win.darkside

DarkSide

aka: BlackMatter

FireEye describes DARKSIDE as ransomware written in C that can be configured to target files on fixed disks, removable disks, or network shares. Affiliates can customize the malware to produce a build tailored to a specific victim.

References
2023-07-11Twitter (@embee_research)Embee_research
@online{embeeresearch:20230711:tweets:ab48f14, author = {Embee_research}, title = {{Tweets on Ransomware Infrastructure Analysis With Censys and GrabbrApp}}, date = {2023-07-11}, organization = {Twitter (@embee_research)}, url = {https://twitter.com/embee_research/status/1678631524374020098?s=46}, language = {English}, urldate = {2023-07-16} } Tweets on Ransomware Infrastructure Analysis With Censys and GrabbrApp
DarkSide
2022-09-22BroadcomSymantec Threat Hunter Team
@online{team:20220922:noberus:fc868b9, author = {Symantec Threat Hunter Team}, title = {{Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics}}, date = {2022-09-22}, organization = {Broadcom}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps}, language = {English}, urldate = {2022-09-26} } Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics
BlackCat BlackMatter DarkSide
2022-07-13GLIMPSGLIMPS
@online{glimps:20220713:lockbit:c4e0803, author = {GLIMPS}, title = {{Lockbit 3.0}}, date = {2022-07-13}, organization = {GLIMPS}, url = {https://www.glimps.fr/lockbit3-0/}, language = {French}, urldate = {2022-07-18} } Lockbit 3.0
BlackMatter DarkSide LockBit
2022-06-29MandiantJared Wilson
@online{wilson:20220629:burrowing:d5ca9f1, author = {Jared Wilson}, title = {{Burrowing your way into VPNs, Proxies, and Tunnels}}, date = {2022-06-29}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/burrowing-your-way-into-vpns}, language = {English}, urldate = {2022-07-05} } Burrowing your way into VPNs, Proxies, and Tunnels
DarkSide SMOKEDHAM
2022-05-20AhnLabASEC
@online{asec:20220520:why:c6efba7, author = {ASEC}, title = {{Why Remediation Alone Is Not Enough When Infected by Malware}}, date = {2022-05-20}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/34549/}, language = {English}, urldate = {2022-05-24} } Why Remediation Alone Is Not Enough When Infected by Malware
Cobalt Strike DarkSide
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-04-13MicrosoftMicrosoft 365 Defender Threat Intelligence Team
@online{team:20220413:dismantling:ace8546, author = {Microsoft 365 Defender Threat Intelligence Team}, title = {{Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware}}, date = {2022-04-13}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/}, language = {English}, urldate = {2022-04-14} } Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware
BlackMatter Cobalt Strike DarkSide Ryuk Zloader
2022-03-23splunkShannon Davis
@online{davis:20220323:gone:56f570f, author = {Shannon Davis}, title = {{Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed}}, date = {2022-03-23}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html}, language = {English}, urldate = {2022-03-25} } Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
2022-03-17SophosTilly Travers
@online{travers:20220317:ransomware:df38f2f, author = {Tilly Travers}, title = {{The Ransomware Threat Intelligence Center}}, date = {2022-03-17}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/}, language = {English}, urldate = {2022-03-18} } The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2022-03-16SymantecSymantec Threat Hunter Team
@techreport{team:20220316:ransomware:1c2a72a, author = {Symantec Threat Hunter Team}, title = {{The Ransomware Threat Landscape: What to Expect in 2022}}, date = {2022-03-16}, institution = {Symantec}, url = {https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf}, language = {English}, urldate = {2022-03-22} } The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin
2022-02-23splunkShannon Davis, SURGe
@techreport{davis:20220223:empirically:fe03729, author = {Shannon Davis and SURGe}, title = {{An Empirically Comparative Analysis of Ransomware Binaries}}, date = {2022-02-23}, institution = {splunk}, url = {https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf}, language = {English}, urldate = {2022-03-25} } An Empirically Comparative Analysis of Ransomware Binaries
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
2022-02-21BrandefenseBrandefense
@online{brandefense:20220221:darkside:98639e6, author = {Brandefense}, title = {{Darkside Ransomware Analysis Report}}, date = {2022-02-21}, organization = {Brandefense}, url = {https://brandefense.io/darkside-ransomware-analysis-report/}, language = {English}, urldate = {2022-05-03} } Darkside Ransomware Analysis Report
DarkSide
2022-01-25Nozomi NetworksAlexey Kleymenov
@online{kleymenov:20220125:how:3c38376, author = {Alexey Kleymenov}, title = {{How to Analyze Malware for Technical Writing}}, date = {2022-01-25}, organization = {Nozomi Networks}, url = {https://www.nozominetworks.com/blog/how-to-analyze-malware-for-technical-writing/}, language = {English}, urldate = {2022-02-02} } How to Analyze Malware for Technical Writing
DarkSide
2021-11-04CrowdStrikeEric Loui, Josh Reynolds
@online{loui:20211104:carbon:e3ef021, author = {Eric Loui and Josh Reynolds}, title = {{CARBON SPIDER Embraces Big Game Hunting, Part 2}}, date = {2021-11-04}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/}, language = {English}, urldate = {2021-11-08} } CARBON SPIDER Embraces Big Game Hunting, Part 2
BlackMatter Griffon BlackMatter DarkSide HiddenTear JSSLoader
2021-11-03Group-IBAndrey Zhdanov
@online{zhdanov:20211103:darker:fb1a211, author = {Andrey Zhdanov}, title = {{The Darker Things BlackMatter and their victims}}, date = {2021-11-03}, organization = {Group-IB}, url = {https://blog.group-ib.com/blackmatter2}, language = {English}, urldate = {2022-01-25} } The Darker Things BlackMatter and their victims
BlackMatter DarkSide BlackMatter DarkSide
2021-11-01FBIFBI
@techreport{fbi:20211101:pin:a9b78d3, author = {FBI}, title = {{PIN Number 20211101-001: Ransomware Actors Use Significant Financial Events and Stock Valuation to Facilitate Targeting and Extortion of Victims}}, date = {2021-11-01}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/211101.pdf}, language = {English}, urldate = {2021-11-03} } PIN Number 20211101-001: Ransomware Actors Use Significant Financial Events and Stock Valuation to Facilitate Targeting and Extortion of Victims
DarkSide RansomEXX DarkSide PyXie RansomEXX
2021-10-22The RecordCatalin Cimpanu
@online{cimpanu:20211022:darkside:27f49ba, author = {Catalin Cimpanu}, title = {{DarkSide ransomware gang moves some of its Bitcoin after REvil got hit by law enforcement}}, date = {2021-10-22}, organization = {The Record}, url = {https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/}, language = {English}, urldate = {2021-11-02} } DarkSide ransomware gang moves some of its Bitcoin after REvil got hit by law enforcement
BlackMatter DarkSide BlackMatter DarkSide
2021-10-22HUNT & HACKETTKrijn de Mik
@online{mik:20211022:advanced:e22d6f6, author = {Krijn de Mik}, title = {{Advanced IP Scanner: the preferred scanner in the A(P)T toolbox}}, date = {2021-10-22}, organization = {HUNT & HACKETT}, url = {https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox}, language = {English}, urldate = {2021-11-02} } Advanced IP Scanner: the preferred scanner in the A(P)T toolbox
