarkSide Ransomware Attack Work?

The anatomy of DarkSide ransomware attacks is not simple enough to tell. DarkSide ransomware uses custom codes, payloads, tools, and tactics with different victims. We tried to describe its work in simple steps. If you want to see the DarkSide ransomware attacks in detail, please visit this page.