DarkSide (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.darkside (Back to overview)

DarkSide

aka: BlackMatter

FireEye describes DARKSIDE as a ransomware written in C and configurable to target files whether on fixed, removable disks, or network shares. The malware can be customized by the affiliates to create a build for specific victims.

References

2022-09-22 ⋅ Broadcom ⋅ Symantec Threat Hunter Team
Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics
BlackCat BlackMatter DarkSide

2022-07-13 ⋅ GLIMPS ⋅ GLIMPS
Lockbit 3.0
BlackMatter DarkSide LockBit

2022-06-29 ⋅ Mandiant ⋅ Jared Wilson
Burrowing your way into VPNs, Proxies, and Tunnels
DarkSide SMOKEDHAM

2022-05-20 ⋅ AhnLab ⋅ ASEC
Why Remediation Alone Is Not Enough When Infected by Malware
Cobalt Strike DarkSide

2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT

2022-04-13 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team
Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware
BlackMatter Cobalt Strike DarkSide Ryuk Zloader

2022-03-23 ⋅ splunk ⋅ Shannon Davis
Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk

2022-03-17 ⋅ Sophos ⋅ Tilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker

2022-03-16 ⋅ Symantec ⋅ Symantec Threat Hunter Team
The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin

2022-02-23 ⋅ splunk ⋅ Shannon Davis, SURGe
An Empirically Comparative Analysis of Ransomware Binaries
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk

2022-02-21 ⋅ Brandefense ⋅ Brandefense
Darkside Ransomware Analysis Report
DarkSide

2022-01-25 ⋅ Nozomi Networks ⋅ Alexey Kleymenov
How to Analyze Malware for Technical Writing
DarkSide

2021-11-04 ⋅ CrowdStrike ⋅ Eric Loui, Josh Reynolds
CARBON SPIDER Embraces Big Game Hunting, Part 2
BlackMatter Griffon BlackMatter DarkSide HiddenTear JSSLoader

2021-11-03 ⋅ Group-IB ⋅ Andrey Zhdanov
The Darker Things BlackMatter and their victims
BlackMatter DarkSide BlackMatter DarkSide

2021-11-01 ⋅ FBI ⋅ FBI
PIN Number 20211101-001: Ransomware Actors Use Significant Financial Events and Stock Valuation to Facilitate Targeting and Extortion of Victims
DarkSide RansomEXX DarkSide PyXie RansomEXX

2021-10-22 ⋅ The Record ⋅ Catalin Cimpanu
DarkSide ransomware gang moves some of its Bitcoin after REvil got hit by law enforcement
BlackMatter DarkSide BlackMatter DarkSide

2021-10-22 ⋅ HUNT & HACKETT ⋅ Krijn de Mik
Advanced IP Scanner: the preferred scanner in the A(P)T toolbox
Conti DarkSide Dharma Egregor Hades REvil Ryuk

2021-10-22 ⋅ Twitter (@GelosSnake) ⋅ Omri Segev Moyal
Tweet on List of wallets used by Darkside/Blackmatter Operator to split out the money
BlackMatter DarkSide BlackMatter DarkSide

2021-10-22 ⋅ Elliptic ⋅ Elliptic Intel
DarkSide bitcoins on the move following government cyberattack against REvil ransomware group
BlackMatter DarkSide BlackMatter DarkSide

2021-10-22 ⋅ Bleeping Computer ⋅ Ionut Ilascu
DarkSide ransomware rushes to cash out $7 million in Bitcoin
BlackMatter DarkSide BlackMatter DarkSide

2021-10-14 ⋅ YouTube (Uriel Kosayev) ⋅ Uriel Kosayev
DarkSide Ransomware Reverse Engineering
BlackMatter DarkSide BlackMatter DarkSide

2021-10-12 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team
ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity
Babuk BlackMatter DarkSide REvil Avaddon Babuk BlackMatter DarkSide LockBit Mailto REvil