Conti DarkSide Dharma Egregor Hades REvil Ryuk
2021-10-22Twitter (@GelosSnake)Omri Segev Moyal
@online{moyal:20211022:list:7934934, author = {Omri Segev Moyal}, title = {{Tweet on List of wallets used by Darkside/Blackmatter Operator to split out the money}}, date = {2021-10-22}, organization = {Twitter (@GelosSnake)}, url = {https://twitter.com/GelosSnake/status/1451465959894667275}, language = {English}, urldate = {2021-11-02} } Tweet on List of wallets used by Darkside/Blackmatter Operator to split out the money
BlackMatter DarkSide BlackMatter DarkSide
2021-10-22EllipticElliptic Intel
@online{intel:20211022:darkside:8c61341, author = {Elliptic Intel}, title = {{DarkSide bitcoins on the move following government cyberattack against REvil ransomware group}}, date = {2021-10-22}, organization = {Elliptic}, url = {https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group}, language = {English}, urldate = {2021-11-02} } DarkSide bitcoins on the move following government cyberattack against REvil ransomware group
BlackMatter DarkSide BlackMatter DarkSide
2021-10-22Bleeping ComputerIonut Ilascu
@online{ilascu:20211022:darkside:89e4ee2, author = {Ionut Ilascu}, title = {{DarkSide ransomware rushes to cash out $7 million in Bitcoin}}, date = {2021-10-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/}, language = {English}, urldate = {2021-11-02} } DarkSide ransomware rushes to cash out $7 million in Bitcoin
BlackMatter DarkSide BlackMatter DarkSide
2021-10-14YouTube (Uriel Kosayev)Uriel Kosayev
@online{kosayev:20211014:darkside:c4648ce, author = {Uriel Kosayev}, title = {{DarkSide Ransomware Reverse Engineering}}, date = {2021-10-14}, organization = {YouTube (Uriel Kosayev)}, url = {https://www.youtube.com/watch?v=NIiEcOryLpI}, language = {English}, urldate = {2021-11-02} } DarkSide Ransomware Reverse Engineering
BlackMatter DarkSide BlackMatter DarkSide
2021-10-12CrowdStrikeCrowdStrike Intelligence Team
@online{team:20211012:ecx:5540ee9, author = {CrowdStrike Intelligence Team}, title = {{ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity}}, date = {2021-10-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/}, language = {English}, urldate = {2021-11-02} } ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity
Babuk BlackMatter DarkSide REvil Avaddon Babuk BlackMatter DarkSide LockBit Mailto REvil
2021-10-05Trend MicroFyodor Yarochkin, Janus Agcaoili, Byron Gelera, Nikko Tamana
@online{yarochkin:20211005:ransomware:e5f5375, author = {Fyodor Yarochkin and Janus Agcaoili and Byron Gelera and Nikko Tamana}, title = {{Ransomware as a Service: Enabler of Widespread Attacks}}, date = {2021-10-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks}, language = {English}, urldate = {2021-10-20} } Ransomware as a Service: Enabler of Widespread Attacks
Cerber Conti DarkSide Gandcrab Locky Nefilim REvil Ryuk
2021-09-23BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20210923:threat:e44c44f, author = {The BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: BlackMatter RaaS - Darker Than DarkSide?}}, date = {2021-09-23}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service}, language = {English}, urldate = {2021-10-11} } Threat Thursday: BlackMatter RaaS - Darker Than DarkSide?
BlackMatter DarkSide BlackMatter DarkSide
2021-09-14CrowdStrikeCrowdStrike Intelligence Team
@online{team:20210914:big:b345561, author = {CrowdStrike Intelligence Team}, title = {{Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack}}, date = {2021-09-14}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/}, language = {English}, urldate = {2021-09-19} } Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack
BlackMatter DarkSide REvil Avaddon BlackMatter Clop Conti CryptoLocker DarkSide DoppelPaymer Hades REvil
2021-09-02US Department of Health and Human ServicesHealth Sector Cybersecurity Coordination Center (HC3)
@techreport{hc3:20210902:demystifying:afc61dc, author = {Health Sector Cybersecurity Coordination Center (HC3)}, title = {{Demystifying BlackMatter}}, date = {2021-09-02}, institution = {US Department of Health and Human Services}, url = {https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf}, language = {English}, urldate = {2021-11-02} } Demystifying BlackMatter
BlackMatter BlackMatter DarkSide
2021-08-30CrowdStrikeEric Loui, Josh Reynolds
@online{loui:20210830:carbon:66be3f3, author = {Eric Loui and Josh Reynolds}, title = {{CARBON SPIDER Embraces Big Game Hunting, Part 1}}, date = {2021-08-30}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/}, language = {English}, urldate = {2021-08-31} } CARBON SPIDER Embraces Big Game Hunting, Part 1
Bateleur Griffon Carbanak DarkSide JSSLoader PILLOWMINT REvil
2021-08-15SymantecThreat Hunter Team
@techreport{team:20210815:ransomware:f799696, author = {Threat Hunter Team}, title = {{The Ransomware Threat}}, date = {2021-08-15}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf}, language = {English}, urldate = {2021-12-15} } The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-08-06metabaseqMiguel Gonzalez, Jesus Dominguez
@online{gonzalez:20210806:inside:073bbcb, author = {Miguel Gonzalez and Jesus Dominguez}, title = {{Inside DarkSide, the ransomware that attacked Colonial Pipeline}}, date = {2021-08-06}, organization = {metabaseq}, url = {https://www.metabaseq.com/recursos/inside-darkside-the-ransomware-that-attacked-colonial-pipeline#}, language = {Spanish}, urldate = {2022-04-05} } Inside DarkSide, the ransomware that attacked Colonial Pipeline
DarkSide
2021-08-06Group-IBAndrey Zhdanov
@online{zhdanov:20210806:its:e5b4483, author = {Andrey Zhdanov}, title = {{It's alive! The story behind the BlackMatter ransomware strain}}, date = {2021-08-06}, organization = {Group-IB}, url = {https://blog.group-ib.com/blackmatter#}, language = {English}, urldate = {2021-08-09} } It's alive! The story behind the BlackMatter ransomware strain
BlackMatter DarkSide BlackMatter DarkSide
2021-08-05SymantecThreat Hunter Team
@techreport{team:20210805:attacks:c2d7348, author = {Threat Hunter Team}, title = {{Attacks Against Critical Infrastructure: A Global Concern}}, date = {2021-08-05}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf}, language = {English}, urldate = {2021-08-06} } Attacks Against Critical Infrastructure: A Global Concern
BlackEnergy DarkSide DistTrack Stuxnet
2021-08-05cybleCyble
@online{cyble:20210805:blackmatter:f0b08a4, author = {Cyble}, title = {{BlackMatter Under the Lens: An Emerging Ransomware Group Looking for Affiliates}}, date = {2021-08-05}, organization = {cyble}, url = {https://blog.cyble.com/2021/08/05/blackmatter-under-the-lens-an-emerging-ransomware-group-looking-for-affiliates/}, language = {English}, urldate = {2021-08-06} } BlackMatter Under the Lens: An Emerging Ransomware Group Looking for Affiliates
DarkSide
2021-08-05KrebsOnSecurityBrian Krebs
@online{krebs:20210805:ransomware:0962b82, author = {Brian Krebs}, title = {{Ransomware Gangs and the Name Game Distraction}}, date = {2021-08-05}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/}, language = {English}, urldate = {2021-12-13} } Ransomware Gangs and the Name Game Distraction
DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze RansomEXX REvil Ryuk Sekhmet
2021-08-04Recorded FutureInsikt Group®
