Darkside Ransomware Threat Intelligence Advisory

Published 07 April 2021


  • Darkside ransomware has resurfaced on the dark web and is involved in a new campaign.
  • The operators' latest campaign looks to spread Darkside 2.0, a variant of the original Darkside ransomware.


Advisory Type: Adversary Intelligence
Adversary: Darkside Ransomware
Affected Industry: Every industry except healthcare, education and non-profit
TLP: GREEN


Executive Summary

The Darkside ransomware, first observed in August 2020, has resurfaced on the dark web and its operators are again active on underground forums. Through their posts they have launched a new campaign built around the latest variant of the ransomware, Darkside 2.0, which comes with updated infrastructure and improved capabilities.

The group behind the ransomware has explicitly stated that it will not target hospitals, schools, universities or non-profit organisations. Otherwise its targeting favours English-speaking countries and deliberately avoids countries that were part of the former Soviet Union. The ransomware also deletes services whose names contain any of the strings vss, sql, svc, memtas, mepocs, sophos, veeam or backup, i.e. the services responsible for shadow copies, databases, security products and backups, which hampers recovery after encryption.

Darkside 1.0 Campaign in Brief
  • Files were encrypted with Salsa20 using a custom initial matrix (non-standard constants, so stock Salsa20 tooling does not interoperate), with RSA-1024 protecting the keys.
  • It bypassed UAC through a COM interface to elevate privileges.
  • It deleted services whose names contain vss, sql, svc, memtas, mepocs, sophos, veeam or backup, i.e. those responsible for security and backup.
  • The operators demanded ransoms between $200,000 and $2,000,000.
  • The decryption key was leaked; victims refused to pay, and the locked data was decrypted using security tools.
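The first bullet deserves a concrete illustration. Salsa20's initial 4x4 state carries four constant words on its diagonal (the standard "expand 32-byte k"), and a variant that replaces them produces an unrelated keystream, so a stock Salsa20 decryptor fed the correct key recovers nothing; an analyst writing a decryptor for a sample has to lift the real constants from the binary. The Python below is an added example written for this advisory, not code from the ransomware or from any published decryptor: it implements Salsa20/20 with a selectable diagonal and shows a decryptor-style header check succeeding with the right matrix and failing with the standard one. SIGMA_CUSTOM is an illustrative placeholder, not DarkSide's actual constants, which this page does not give; the key, nonce and plaintext are constructed sample data.

```python
import struct

MASK = 0xFFFFFFFF

# Standard Salsa20 diagonal constants: "expand 32-byte k" as four little-endian words.
SIGMA_STANDARD = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)

# Stand-in for a malware-specific matrix. These values are an assumption made for
# this example; DarkSide's real constants are not given in the advisory.
SIGMA_CUSTOM = (0x6B617244, 0x65646953, 0x7465754E, 0x6C696571)


def rotl(v, c):
    return ((v << c) | (v >> (32 - c))) & MASK


def quarter_round(x, a, b, c, d):
    """Salsa20 quarter-round, applied in place to state words a, b, c, d."""
    x[b] ^= rotl((x[a] + x[d]) & MASK, 7)
    x[c] ^= rotl((x[b] + x[a]) & MASK, 9)
    x[d] ^= rotl((x[c] + x[b]) & MASK, 13)
    x[a] ^= rotl((x[d] + x[c]) & MASK, 18)


def salsa20_block(key, nonce, counter, sigma=SIGMA_STANDARD):
    """One 64-byte Salsa20/20 keystream block for a 32-byte key and 8-byte nonce.

    `sigma` fills the diagonal of the initial matrix. Any change to it gives an
    incompatible cipher, which is what a "custom matrix" amounts to.
    """
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    state = [sigma[0], k[0], k[1], k[2],
             k[3], sigma[1], n[0], n[1],
             counter & MASK, (counter >> 32) & MASK, sigma[2], k[4],
             k[5], k[6], k[7], sigma[3]]
    x = list(state)
    for _ in range(10):                      # 10 double rounds = 20 rounds
        quarter_round(x, 0, 4, 8, 12)        # column round
        quarter_round(x, 5, 9, 13, 1)
        quarter_round(x, 10, 14, 2, 6)
        quarter_round(x, 15, 3, 7, 11)
        quarter_round(x, 0, 1, 2, 3)         # row round
        quarter_round(x, 5, 6, 7, 4)
        quarter_round(x, 10, 11, 8, 9)
        quarter_round(x, 15, 12, 13, 14)
    return struct.pack("<16I", *[(a + b) & MASK for a, b in zip(x, state)])


def salsa20_xor(key, nonce, data, sigma=SIGMA_STANDARD):
    """Encrypt or decrypt `data`: XOR with the keystream is its own inverse."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = salsa20_block(key, nonce, i // 64, sigma)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)


def recovers_header(key, nonce, ciphertext, sigma, magic):
    """Decryptor-style sanity check: does this key/matrix pair bring back the
    expected file header? The wrong matrix fails even with the right key."""
    return salsa20_xor(key, nonce, ciphertext[:64], sigma).startswith(magic)


if __name__ == "__main__":
    key, nonce = bytes(range(32)), bytes(8)      # constructed sample material
    plaintext = b"%PDF-1.7 constructed sample document body, long enough to span two blocks.."
    locked = salsa20_xor(key, nonce, plaintext, SIGMA_CUSTOM)
    print("custom matrix  :", recovers_header(key, nonce, locked, SIGMA_CUSTOM, b"%PDF"))
    print("standard matrix:", recovers_header(key, nonce, locked, SIGMA_STANDARD, b"%PDF"))
```

The quarter-round and matrix layout follow the Salsa20 specification; in a real decryptor the per-victim Salsa20 key would come from the RSA layer, which is the material a leaked private key exposes, and the header check above is how such a tool confirms it has both the key and the right matrix before touching every file.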

Indicators of Compromise

  • f87a2e1c3d148a67eaeb696b1ab69133 [md5]
  • 9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297 [sha256]
  • LOG.{userid}.txt [file name; {userid} is the identifier the malware fills in]
  • README.{userid}.txt [file name; {userid} is the identifier the malware fills in]


Darkside 2.0 Campaign

In March 2021, Darkside launched a new affiliate program to drive a second ransomware campaign with updated code for both Windows and Linux. The call for affiliates advertises faster and more secure encryption and Active Directory integration. Former Soviet states, including Georgia and Ukraine, are deliberately excluded from targeting.

Screenshot of affiliate programs, ransomware features, and updates


Mitigations

  • Secure RDP endpoints with long, unique passwords that resist brute forcing, lock accounts after repeated failed logins, and do not expose RDP directly to the internet.
  • Patch vulnerabilities in internet-facing assets promptly.
  • Segment and isolate networks strictly, using firewalls and IDPS.
  • Educate users and employees on cyber hygiene.
  • Monitor endpoints to detect anomalies in ingress and egress traffic, and alert when backup, database and security services are stopped or removed en masse.

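The service-deletion behaviour described in the executive summary and in the Darkside 1.0 list is a usable precursor signal, and it gives the endpoint-monitoring mitigation above something concrete to watch for: a burst of stops across shadow-copy, database, backup and security services on one host within seconds, which no routine maintenance produces. The Python below is an added example written for this advisory, not a tool from the page or from any vendor. It assumes a JSON-lines feed from an EDR or Sysmon-style source that reports the service short name (the Windows System log's 7036 event only carries the display name, which does not contain strings like "vss" or "svc"); the field names ts, host, event and service are this example's own, and the sample events are constructed.

```python
import json
from collections import deque
from datetime import datetime, timedelta

# Name fragments DarkSide matches when removing services (from this advisory).
TARGET_SUBSTRINGS = ("vss", "sql", "svc", "memtas", "mepocs", "sophos", "veeam", "backup")

# Constructed sample telemetry, not real data. Assumed format: one JSON object
# per line with the service *short* name, as an EDR or Sysmon-style source
# would provide it (the field names are this example's own).
SAMPLE_EVENTS = """\
{"ts": "2021-04-06T11:02:10Z", "host": "WS-17", "event": "service_started", "service": "wuauserv"}
{"ts": "2021-04-06T11:02:13Z", "host": "WS-17", "event": "service_stopped", "service": "VSS"}
{"ts": "2021-04-06T11:02:13Z", "host": "WS-17", "event": "service_stopped", "service": "MSSQLSERVER"}
{"ts": "2021-04-06T11:02:14Z", "host": "WS-17", "event": "service_stopped", "service": "VeeamBackupSvc"}
{"ts": "2021-04-06T11:02:14Z", "host": "WS-17", "event": "service_stopped", "service": "Sophos MCS Agent"}
{"ts": "2021-04-06T11:02:15Z", "host": "WS-17", "event": "service_stopped", "service": "SDRSVC"}
{"ts": "2021-04-06T11:02:16Z", "host": "WS-17", "event": "service_stopped", "service": "Spooler"}
{"ts": "2021-04-06T11:30:00Z", "host": "WS-17", "event": "service_started", "service": "VSS"}
{"ts": "2021-04-06T14:00:00Z", "host": "WS-17", "event": "service_stopped", "service": "VeeamBackupSvc"}
"""


def is_targeted_service(name):
    """Case-insensitive substring test, mirroring the malware's own name check."""
    lowered = name.lower()
    return any(fragment in lowered for fragment in TARGET_SUBSTRINGS)


def parse_events(text):
    """Parse JSON lines into (timestamp, host, event, service) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append((ts, rec["host"], rec["event"], rec["service"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_service_kill_bursts(events, window_seconds=60, min_distinct=4):
    """Alert when at least `min_distinct` different targeted services stop on one
    host within `window_seconds`. A lone restart of a backup agent stays quiet;
    the ransomware's sweep over every matching service does not."""
    window = timedelta(seconds=window_seconds)
    recent = {}        # host -> deque of (ts, service) stops still inside the window
    open_alerts = {}   # host -> (alert dict, time until which new stops extend it)
    alerts = []
    for ts, host, kind, service in events:
        if kind != "service_stopped" or not is_targeted_service(service):
            continue
        q = recent.setdefault(host, deque())
        q.append((ts, service))
        while ts - q[0][0] > window:
            q.popleft()
        distinct = sorted({s for _, s in q})
        if len(distinct) < min_distinct:
            continue
        current = open_alerts.get(host)
        if current and ts <= current[1]:
            alert = current[0]                       # same burst: extend it
            alert["last_seen"] = ts.isoformat()
            alert["services"] = sorted(set(alert["services"]) | set(distinct))
        else:
            alert = {"host": host, "first_seen": q[0][0].isoformat(),
                     "last_seen": ts.isoformat(), "services": distinct}
            alerts.append(alert)
        open_alerts[host] = (alert, ts + window)
    return alerts


if __name__ == "__main__":
    for alert in detect_service_kill_bursts(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert, indent=2))
```

On the sample the detector raises one alert for WS-17 covering five services in the 11:02 burst and stays silent for the single Veeam stop at 14:00. The threshold and window are tuning knobs: four distinct targeted services in a minute is already far outside normal administration, and raising the threshold trades missed partial sweeps for fewer false positives during patch windows.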

(Edited on: 26.05.2021)

Indicators of Compromise

Domain
  • sol-doc.xyz
  • los-web.xyz
  • lagrom.com
  • koliz.xyz
  • darksidfqzcuhtk2.onion
  • darksidedxcftmqa.onion
  • athaliaoriginals.com

FileHash-MD5
  • f9fc1a1a95d5723c140c2a8effc93722
  • f913d43ba0a9f921b1376b26cd30fa34
  • f87a2e1c3d148a67eaeb696b1ab69133
  • f75ba194742c978239da2892061ba1b4
  • e44450150e8683a0addd5c686cd4d202
  • d6634959e4f9b42dfc02b270324fa6d9
  • cfcfb68901ffe513e9f0d76b17d02f96
  • c830512579b0e08f40bc1791fc10c582
  • c81dae5c67fb72a2c2f24b178aea50b7
  • c4f1a1b73e4af0fbb63af8ee89a5a7fe
  • c2764be55336f83a59aa0f63a0b36732
  • b9d04060842f71d1a8f3444316dc1843
  • b278d7ec3681df16a541cf9e34d3b70a
  • b0fd45162c2219e14bdccab76f33946e
  • a3d964aaf642d626474f02ba3ae4f49b
  • 9e779da82d86bcd4cc43ab29f929f73f
  • 9d418ecc0f3bf45029263b0944236884
  • 91e2807955c5004f13006ff795cb803c
  • 885fc8fb590b899c1db7b42fe83dddc3
  • 84c1567969b86089cc33dccf41562bcd
  • 7cdac4b82a7573ae825e5edb48f80be5
  • 7c8553c74c135d6e91736291c8558ea8
  • 6c9cda97d945ffb1b63fd6aabcb6e1a8
  • 6a7fdab1c7f6c5a5482749be5c4bf1a4
  • 69ec3d1368adbe75f3766fc88bc64afc
  • 68ada5f6aa8e3c3969061e905ceb204c
  • 66ddb290df3d510a6001365c3a694de2
  • 5ff75d33080bb97a8e6b54875c221777
  • 4d419dc50e3e4824c096f298e0fa885a
  • 4c99af42d102c863bbae84db9f133a82
  • 47a4420ad26f60bb6bba5645326fa963
  • 3fd9b0117a0e79191859630148dcdc6d
  • 29bcd459f5ddeeefad26fc098304e786
  • 27dc9d3bcffc80ff8f1776f39db5f0a4
  • 222792d2e75782516d653d5cccfcf33b
  • 1c33dc87c6fdb80725d732a5323341f9
  • 1a700f845849e573ab3148daef1a3b0b
  • 181ab725468cc1a8f28883a95034e17d
  • 130220f4457b9795094a21482d5f104b
  • 0ed51a595631e9b4d60896ab5573332f
  • 0e178c4808213ce50c2540468ce409d3
  • 04fde4340cc79cd9e61340d4c1e8ddfb
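The two indicator lists on this page use two notations (a type header above a run of values here, a "[md5]" or "[sha256]" tag after the value in the earlier list), letter case and spacing are inconsistent, and the file-name indicators carry a {userid} placeholder rather than a literal name. Before loading them into a SIEM it is worth parsing them by shape and checking each declared type against that shape. The Python below is an added example written for this advisory, not tooling from the page: it parses an excerpt of the page's own indicators in both notations, flags label/shape mismatches, turns {userid} into an alphanumeric wildcard (an assumption of this example, since the page does not define the identifier's format), and matches the result against constructed DNS, file and hash log lines in a key=value layout of this example's own.

```python
import re

# Excerpt of the indicators in this advisory, written the two ways the page
# writes them: a type header above a run of values, or a "[type]" tag after a
# value. Spacing and letter case are reproduced as they appear on the page.
IOC_TEXT = """\
F87a2e1c3d148a67eaeb696b1ab69133 [md5]
9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297[sha256]
LOG.{userid}.txt
README.{userid}.txt
Domain
sol-doc.xyz
lagrom.com
Darksidfqzcuhtk2.onion
FileHash-MD5
0e178c4808213ce50c2540468ce409d3
130220f4457b9795094a21482d5f104b
"""

# Constructed sample log lines (not real telemetry): "<ts> <source> key=value ...".
LOG_LINES = r"""
2021-05-26T10:00:01Z dns client=10.0.0.5 query=SOL-DOC.XYZ.
2021-05-26T10:00:02Z dns client=10.0.0.5 query=www.example.com.
2021-05-26T10:00:09Z file host=WS-17 path=C:\Users\bob\Desktop\README.a1b2c3d4.txt
2021-05-26T10:00:09Z file host=WS-17 path=C:\Users\bob\Desktop\notes.txt
2021-05-26T10:01:00Z hash host=WS-17 md5=F87A2E1C3D148A67EAEB696B1AB69133
2021-05-26T10:01:00Z hash host=WS-18 md5=00000000000000000000000000000000
"""

HEADER_TYPES = {"domain": "domain", "filehash-md5": "md5", "filehash-sha256": "sha256"}


def infer_type(value):
    """Classify an indicator by its shape rather than trusting its label."""
    v = value.lower()
    if re.fullmatch(r"[0-9a-f]{32}", v):
        return "md5"
    if re.fullmatch(r"[0-9a-f]{64}", v):
        return "sha256"
    if "{userid}" in v:
        return "filename"
    if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", v):
        return "domain"
    return "unknown"


def parse_iocs(text):
    """Return ([(type, normalised value)], [warnings]). A warning is recorded when
    a declared type (header or tag) disagrees with the value's shape."""
    iocs, warnings, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() in HEADER_TYPES:
            current = HEADER_TYPES[line.lower()]
            continue
        tagged = re.fullmatch(r"(\S+)\s*\[(\w+)\]", line)
        value, declared = (tagged.group(1), tagged.group(2).lower()) if tagged else (line, current)
        kind = infer_type(value)
        if kind == "unknown":
            warnings.append(f"unrecognised indicator: {line}")
            continue
        if declared and declared != kind:
            warnings.append(f"declared {declared} but looks like {kind}: {value}")
        iocs.append((kind, value.lower()))
    return iocs, warnings


def compile_matchers(iocs):
    """Exact-match sets for hashes and domains; regexes for file-name patterns.
    {userid} is assumed to be an alphanumeric token (this example's assumption)."""
    exact, patterns = {}, []
    for kind, value in iocs:
        if kind == "filename":
            rx = r"[0-9a-z]+".join(re.escape(part) for part in value.split("{userid}"))
            patterns.append((value, re.compile(rx, re.IGNORECASE)))
        else:
            exact.setdefault(kind, set()).add(value)
    return exact, patterns


def scan_log(text, exact, patterns):
    """Normalise each log field (case, trailing dot, path) and match it; return (ts, type, value) hits."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        ts, source, fields = parts[0], parts[1], dict(kv.split("=", 1) for kv in parts[2:])
        if source == "dns":
            q = fields.get("query", "").lower().rstrip(".")
            if q in exact.get("domain", ()):
                hits.append((ts, "domain", q))
        elif source == "hash":
            for kind in ("md5", "sha256"):
                h = fields.get(kind, "").lower()
                if h and h in exact.get(kind, ()):
                    hits.append((ts, kind, h))
        elif source == "file":
            name = re.split(r"[\\/]", fields.get("path", ""))[-1]
            if any(rx.fullmatch(name) for _, rx in patterns):
                hits.append((ts, "filename", name))
    return hits


if __name__ == "__main__":
    iocs, warnings = parse_iocs(IOC_TEXT)
    exact, patterns = compile_matchers(iocs)
    for hit in scan_log(LOG_LINES, exact, patterns):
        print(hit)
    for w in warnings:
        print("warning:", w)
```

Normalising on both sides (lower-casing hashes and domains, stripping the trailing dot a resolver log adds, taking the basename of a path) is what makes the upper-case md5 on the page and the upper-case query in the DNS log still meet; the type check catches a hash filed under the wrong header, which is an easy mistake when lists are copied between advisories.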