2021-10-05 ⋅ Trend Micro ⋅ Fyodor Yarochkin, Janus Agcaoili, Byron Gelera, Nikko Tamana
Ransomware as a Service: Enabler of Widespread Attacks
Cerber Conti DarkSide Gandcrab Locky Nefilim REvil Ryuk

2021-09-23 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
Threat Thursday: BlackMatter RaaS - Darker Than DarkSide?
BlackMatter DarkSide BlackMatter DarkSide

2021-09-14 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team
Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack
BlackMatter DarkSide REvil Avaddon BlackMatter Clop Conti CryptoLocker DarkSide DoppelPaymer Hades REvil

2021-09-02 ⋅ US Department of Health and Human Services ⋅ Health Sector Cybersecurity Coordination Center (HC3)
Demystifying BlackMatter
BlackMatter BlackMatter DarkSide

2021-08-30 ⋅ CrowdStrike ⋅ Eric Loui, Josh Reynolds
CARBON SPIDER Embraces Big Game Hunting, Part 1
Bateleur Griffon Carbanak DarkSide JSSLoader PILLOWMINT REvil

2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker

2021-08-06 ⋅ metabaseq ⋅ Miguel Gonzalez, Jesus Dominguez
Inside DarkSide, the ransomware that attacked Colonial Pipeline
DarkSide

2021-08-06 ⋅ Group-IB ⋅ Andrey Zhdanov
It's alive! The story behind the BlackMatter ransomware strain
BlackMatter DarkSide BlackMatter DarkSide

2021-08-05 ⋅ Symantec ⋅ Threat Hunter Team
Attacks Against Critical Infrastructure: A Global Concern
BlackEnergy DarkSide DistTrack Stuxnet

2021-08-05 ⋅ cyble ⋅ Cyble
BlackMatter Under the Lens: An Emerging Ransomware Group Looking for Affiliates
DarkSide

2021-08-05 ⋅ KrebsOnSecurity ⋅ Brian Krebs
Ransomware Gangs and the Name Game Distraction
DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze RansomEXX REvil Ryuk Sekhmet

2021-08-04 ⋅ Recorded Future ⋅ Insikt Group®
Protect Against BlackMatter Ransomware Before It’s Offered
BlackMatter DarkSide

2021-08-03 ⋅ Twitter (@sisoma2) ⋅ sisoma2
Python script for recovering the hashes hardcoded in different samples of the BlackMatter ransomware
DarkSide

2021-08-03 ⋅ Twitter (@sysopfb) ⋅ Jason Reaves
Tweet on python script to decode the blob from Blackmatter ransomware
DarkSide

2021-08-03 ⋅ Twitter (@ValthekOn) ⋅ Valthek
Tweet on blacklisted extensions & names of BlackMatter ransomware making the check against custom hashes values
DarkSide

2021-08-02 ⋅ The Record ⋅ Dmitry Smilyanets
An interview with BlackMatter: A new ransomware group that’s learning from the mistakes of DarkSide and REvil
DarkSide LockBit REvil

2021-08-01 ⋅ ID Ransomware ⋅ Andrew Ivanov
BlackMatter Ransomware
DarkSide

2021-07-31 ⋅ Bleeping Computer ⋅ Lawrence Abrams
DarkSide ransomware gang returns as new BlackMatter operation
DarkSide

2021-07-31 ⋅ Bleeping Computer ⋅ Lawrence Abrams
BlackMatter ransomware gang rises from the ashes of DarkSide, REvil
DarkSide REvil

2021-07-27 ⋅ Recorded Future ⋅ Insikt Group®
BlackMatter Ransomware Emerges As Successor to DarkSide, REvil
DarkSide LockBit REvil

2021-07-27 ⋅ ZAYOTEM ⋅ Halil Filik
DarkSide Ransomware Technical Analysis Report
DarkSide

2021-07-13 ⋅ Threat Post ⋅ Becky Bracken
Guess Fashion Brand Deals With Data Loss After Ransomware Attack
DarkSide