@techreport{group:20210804:protect:283486d, author = {Insikt Group®}, title = {{Protect Against BlackMatter Ransomware Before It’s Offered}}, date = {2021-08-04}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/MTP-2021-0804.pdf}, language = {English}, urldate = {2021-08-06} } Protect Against BlackMatter Ransomware Before It’s Offered
BlackMatter DarkSide
2021-08-03Twitter (@sisoma2)sisoma2
@online{sisoma2:20210803:python:1bb11e4, author = {sisoma2}, title = {{Python script for recovering the hashes hardcoded in different samples of the BlackMatter ransomware}}, date = {2021-08-03}, organization = {Twitter (@sisoma2)}, url = {https://github.com/sisoma2/malware_analysis/tree/master/blackmatter}, language = {English}, urldate = {2021-08-06} } Python script for recovering the hashes hardcoded in different samples of the BlackMatter ransomware
DarkSide
2021-08-03Twitter (@sysopfb)Jason Reaves
@online{reaves:20210803:python:3eef2f9, author = {Jason Reaves}, title = {{Tweet on python script to decode the blob from Blackmatter ransomware}}, date = {2021-08-03}, organization = {Twitter (@sysopfb)}, url = {https://twitter.com/sysopfb/status/1422280887274639375}, language = {English}, urldate = {2021-08-06} } Tweet on python script to decode the blob from Blackmatter ransomware
DarkSide
2021-08-03Twitter (@ValthekOn)Valthek
@online{valthek:20210803:blacklisted:4126206, author = {Valthek}, title = {{Tweet on blacklisted extensions & names of BlackMatter ransomware making the check against custom hashes values}}, date = {2021-08-03}, organization = {Twitter (@ValthekOn)}, url = {https://twitter.com/ValthekOn/status/1422385890467491841?s=20}, language = {English}, urldate = {2021-08-06} } Tweet on blacklisted extensions & names of BlackMatter ransomware making the check against custom hashes values
DarkSide
2021-08-02The RecordDmitry Smilyanets
@online{smilyanets:20210802:interview:b42389c, author = {Dmitry Smilyanets}, title = {{An interview with BlackMatter: A new ransomware group that’s learning from the mistakes of DarkSide and REvil}}, date = {2021-08-02}, organization = {The Record}, url = {https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/}, language = {English}, urldate = {2021-08-03} } An interview with BlackMatter: A new ransomware group that’s learning from the mistakes of DarkSide and REvil
DarkSide LockBit REvil
2021-08-01ID RansomwareAndrew Ivanov
@online{ivanov:20210801:blackmatter:a344018, author = {Andrew Ivanov}, title = {{BlackMatter Ransomware}}, date = {2021-08-01}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2021/07/blackmatter-ransomware.html}, language = {Russian}, urldate = {2021-08-02} } BlackMatter Ransomware
DarkSide
2021-07-31Bleeping ComputerLawrence Abrams
@online{abrams:20210731:darkside:1d6ac34, author = {Lawrence Abrams}, title = {{DarkSide ransomware gang returns as new BlackMatter operation}}, date = {2021-07-31}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/darkside-ransomware-gang-returns-as-new-blackmatter-operation/}, language = {English}, urldate = {2021-08-02} } DarkSide ransomware gang returns as new BlackMatter operation
DarkSide
2021-07-31Bleeping ComputerLawrence Abrams
@online{abrams:20210731:blackmatter:924d440, author = {Lawrence Abrams}, title = {{BlackMatter ransomware gang rises from the ashes of DarkSide, REvil}}, date = {2021-07-31}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/}, language = {English}, urldate = {2021-08-02} } BlackMatter ransomware gang rises from the ashes of DarkSide, REvil
DarkSide REvil
2021-07-27Recorded FutureInsikt Group®
@online{group:20210727:blackmatter:db85bfb, author = {Insikt Group®}, title = {{BlackMatter Ransomware Emerges As Successor to DarkSide, REvil}}, date = {2021-07-27}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/}, language = {English}, urldate = {2021-07-29} } BlackMatter Ransomware Emerges As Successor to DarkSide, REvil
DarkSide LockBit REvil
2021-07-27ZAYOTEMHalil Filik
@techreport{filik:20210727:darkside:1a80ce5, author = {Halil Filik}, title = {{DarkSide Ransomware Technical Analysis Report}}, date = {2021-07-27}, institution = {ZAYOTEM}, url = {https://github.com/Haxrein/Malware-Analysis-Reports/blob/main/darkside_ransomware_technical_analysis_report.pdf}, language = {English}, urldate = {2021-08-18} } DarkSide Ransomware Technical Analysis Report
DarkSide
2021-07-13Threat PostBecky Bracken
@online{bracken:20210713:guess:eafaf32, author = {Becky Bracken}, title = {{Guess Fashion Brand Deals With Data Loss After Ransomware Attack}}, date = {2021-07-13}, organization = {Threat Post}, url = {https://threatpost.com/guess-fashion-data-loss-ransomware/167754/}, language = {English}, urldate = {2021-07-20} } Guess Fashion Brand Deals With Data Loss After Ransomware Attack
DarkSide
2021-07-08CISAUS-CERT
@online{uscert:20210708:malware:5341e6c, author = {US-CERT}, title = {{Malware Analysis Report (AR21-189A): DarkSide Ransomware}}, date = {2021-07-08}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-189a}, language = {English}, urldate = {2021-07-19} } Malware Analysis Report (AR21-189A): DarkSide Ransomware
DarkSide
2021-07-03Bleeping ComputerSergiu Gatlan
@online{gatlan:20210703:us:6685629, author = {Sergiu Gatlan}, title = {{US chemical distributor shares info on DarkSide ransomware data theft}}, date = {2021-07-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/us-chemical-distributor-shares-info-on-darkside-ransomware-data-theft/}, language = {English}, urldate = {2021-07-11} } US chemical distributor shares info on DarkSide ransomware data theft
DarkSide
2021-06-22MaltegoMaltego Team, Intel 471
@online{team:20210622:chasing:91032a1, author = {Maltego Team and Intel 471}, title = {{Chasing DarkSide Affiliates: Identifying Threat Actors Connected to Darkside Ransomware Using Maltego & Intel 471}}, date = {2021-06-22}, organization = {Maltego}, url = {https://www.maltego.com/blog/chasing-darkside-affiliates-identifying-threat-actors-connected-to-darkside-ransomware-using-maltego-intel-471-1/}, language = {English}, urldate = {2021-06-23} } Chasing DarkSide Affiliates: Identifying Threat Actors Connected to Darkside Ransomware Using Maltego & Intel 471
DarkSide DarkSide
2021-06-14CYBER GEEKS All Things InfosecCyberMasterV
@online{cybermasterv:20210614:stepbystep:6b4b871, author = {CyberMasterV}, title = {{A Step-by-Step Analysis of a New Version of DarkSide Ransomware}}, date = {2021-06-14}, organization = {CYBER GEEKS All Things Infosec}, url = {https://cybergeeks.tech/a-step-by-step-analysis-of-a-new-version-of-darkside-ransomware/}, language = {English}, urldate = {2021-06-22} } A Step-by-Step Analysis of a New Version of DarkSide Ransomware
DarkSide
2021-06-13SecJuiceSecprentice
@online{secprentice:20210613:blue:49dbef0, author = {Secprentice}, title = {{Blue Team Detection: DarkSide Ransomware}}, date = {2021-06-13}, organization = {SecJuice}, url = {https://www.secjuice.com/blue-team-detection-darkside-ransomware/}, language = {English}, urldate = {2021-06-22} } Blue Team Detection: DarkSide Ransomware
DarkSide
2021-06-10McAfeeATR Operational Intelligence Team
@online{team:20210610:are:14ab8d0, author = {ATR Operational Intelligence Team}, title = {{Are Virtual Machines the New Gold for Cyber Criminals?}}, date = {2021-06-10}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/are-virtual-machines-the-new-gold-for-cyber-criminals/}, language = {English}, urldate = {2021-06-21} } Are Virtual Machines the New Gold for Cyber Criminals?
