Darkside ransomware Threat Intelligence Advisory
Published 07 April 2021
- Darkside ransomware resurfaces on the dark web, involved in a new campaign.
- The latest campaign by the operators looks to spread a variant of the original Darkside ransomware, Darkside 2.0.
|Every industry except Healthcare, Education, and Non-profit|
The Darkside ransomware, initially discovered in August 2020, has resurfaced on the dark web and its operators are now active on underground forums. Through their posts, they have launched a new campaign that involves the latest variant of the ransomware, namely Darkside 2.0. This version sports updated software infrastructure and better capabilities.
The group responsible for the ransomware has explicitly stated that they will not target hospitals, schools, universities, and non-profit organizations. However, they attack English-speaking countries and avoid countries that were a part of the Soviet Union. The ransomware even deletes services such as vss, sql, svc, memtas, mepocs, sophos, veeam, and backup, which are responsible for security and backup.
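One way to hunt for the service-deletion behaviour described above, as an added example that is not part of the original advisory: it flags hosts where several services matching the listed names are stopped or deleted in a short burst. The telemetry format, host names, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Name fragments listed in this advisory; "svc" is broad, hence the burst threshold.
TARGET_SUBSTRINGS = ("vss", "sql", "svc", "memtas", "mepocs", "sophos", "veeam", "backup")
WINDOW = timedelta(minutes=5)  # assumed burst window
THRESHOLD = 3                  # assumed: distinct matching services per host

# Constructed sample telemetry (hypothetical format): timestamp,host,action,service
SAMPLE_EVENTS = """\
2021-04-07T02:14:05,FS01,stopped,VSS
2021-04-07T02:14:07,FS01,deleted,VSS
2021-04-07T02:14:09,FS01,deleted,MSSQLSERVER
2021-04-07T02:14:12,FS01,deleted,VeeamBackupSvc
2021-04-07T02:14:15,FS01,deleted,Sophos Agent
2021-04-07T09:31:00,WS22,stopped,MSSQLSERVER
malformed line without enough fields
2021-04-07T11:00:00,DB02,stopped,MSSQLSERVER
2021-04-07T13:00:00,DB02,stopped,SQLWriter
2021-04-07T15:00:00,DB02,deleted,VSS
"""

def matched_substring(service):
    name = service.lower()
    return next((s for s in TARGET_SUBSTRINGS if s in name), None)

def parse(text):
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            continue  # skip malformed records instead of failing the hunt
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        if parts[2] in ("stopped", "deleted") and matched_substring(parts[3]):
            yield when, parts[1], parts[3]

def detect_bursts(text, window=WINDOW, threshold=THRESHOLD):
    """Return {host: services} where >= threshold distinct targets fall in one window."""
    by_host = defaultdict(list)
    for when, host, service in sorted(parse(text)):
        by_host[host].append((when, service))
    alerts = {}
    for host, events in by_host.items():
        for i, (start, _) in enumerate(events):
            services = {svc for t, svc in events[i:] if t - start <= window}
            if len(services) >= threshold:
                alerts[host] = sorted(services)
                break
    return alerts
```

On the constructed sample only FS01 is flagged: WS22 has a single matching stop, and DB02's three matching events are spread over hours rather than one window.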
Darkside 1.0 Campaign in Brief
- The campaign used custom Salsa20 matrix and RSA-1024 encryption algorithms.
- It used the COM interface to bypass UAC so as to elevate privileges.
- The ransomware even deleted services such as vss, sql, svc, memtas, mepocs, sophos, veeam, and backup, which are responsible for security and backup.
- The operators demanded ransoms between $200,000 and $2,000,000.
- The decryption key was leaked and victims refused to pay the ransom. The locked data was decrypted using security tools.
Indicators of Compromise
- F87a2e1c3d148a67eaeb696b1ab69133 [md5]
Darkside 2.0 Campaign
In March 2020, Darkside launched a new affiliate program to further a second ransomware campaign with updated code features for both Windows and Linux platforms. The call for affiliates indicates that the encryption is now faster and more secure, with Active Directory integration. CIS countries including Georgia and Ukraine have been deliberately excluded.
- Secure RDP endpoints with complex passwords that are difficult to bruteforce.
- Patch vulnerabilities in internet-facing assets, on time.
- Strict segmentation and isolation of networks using firewalls and IDPS.
- Educate users/employees on cyber hygiene.
- Proper endpoint monitoring to detect anomalies in ingress and egress traffic.
(Edited on: 26.05.2021)
Indicators of Compromise