2021-07-08 ⋅ CISA ⋅ US-CERT
Malware Analysis Report (AR21-189A): DarkSide Ransomware
DarkSide

2021-07-03 ⋅ Bleeping Computer ⋅ Sergiu Gatlan
US chemical distributor shares info on DarkSide ransomware data theft
DarkSide

2021-06-22 ⋅ Maltego ⋅ Maltego Team, Intel 471
Chasing DarkSide Affiliates: Identifying Threat Actors Connected to Darkside Ransomware Using Maltego & Intel 471
DarkSide DarkSide

2021-06-14 ⋅ CYBER GEEKS All Things Infosec ⋅ CyberMasterV
A Step-by-Step Analysis of a New Version of DarkSide Ransomware
DarkSide

2021-06-13 ⋅ SecJuice ⋅ Secprentice
Blue Team Detection: DarkSide Ransomware
DarkSide

2021-06-10 ⋅ McAfee ⋅ ATR Operational Intelligence Team
Are Virtual Machines the New Gold for Cyber Criminals?
Babuk DarkSide

2021-06-04 ⋅ DeepInstinct ⋅ Bar Block
The Ransomware Conundrum – A Look into DarkSide
DarkSide

2021-06-03 ⋅ Medium s2wlab ⋅ Hyunmin Suh, Denise Dasom Kim, Jungyeon Lim, YH Jeong
W1 Jun | EN | Story of the week: Ransomware on the Darkweb
DarkSide Babuk DarkSide

2021-06-02 ⋅ CrowdStrike ⋅ Josh Dalman, Heather Smith
Under Attack: Protecting Against Conti, DarkSide, REvil and Other Ransomware
DarkSide Conti DarkSide REvil

2021-05-24 ⋅ MIT Technology Review ⋅ Daniel Golden, Renee Dudley
The Colonial pipeline ransomware hackers had a secret weapon: self-promoting cybersecurity firms
DarkSide DarkSide

2021-05-21 ⋅ 360 Total Security ⋅ kate
DarkSide’s Targeted Ransomware Analysis Report for Critical U.S. Infrastructure
DarkSide

2021-05-21 ⋅ Bleeping Computer ⋅ Ionut Ilascu
DarkSide affiliates claim gang's bitcoins in deposit on hacker forum
DarkSide

2021-05-20 ⋅ Digital Shadows ⋅ Stefano De Blasi
Ransomware-as-a-Service, Rogue Affiliates, and What’s Next
DarkSide DarkSide REvil

2021-05-20 ⋅ RiskIQ ⋅ Jennifer Grob
Analysis of Infrastructure used by DarkSide Affiliates
DarkSide

2021-05-19 ⋅ Nozomi Networks ⋅ Alexey Kleymenov
Colonial Pipeline Ransomware Attack: Revealing How DarkSide Works
DarkSide

2021-05-19 ⋅ The Wall Street Journal ⋅ Collin Eaton
Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million Ransom
DarkSide DarkSide

2021-05-18 ⋅ Elliptic ⋅ Tom Robinson
DarkSide Ransomware has Netted Over $90 million in Bitcoin
DarkSide DarkSide

2021-05-18 ⋅ Bleeping Computer ⋅ Ionut Ilascu
DarkSide ransomware made $90 million in just nine months
DarkSide DarkSide Egregor Gandcrab Mailto Maze REvil Ryuk

2021-05-18 ⋅ The Record ⋅ Catalin Cimpanu
Darkside gang estimated to have made over $90 million from ransomware attacks
DarkSide DarkSide Mailto Maze REvil Ryuk

2021-05-18 ⋅ KEYSIGHT TECHNOLOGIES ⋅ Radu Emanuel Chiscariu
DarkSide Ransomware Behavior and Techniques
DarkSide

2021-05-17 ⋅ splunk ⋅ Splunk Threat Research Team
DarkSide Ransomware: Splunk Threat Update and Detections
DarkSide