Babuk DarkSide
2021-06-04DeepInstinctBar Block
@online{block:20210604:ransomware:9b1bb93, author = {Bar Block}, title = {{The Ransomware Conundrum – A Look into DarkSide}}, date = {2021-06-04}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/2021/06/04/the-ransomware-conundrum-a-look-into-darkside/}, language = {English}, urldate = {2021-06-22} } The Ransomware Conundrum – A Look into DarkSide
DarkSide
2021-06-03Medium s2wlabHyunmin Suh, Denise Dasom Kim, Jungyeon Lim, YH Jeong
@online{suh:20210603:w1:f034ac8, author = {Hyunmin Suh and Denise Dasom Kim and Jungyeon Lim and YH Jeong}, title = {{W1 Jun | EN | Story of the week: Ransomware on the Darkweb}}, date = {2021-06-03}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b}, language = {English}, urldate = {2021-06-16} } W1 Jun | EN | Story of the week: Ransomware on the Darkweb
DarkSide Babuk DarkSide
2021-06-02CrowdStrikeJosh Dalman, Heather Smith
@online{dalman:20210602:under:2e7083b, author = {Josh Dalman and Heather Smith}, title = {{Under Attack: Protecting Against Conti, DarkSide, REvil and Other Ransomware}}, date = {2021-06-02}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/}, language = {English}, urldate = {2021-06-09} } Under Attack: Protecting Against Conti, DarkSide, REvil and Other Ransomware
DarkSide Conti DarkSide REvil
2021-05-24MIT Technology ReviewDaniel Golden, Renee Dudley
@online{golden:20210524:colonial:5724053, author = {Daniel Golden and Renee Dudley}, title = {{The Colonial pipeline ransomware hackers had a secret weapon: self-promoting cybersecurity firms}}, date = {2021-05-24}, organization = {MIT Technology Review}, url = {https://www.technologyreview.com/2021/05/24/1025195/colonial-pipeline-ransomware-bitdefender/}, language = {English}, urldate = {2021-06-16} } The Colonial pipeline ransomware hackers had a secret weapon: self-promoting cybersecurity firms
DarkSide DarkSide
2021-05-21360 Total Securitykate
@online{kate:20210521:darksides:fd45119, author = {kate}, title = {{DarkSide’s Targeted Ransomware Analysis Report for Critical U.S. Infrastructure}}, date = {2021-05-21}, organization = {360 Total Security}, url = {https://blog.360totalsecurity.com/en/darksides-targeted-ransomware-analysis-report-for-critical-u-s-infrastructure-2/}, language = {English}, urldate = {2021-05-26} } DarkSide’s Targeted Ransomware Analysis Report for Critical U.S. Infrastructure
DarkSide
2021-05-21Bleeping ComputerIonut Ilascu
@online{ilascu:20210521:darkside:13af9fa, author = {Ionut Ilascu}, title = {{DarkSide affiliates claim gang's bitcoins in deposit on hacker forum}}, date = {2021-05-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/darkside-affiliates-claim-gangs-bitcoins-in-deposit-on-hacker-forum/}, language = {English}, urldate = {2021-05-26} } DarkSide affiliates claim gang's bitcoins in deposit on hacker forum
DarkSide
2021-05-20Digital ShadowsStefano De Blasi
@online{blasi:20210520:ransomwareasaservice:c7173c4, author = {Stefano De Blasi}, title = {{Ransomware-as-a-Service, Rogue Affiliates, and What’s Next}}, date = {2021-05-20}, organization = {Digital Shadows}, url = {https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/}, language = {English}, urldate = {2021-05-26} } Ransomware-as-a-Service, Rogue Affiliates, and What’s Next
DarkSide DarkSide REvil
2021-05-20RiskIQJennifer Grob
@online{grob:20210520:analysis:1b7ae0b, author = {Jennifer Grob}, title = {{Analysis of Infrastructure used by DarkSide Affiliates}}, date = {2021-05-20}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/fdf74f23}, language = {English}, urldate = {2021-05-26} } Analysis of Infrastructure used by DarkSide Affiliates
DarkSide
2021-05-19Nozomi NetworksAlexey Kleymenov
@online{kleymenov:20210519:colonial:e537383, author = {Alexey Kleymenov}, title = {{Colonial Pipeline Ransomware Attack: Revealing How DarkSide Works}}, date = {2021-05-19}, organization = {Nozomi Networks}, url = {https://www.nozominetworks.com/blog/colonial-pipeline-ransomware-attack-revealing-how-darkside-works/}, language = {English}, urldate = {2021-05-26} } Colonial Pipeline Ransomware Attack: Revealing How DarkSide Works
DarkSide
2021-05-19The Wall Street JournalCollin Eaton
@online{eaton:20210519:colonial:8185b82, author = {Collin Eaton}, title = {{Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million Ransom}}, date = {2021-05-19}, organization = {The Wall Street Journal}, url = {https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636}, language = {English}, urldate = {2021-05-19} } Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million Ransom
DarkSide DarkSide
2021-05-18EllipticTom Robinson
@online{robinson:20210518:darkside:c1451b1, author = {Tom Robinson}, title = {{DarkSide Ransomware has Netted Over $90 million in Bitcoin}}, date = {2021-05-18}, organization = {Elliptic}, url = {https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin}, language = {English}, urldate = {2021-05-19} } DarkSide Ransomware has Netted Over $90 million in Bitcoin
DarkSide DarkSide
2021-05-18Bleeping ComputerIonut Ilascu
@online{ilascu:20210518:darkside:d8e345b, author = {Ionut Ilascu}, title = {{DarkSide ransomware made $90 million in just nine months}}, date = {2021-05-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/}, language = {English}, urldate = {2021-06-07} } DarkSide ransomware made $90 million in just nine months
DarkSide DarkSide Egregor Gandcrab Mailto Maze REvil Ryuk
2021-05-18 | The Record | Catalin Cimpanu
@online{cimpanu:20210518:darkside:14b6690, author = {Catalin Cimpanu}, title = {{Darkside gang estimated to have made over $90 million from ransomware attacks}}, date = {2021-05-18}, organization = {The Record}, url = {https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/}, language = {English}, urldate = {2021-05-19} } Darkside gang estimated to have made over $90 million from ransomware attacks
DarkSide DarkSide Mailto Maze REvil Ryuk
2021-05-18 | KEYSIGHT TECHNOLOGIES | Radu Emanuel Chiscariu
@online{chiscariu:20210518:darkside:a38ef87, author = {Radu Emanuel Chiscariu}, title = {{DarkSide Ransomware Behavior and Techniques}}, date = {2021-05-18}, organization = {KEYSIGHT TECHNOLOGIES}, url = {https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2021/05/18/darkside_ransomware-QfsV.html}, language = {English}, urldate = {2021-09-20} } DarkSide Ransomware Behavior and Techniques
DarkSide
2021-05-17 | splunk | Splunk Threat Research Team
@online{team:20210517:darkside:e7a3747, author = {Splunk Threat Research Team}, title = {{DarkSide Ransomware: Splunk Threat Update and Detections}}, date = {2021-05-17}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html}, language = {English}, urldate = {2021-05-19} } DarkSide Ransomware: Splunk Threat Update and Detections
DarkSide
2021-05-17 | Gigamon | Joe Slowik
@online{slowik:20210517:tracking:060c759, author = {Joe Slowik}, title = {{Tracking DarkSide and Ransomware: The Network View}}, date = {2021-05-17}, organization = {Gigamon}, url = {https://blog.gigamon.com/2021/05/17/tracking-darkside-and-ransomware-the-network-view/}, language = {English}, urldate = {2021-05-17} } Tracking DarkSide and Ransomware: The Network View
DarkSide DarkSide
2021-05-17 | Fortinet | Fred Gutierrez, Gayathri Thirugnanasambandam, Val Saengphaibul
@online{gutierrez:20210517:newly:65d872f, author = {Fred Gutierrez and Gayathri Thirugnanasambandam and Val Saengphaibul}, title = {{Newly Discovered Function in DarkSide Ransomware Variant Targets Disk Partitions}}, date = {2021-05-17}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions}, language = {English}, urldate = {2021-05-19} } Newly Discovered Function in DarkSide Ransomware Variant Targets Disk Partitions
DarkSide
2021-05-14 | Intel 471 | Intel 471
@online{471:20210514:moral:83d138a, author = {Intel 471}, title = {{The moral underground? Ransomware operators retreat after Colonial Pipeline hack}}, date = {2021-05-14}, organization = {Intel 471}, url = {https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime}, language = {English}, urldate = {2021-05-17} } The moral underground? Ransomware operators retreat after Colonial Pipeline hack
DarkSide DarkSide
2021-05-14 | Blue Team Blog | Auth 0r
@online{0r:20210514:darkside:bf9c5bc, author = {Auth 0r}, title = {{DarkSide Ransomware Operations – Preventions and Detections.}}, date = {2021-05-14}, organization = {Blue Team Blog}, url = {https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections}, language = {English}, urldate = {2021-05-17} } DarkSide Ransomware Operations – Preventions and Detections.
Cobalt Strike DarkSide
2021-05-14 | Advanced Intelligence | Vitali Kremez
@online{kremez:20210514:from:958e38d, author = {Vitali Kremez}, title = {{From Dawn to "Silent Night": "DarkSide Ransomware" Initial Attack Vector Evolution}}, date = {2021-05-14}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/from-dawn-to-silent-night-darkside-ransomware-initial-attack-vector-evolution}, language = {English}, urldate = {2021-05-17} } From Dawn to "Silent Night": "DarkSide Ransomware" Initial Attack Vector Evolution
DarkSide
2021-05-14 | Elliptic | Dr. Tom Robinson
@online{robinson:20210514:elliptic:0c14d0e, author = {Dr. Tom Robinson}, title = {{Elliptic Follows the Bitcoin Ransoms Paid by Colonial Pipeline and Other DarkSide Ransomware Victims}}, date = {2021-05-14}, organization = {Elliptic}, url = {https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims}, language = {English}, urldate = {2021-05-17} } Elliptic Follows the Bitcoin Ransoms Paid by Colonial Pipeline and Other DarkSide Ransomware Victims
DarkSide DarkSide
2021-05-14 | Bleeping Computer | Lawrence Abrams
@online{abrams:20210514:darkside:5169afb, author = {Lawrence Abrams}, title = {{DarkSide ransomware servers reportedly seized, REvil restricts targets}}, date = {2021-05-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-revil-restricts-targets/}, language = {English}, urldate = {2021-05-17} } DarkSide ransomware servers reportedly seized, REvil restricts targets
DarkSide DarkSide
2021-05-13 | Bleeping Computer | Lawrence Abrams
@online{abrams:20210513:popular:62e98c8, author = {Lawrence Abrams}, title = {{Popular Russian hacking forum XSS bans all ransomware topics}}, date = {2021-05-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/}, language = {English}, urldate = {2021-05-17} } Popular Russian hacking forum XSS bans all ransomware topics
DarkSide DarkSide LockBit REvil
2021-05-13 | Bloomberg | William Turton, Michael Riley, Jennifer Jacobs
@online{turton:20210513:colonial:fa273fe, author = {William Turton and Michael Riley and Jennifer Jacobs}, title = {{Colonial Pipeline Paid Hackers Nearly $5 Million in Ransom}}, date = {2021-05-13}, organization = {Bloomberg}, url = {https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom}, language = {English}, urldate = {2021-05-13} } Colonial Pipeline Paid Hackers Nearly $5 Million in Ransom
DarkSide
2021-05-13 | The Record | Catalin Cimpanu
@online{cimpanu:20210513:popular:278e039, author = {Catalin Cimpanu}, title = {{Popular hacking forum bans ransomware ads}}, date = {2021-05-13}, organization = {The Record}, url = {https://therecord.media/popular-hacking-forum-bans-ransomware-ads/}, language = {English}, urldate = {2021-05-17} } Popular hacking forum bans ransomware ads
DarkSide DarkSide
2021-05-13 | Bleeping Computer | Lawrence Abrams
@online{abrams:20210513:chemical:86f4f4a, author = {Lawrence Abrams}, title = {{Chemical distributor pays $4.4 million to DarkSide ransomware}}, date = {2021-05-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/}, language = {English}, urldate = {2021-05-17} } Chemical distributor pays $4.4 million to DarkSide ransomware
DarkSide DarkSide
2021-05-12 | Palo Alto Networks Unit 42 | Ramarcus Baylor
@online{baylor:20210512:darkside:f63c2c2, author = {Ramarcus Baylor}, title = {{DarkSide Ransomware Gang: An Overview}}, date = {2021-05-12}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/darkside-ransomware/}, language = {English}, urldate = {2021-05-13} } DarkSide Ransomware Gang: An Overview
DarkSide
2021-05-12 | SecurityScorecard | Ryan Sherstobitoff
@online{sherstobitoff:20210512:new:06b17ad, author = {Ryan Sherstobitoff}, title = {{New Evidence Supports Assessment that DarkSide Likely Responsible for Colonial Pipeline Ransomware Attack; Others Targeted}}, date = {2021-05-12}, organization = {SecurityScorecard}, url = {https://securityscorecard.com/blog/new-evidence-supports-assessment-that-darkside-likely-responsible-for-colonial-pipeline-ransomware-attack-others-targeted}, language = {English}, urldate = {2021-05-17} } New Evidence Supports Assessment that DarkSide Likely Responsible for Colonial Pipeline Ransomware Attack; Others Targeted
DarkSide DarkSide
2021-05-12 | Trend Micro | Trend Micro Research
@online{research:20210512:what:cf1638f, author = {Trend Micro Research}, title = {{What We Know About Darkside Ransomware and the US Pipeline Attack}}, date = {2021-05-12}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/e/what-we-know-about-darkside-ransomware-and-the-us-pipeline-attac.html}, language = {English}, urldate = {2021-05-13} } What We Know About Darkside Ransomware and the US Pipeline Attack
DarkSide
2021-05-12 | Zero Day | Kim Zetter
@online{zetter:20210512:anatomy:f5df5c4, author = {Kim Zetter}, title = {{Anatomy of a $2 Million Darkside Ransomware Breach}}, date = {2021-05-12}, organization = {Zero Day}, url = {https://zetter.substack.com/p/anatomy-of-one-of-the-first-darkside}, language = {English}, urldate = {2021-05-13} } Anatomy of a $2 Million Darkside Ransomware Breach
DarkSide
2021-05-11 | Dragos | Mike Hoffman, Tom Winston
@online{hoffman:20210511:recommendations:d69cee0, author = {Mike Hoffman and Tom Winston}, title = {{Recommendations Following the Colonial Pipeline Cyber Attack}}, date = {2021-05-11}, organization = {Dragos}, url = {https://www.dragos.com/blog/industry-news/recommendations-following-the-colonial-pipeline-cyber-attack/}, language = {English}, urldate = {2021-05-13} } Recommendations Following the Colonial Pipeline Cyber Attack
DarkSide
2021-05-11 | CISA | US-CERT
@online{uscert:20210511:alert:a9224cc, author = {US-CERT}, title = {{Alert (AA21-131A) DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks}}, date = {2021-05-11}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/alerts/aa21-131a}, language = {English}, urldate = {2021-05-13} } Alert (AA21-131A) DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks
DarkSide
2021-05-11 | Sophos | Sean Gallagher, Mark Loman, Peter Mackenzie, Yusuf Arslan Polat, Gabor Szappanos, Suriya Natarajan, Szabolcs Lévai, Ferenc László Nagy
@online{gallagher:20210511:defenders:a4c7f9c, author = {Sean Gallagher and Mark Loman and Peter Mackenzie and Yusuf Arslan Polat and Gabor Szappanos and Suriya Natarajan and Szabolcs Lévai and Ferenc László Nagy}, title = {{A defender’s view inside a DarkSide ransomware attack}}, date = {2021-05-11}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/05/11/a-defenders-view-inside-a-darkside-ransomware-attack/}, language = {English}, urldate = {2021-05-13} } A defender’s view inside a DarkSide ransomware attack
DarkSide
2021-05-11 | FireEye | Jordan Nuce, Jeremy Kennelly, Kimberly Goody, Andrew Moore, Alyssa Rahman, Brendan McKeague, Jared Wilson
@online{nuce:20210511:shining:339d137, author = {Jordan Nuce and Jeremy Kennelly and Kimberly Goody and Andrew Moore and Alyssa Rahman and Brendan McKeague and Jared Wilson}, title = {{Shining a Light on DARKSIDE Ransomware Operations}}, date = {2021-05-11}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html}, language = {English}, urldate = {2021-05-13} } Shining a Light on DARKSIDE Ransomware Operations
Cobalt Strike DarkSide
2021-05-11 | Flashpoint | Flashpoint
@online{flashpoint:20210511:darkside:32c4e89, author = {Flashpoint}, title = {{DarkSide Ransomware Links to REvil Group Difficult to Dismiss}}, date = {2021-05-11}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/}, language = {English}, urldate = {2021-05-13} } DarkSide Ransomware Links to REvil Group Difficult to Dismiss
DarkSide REvil
2021-05-11 | KrebsOnSecurity | Brian Krebs
@online{krebs:20210511:closer:aa8982f, author = {Brian Krebs}, title = {{A Closer Look at the DarkSide Ransomware Gang}}, date = {2021-05-11}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/}, language = {English}, urldate = {2021-05-13} } A Closer Look at the DarkSide Ransomware Gang
DarkSide
2021-05-11 | splunk | James Brodsky
@online{brodsky:20210511:darkside:9c81721, author = {James Brodsky}, title = {{The DarkSide of the Ransomware Pipeline}}, date = {2021-05-11}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.html}, language = {English}, urldate = {2021-05-13} } The DarkSide of the Ransomware Pipeline
DarkSide
2021-05-10 | SecurityIntelligence | Limor Kessem
@online{kessem:20210510:shedding:c49ddab, author = {Limor Kessem}, title = {{Shedding Light on the DarkSide Ransomware Attack}}, date = {2021-05-10}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/posts/darkside-oil-pipeline-ransomware-attack/}, language = {English}, urldate = {2021-05-11} } Shedding Light on the DarkSide Ransomware Attack
DarkSide
2021-05-10 | Anheng Threat Intelligence Center | Hunting Shadow Lab
@online{lab:20210510:analysis:7cf4e42, author = {Hunting Shadow Lab}, title = {{Analysis of U.S. Oil Products Pipeline Operators Suspended by Ransomware Attacks}}, date = {2021-05-10}, organization = {Anheng Threat Intelligence Center}, url = {http://ti.dbappsecurity.com.cn/blog/index.php/2021/05/10/darkside/}, language = {Chinese}, urldate = {2021-06-22} } Analysis of U.S. Oil Products Pipeline Operators Suspended by Ransomware Attacks
DarkSide
2021-05-10 | DarkTracer | DarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-10 | Intel 471 | Intel 471
@online{471:20210510:heres:ebc6e81, author = {Intel 471}, title = {{Here’s what we know about DarkSide ransomware}}, date = {2021-05-10}, organization = {Intel 471}, url = {https://www.intel471.com/blog/darkside-ransomware-colonial-pipeline-attack}, language = {English}, urldate = {2021-05-13} } Here’s what we know about DarkSide ransomware
DarkSide
2021-05-10 | SentinelOne | SentinelOne
@online{sentinelone:20210510:meet:e3c28b4, author = {SentinelOne}, title = {{Meet DarkSide and Their Ransomware – SentinelOne Customers Protected}}, date = {2021-05-10}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/meet-darkside-and-their-ransomware-sentinelone-customers-protected/}, language = {English}, urldate = {2021-05-13} } Meet DarkSide and Their Ransomware – SentinelOne Customers Protected
DarkSide
2021-05-08 | Reuters | Christopher Bing, Stephanie Kelly
@online{bing:20210508:cyber:0adb323, author = {Christopher Bing and Stephanie Kelly}, title = {{Cyber attack shuts down top U.S. fuel pipeline network}}, date = {2021-05-08}, organization = {Reuters}, url = {https://www.reuters.com/technology/colonial-pipeline-halts-all-pipeline-operations-after-cybersecurity-attack-2021-05-08/}, language = {English}, urldate = {2021-05-11} } Cyber attack shuts down top U.S. fuel pipeline network
DarkSide
2021-05-06 | Chuongdong blog | Chuong Dong
@online{dong:20210506:darkside:461faf9, author = {Chuong Dong}, title = {{Darkside Ransomware}}, date = {2021-05-06}, organization = {Chuongdong blog}, url = {https://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/}, language = {English}, urldate = {2021-05-13} } Darkside Ransomware
DarkSide
2021-05-06 | Chuongdong blog | Chuong Dong
@online{dong:20210506:darkside:adaa792, author = {Chuong Dong}, title = {{Darkside Ransomware}}, date = {2021-05-06}, organization = {Chuongdong blog}, url = {http://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/}, language = {English}, urldate = {2021-05-11} } Darkside Ransomware
DarkSide
2021-05-06 | Cyborg Security | Brandon Denker
@online{denker:20210506:ransomware:a1f31df, author = {Brandon Denker}, title = {{Ransomware: Hunting for Inhibiting System Backup or Recovery}}, date = {2021-05-06}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/}, language = {English}, urldate = {2021-05-08} } Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2021-05-01 | Twitter (@JAMESWT_MHT) | JamesWT
@online{jameswt:20210501:linux:150fb0f, author = {JamesWT}, title = {{Tweet on linux version of DarkSide ransomware}}, date = {2021-05-01}, organization = {Twitter (@JAMESWT_MHT)}, url = {https://twitter.com/JAMESWT_MHT/status/1388301138437578757}, language = {English}, urldate = {2021-05-13} } Tweet on linux version of DarkSide ransomware
DarkSide DarkSide
2021-04-28 | La Repubblica | Andrea Greco
@online{greco:20210428:un:2464b6b, author = {Andrea Greco}, title = {{Un sospetto attacco telematico blocca le filiali della Bcc di Roma}}, date = {2021-04-28}, organization = {La Repubblica}, url = {https://www.repubblica.it/economia/finanza/2021/04/28/news/un_sospetto_attacco_telematico_blocca_le_filiali_della_bcc_di_roma-298485827/}, language = {Italian}, urldate = {2021-05-03} } Un sospetto attacco telematico blocca le filiali della Bcc di Roma
DarkSide
2021-04-26 | CoveWare | CoveWare
@online{coveware:20210426:ransomware:12586d5, author = {CoveWare}, title = {{Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound}}, date = {2021-04-26}, organization = {CoveWare}, url = {https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound}, language = {English}, urldate = {2021-05-13} } Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt
2021-04-25 | Vulnerability.ch Blog | Corsin Camichel
@online{camichel:20210425:ransomware:1a1ee7f, author = {Corsin Camichel}, title = {{Ransomware and Data Leak Site Publication Time Analysis}}, date = {2021-04-25}, organization = {Vulnerability.ch Blog}, url = {https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/}, language = {English}, urldate = {2021-04-29} } Ransomware and Data Leak Site Publication Time Analysis
Avaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil
2021-04-22 | The Record | Catalin Cimpanu
@online{cimpanu:20210422:ransomware:1186cfb, author = {Catalin Cimpanu}, title = {{Ransomware gang wants to short the stock price of their victims}}, date = {2021-04-22}, organization = {The Record}, url = {https://therecord.media/ransomware-gang-wants-to-short-the-stock-price-of-their-victims/}, language = {English}, urldate = {2021-04-28} } Ransomware gang wants to short the stock price of their victims
DarkSide
2021-04-12 | DataBreaches.net | Dissent
@online{dissent:20210412:chat:fa8aec8, author = {Dissent}, title = {{A chat with DarkSide}}, date = {2021-04-12}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/a-chat-with-darkside/}, language = {English}, urldate = {2021-04-16} } A chat with DarkSide
DarkSide
2021-04-01 | Cybereason | Cybereason Nocturnus
@online{nocturnus:20210401:cybereason:9e1c43e, author = {Cybereason Nocturnus}, title = {{Cybereason vs. DarkSide Ransomware}}, date = {2021-04-01}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware}, language = {English}, urldate = {2021-05-11} } Cybereason vs. DarkSide Ransomware
DarkSide
2021-03-18 | Varonis | Snir Ben Shimol
@online{shimol:20210318:return:a27bb0b, author = {Snir Ben Shimol}, title = {{Return of the Darkside: Analysis of a Large-Scale Data Theft Campaign}}, date = {2021-03-18}, organization = {Varonis}, url = {https://www.varonis.com/blog/darkside-ransomware/}, language = {English}, urldate = {2021-03-19} } Return of the Darkside: Analysis of a Large-Scale Data Theft Campaign
DarkSide
2021-03-09 | Youtube (SANS Digital Forensics and Incident Response) | Eric Loui, Sergei Frankoff
@online{loui:20210309:jackpotting:1dcc95b, author = {Eric Loui and Sergei Frankoff}, title = {{Jackpotting ESXi Servers For Maximum Encryption | Eric Loui & Sergei Frankoff | SANS CTI Summit 2021}}, date = {2021-03-09}, organization = {Youtube (SANS Digital Forensics and Incident Response)}, url = {https://www.youtube.com/watch?v=qxPXxWMI2i4}, language = {English}, urldate = {2021-05-31} } Jackpotting ESXi Servers For Maximum Encryption | Eric Loui & Sergei Frankoff | SANS CTI Summit 2021
DarkSide RansomEXX DarkSide RansomEXX GOLD DUPONT
2021-02-26 | CrowdStrike | Eric Loui, Sergei Frankoff
@online{loui:20210226:hypervisor:8dadf9c, author = {Eric Loui and Sergei Frankoff}, title = {{Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact}}, date = {2021-02-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout}, language = {English}, urldate = {2021-05-26} } Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil
2021-02-23 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-01-25 | SOC Prime | Emanuele De Lucia
@online{lucia:20210125:affiliates:cd12c6f, author = {Emanuele De Lucia}, title = {{Affiliates vs Hunters: Fighting the DarkSide}}, date = {2021-01-25}, organization = {SOC Prime}, url = {https://socprime.com/blog/affiliates-vs-hunters-fighting-the-darkside/}, language = {English}, urldate = {2021-01-26} } Affiliates vs Hunters: Fighting the DarkSide
DarkSide
2021-01-11 | Bitdefender | Bitdefender Team
@online{team:20210111:darkside:96759f7, author = {Bitdefender Team}, title = {{Darkside Ransomware Decryption Tool}}, date = {2021-01-11}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2021/01/darkside-ransomware-decryption-tool/}, language = {English}, urldate = {2021-01-18} } Darkside Ransomware Decryption Tool
DarkSide
2021 | CrowdStrike | Eric Loui, Sergei Frankoff
@online{loui:2021:hypervisor:ade976a, author = {Eric Loui and Sergei Frankoff}, title = {{Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact}}, date = {2021}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/}, language = {English}, urldate = {2021-05-31} } Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX DarkSide RansomEXX GOLD DUPONT
2021 | Secureworks | SecureWorks
@online{secureworks:2021:threat:45f61e0, author = {SecureWorks}, title = {{Threat Profile: GOLD WATERFALL}}, date = {2021}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-waterfall}, language = {English}, urldate = {2021-05-31} } Threat Profile: GOLD WATERFALL
Cobalt Strike DarkSide GOLD WATERFALL
2020-12-16 | Accenture | Paul Mansfield
@online{mansfield:20201216:tracking:25540bd, author = {Paul Mansfield}, title = {{Tracking and combatting an evolving danger: Ransomware extortion}}, date = {2020-12-16}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion}, language = {English}, urldate = {2020-12-17} } Tracking and combatting an evolving danger: Ransomware extortion
DarkSide Egregor Maze Nefilim RagnarLocker REvil Ryuk SunCrypt
2020-12-03 | Medium GhouLSec | GhouLSec
@online{ghoulsec:20201203:mal:8f39c1a, author = {GhouLSec}, title = {{[Mal Series #13] Darkside Ransom}}, date = {2020-12-03}, organization = {Medium GhouLSec}, url = {https://ghoulsec.medium.com/mal-series-13-darkside-ransomware-c13d893c36a6}, language = {English}, urldate = {2021-01-26} } [Mal Series #13] Darkside Ransom
DarkSide
2020-11-13 | Bleeping Computer | Lawrence Abrams
@online{abrams:20201113:darkside:82cdb5f, author = {Lawrence Abrams}, title = {{DarkSide ransomware is creating a secure data leak service in Iran}}, date = {2020-11-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/darkside-ransomware-is-creating-a-secure-data-leak-service-in-iran/}, language = {English}, urldate = {2020-11-18} } DarkSide ransomware is creating a secure data leak service in Iran
DarkSide
2020-11-12 | databreachtoday | Mathew J. Schwartz
@online{schwartz:20201112:darkside:baeed17, author = {Mathew J. Schwartz}, title = {{Darkside Ransomware Gang Launches Affiliate Program}}, date = {2020-11-12}, organization = {databreachtoday}, url = {https://www.databreachtoday.com/blogs/darkside-ransomware-gang-launches-affiliate-program-p-2968}, language = {English}, urldate = {2020-11-18} } Darkside Ransomware Gang Launches Affiliate Program
DarkSide
2020-10-23 | Hornetsecurity | Hornetsecurity Security Lab
@online{lab:20201023:leakwareransomwarehybrid:ae1de8e, author = {Hornetsecurity Security Lab}, title = {{Leakware-Ransomware-Hybrid Attacks}}, date = {2020-10-23}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/}, language = {English}, urldate = {2020-12-08} } Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt
2020-10-05 | Zawadi Done | Zawadi Done
@online{done:20201005:darkside:d3005ca, author = {Zawadi Done}, title = {{DarkSide ransomware analysis}}, date = {2020-10-05}, organization = {Zawadi Done}, url = {https://zawadidone.nl/darkside-ransomware-analysis/}, language = {English}, urldate = {2022-02-17} } DarkSide ransomware analysis
DarkSide
2020-09-22 | Digital Shadows | Stefano De Blasi
@online{blasi:20200922:darkside:67c758a, author = {Stefano De Blasi}, title = {{DarkSide: The New Ransomware Group Behind Highly Targeted Attacks}}, date = {2020-09-22}, organization = {Digital Shadows}, url = {https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/}, language = {English}, urldate = {2020-11-17} } DarkSide: The New Ransomware Group Behind Highly Targeted Attacks
DarkSide
2020-08-25 | KELA | Victoria Kivilevich
@online{kivilevich:20200825:how:5db6a82, author = {Victoria Kivilevich}, title = {{How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing}}, date = {2020-08-25}, organization = {KELA}, url = {https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/}, language = {English}, urldate = {2021-05-07} } How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet
2020-08-10 | ID Ransomware | Andrew Ivanov
@online{ivanov:20200810:darkside:2c93936, author = {Andrew Ivanov}, title = {{DarkSide Ransomware}}, date = {2020-08-10}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/08/darkside-ransomware.html}, language = {English}, urldate = {2020-11-17} } DarkSide Ransomware
DarkSide
2020-08 | Acronis | Acronis Security
@online{security:202008:darkside:8913035, author = {Acronis Security}, title = {{DarkSide Ransomware Does Not Attack Hospitals, Schools and Governments}}, date = {2020-08}, organization = {Acronis}, url = {https://www.acronis.com/en-us/articles/darkside-ransomware/}, language = {English}, urldate = {2020-11-17} } DarkSide Ransomware Does Not Attack Hospitals, Schools and Governments
DarkSide
2020-05-28 | CrowdStrike | The Crowdstrike Intel Team
@online{team:20200528:darkside:d2622a9, author = {The Crowdstrike Intel Team}, title = {{DarkSide Pipeline Attack Shakes Up the Ransomware-as-a-Service Landscape}}, date = {2020-05-28}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack/}, language = {English}, urldate = {2021-06-09} } DarkSide Pipeline Attack Shakes Up the Ransomware-as-a-Service Landscape
DarkSide DarkSide
2020-05-18 | CrowdStrike | Karan Sood, Shaun Hurley, Liviu Arsene
@online{sood:20200518:darkside:a32cfcd, author = {Karan Sood and Shaun Hurley and Liviu Arsene}, title = {{DarkSide Goes Dark: How CrowdStrike Falcon Customers Were Protected}}, date = {2020-05-18}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/}, language = {English}, urldate = {2021-06-09} } DarkSide Goes Dark: How CrowdStrike Falcon Customers Were Protected
DarkSide DarkSide
Yara Rules
[TLP:WHITE] win_darkside_auto (20230715 | Detects win.darkside.)
rule win_darkside_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.darkside."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkside"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 85db 75ea 85d2 7407 }
            // n = 4, score = 1100
            //   85db                 | test                ebx, ebx
            //   75ea                 | jne                 0xffffffec
            //   85d2                 | test                edx, edx
            //   7407                 | je                  9

        $sequence_1 = { 8b4508 8b10 8b5804 8b7808 8b400c 89540e0c 89440e08 }
            // n = 7, score = 1100
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   8b5804               | mov                 ebx, dword ptr [eax + 4]
            //   8b7808               | mov                 edi, dword ptr [eax + 8]
            //   8b400c               | mov                 eax, dword ptr [eax + 0xc]
            //   89540e0c             | mov                 dword ptr [esi + ecx + 0xc], edx
            //   89440e08             | mov                 dword ptr [esi + ecx + 8], eax

        $sequence_2 = { e8???????? 81c7ff000000 4b 85db 75ea 85d2 }
            // n = 6, score = 1100
            //   e8????????           |                     
            //   81c7ff000000         | add                 edi, 0xff
            //   4b                   | dec                 ebx
            //   85db                 | test                ebx, ebx
            //   75ea                 | jne                 0xffffffec
            //   85d2                 | test                edx, edx

        $sequence_3 = { fec1 75d2 5f 5e 5a 59 5b }
            // n = 7, score = 1100
            //   fec1                 | inc                 cl
            //   75d2                 | jne                 0xffffffd4
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5a                   | pop                 edx
            //   59                   | pop                 ecx
            //   5b                   | pop                 ebx

        $sequence_4 = { fec1 75d2 5f 5e 5a 59 }
            // n = 6, score = 1100
            //   fec1                 | inc                 cl
            //   75d2                 | jne                 0xffffffd4
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5a                   | pop                 edx
            //   59                   | pop                 ecx

        $sequence_5 = { fec1 75da eb06 33db fec1 75d2 }
            // n = 6, score = 1100
            //   fec1                 | inc                 cl
            //   75da                 | jne                 0xffffffdc
            //   eb06                 | jmp                 8
            //   33db                 | xor                 ebx, ebx
            //   fec1                 | inc                 cl
            //   75d2                 | jne                 0xffffffd4

        $sequence_6 = { 8b7d08 8b450c b9ff000000 33d2 f7f1 }
            // n = 5, score = 1100
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   b9ff000000           | mov                 ecx, 0xff
            //   33d2                 | xor                 edx, edx
            //   f7f1                 | div                 ecx

        $sequence_7 = { b9f0000000 be???????? 8b4508 8b10 8b5804 8b7808 }
            // n = 6, score = 1100
            //   b9f0000000           | mov                 ecx, 0xf0
            //   be????????           |                     
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   8b5804               | mov                 ebx, dword ptr [eax + 4]
            //   8b7808               | mov                 edi, dword ptr [eax + 8]

        $sequence_8 = { 8bd8 68ff000000 57 e8???????? 81c7ff000000 4b 85db }
            // n = 7, score = 1100
            //   8bd8                 | mov                 ebx, eax
            //   68ff000000           | push                0xff
            //   57                   | push                edi
            //   e8????????           |                     
            //   81c7ff000000         | add                 edi, 0xff
            //   4b                   | dec                 ebx
            //   85db                 | test                ebx, ebx

        $sequence_9 = { 8bd8 68ff000000 57 e8???????? 81c7ff000000 }
            // n = 5, score = 1100
            //   8bd8                 | mov                 ebx, eax
            //   68ff000000           | push                0xff
            //   57                   | push                edi
            //   e8????????           |                     
            //   81c7ff000000         | add                 edi, 0xff

    condition:
        7 of them and filesize < 286720
}