2021-05-17 ⋅ Gigamon ⋅ Joe Slowik
Tracking DarkSide and Ransomware: The Network View
DarkSide DarkSide

2021-05-17 ⋅ Fortinet ⋅ Fred Gutierrez, Gayathri Thirugnanasambandam, Val Saengphaibul
Newly Discovered Function in DarkSide Ransomware Variant Targets Disk Partitions
DarkSide

2021-05-14 ⋅ Intel 471 ⋅ Intel 471
The moral underground? Ransomware operators retreat after Colonial Pipeline hack
DarkSide DarkSide

2021-05-14 ⋅ Blue Team Blog ⋅ Auth 0r
DarkSide Ransomware Operations – Preventions and Detections.
Cobalt Strike DarkSide

2021-05-14 ⋅ Advanced Intelligence ⋅ Vitali Kremez
From Dawn to "Silent Night": "DarkSide Ransomware" Initial Attack Vector Evolution
DarkSide

2021-05-14 ⋅ Elliptic ⋅ Dr. Tom Robinson
Elliptic Follows the Bitcoin Ransoms Paid by Colonial Pipeline and Other DarkSide Ransomware Victims
DarkSide DarkSide

2021-05-14 ⋅ Bleeping Computer ⋅ Lawrence Abrams
DarkSide ransomware servers reportedly seized, REvil restricts targets
DarkSide DarkSide

2021-05-13 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Popular Russian hacking forum XSS bans all ransomware topics
DarkSide DarkSide LockBit REvil

2021-05-13 ⋅ Bloomberg ⋅ William Turton, Michael Riley, Jennifer Jacobs
Colonial Pipeline Paid Hackers Nearly $5 Million in Ransom
DarkSide

2021-05-13 ⋅ The Record ⋅ Catalin Cimpanu
Popular hacking forum bans ransomware ads
DarkSide DarkSide

2021-05-13 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Chemical distributor pays $4.4 million to DarkSide ransomware
DarkSide DarkSide

2021-05-12 ⋅ Palo Alto Networks Unit 42 ⋅ Ramarcus Baylor
DarkSide Ransomware Gang: An Overview
DarkSide

2021-05-12 ⋅ SecurityScorecard ⋅ Ryan Sherstobitoff
New Evidence Supports Assessment that DarkSide Likely Responsible for Colonial Pipeline Ransomware Attack; Others Targeted
DarkSide DarkSide

2021-05-12 ⋅ Trend Micro ⋅ Trend Micro Research
What We Know About Darkside Ransomware and the US Pipeline Attack
DarkSide

2021-05-12 ⋅ Zero Day ⋅ Kim Zetter
Anatomy of a $2 Million Darkside Ransomware Breach
DarkSide

2021-05-11 ⋅ Dragos ⋅ Mike Hoffman, Tom Winston
Recommendations Following the Colonial Pipeline Cyber Attack
DarkSide

2021-05-11 ⋅ CISA ⋅ US-CERT
Alert (AA21-131A) DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks
DarkSide

2021-05-11 ⋅ Sophos ⋅ Sean Gallagher, Mark Loman, Peter Mackenzie, Yusuf Arslan Polat, Gabor Szappanos, Suriya Natarajan, Szabolcs Lévai, Ferenc László Nagy
A defender’s view inside a DarkSide ransomware attack
DarkSide

2021-05-11 ⋅ FireEye ⋅ Jordan Nuce, Jeremy Kennelly, Kimberly Goody, Andrew Moore, Alyssa Rahman, Brendan McKeague, Jared Wilson
Shining a Light on DARKSIDE Ransomware Operations
Cobalt Strike DarkSide

2021-05-11 ⋅ Flashpoint ⋅ Flashpoint
DarkSide Ransomware Links to REvil Group Difficult to Dismiss
DarkSide REvil

2021-05-11 ⋅ KrebsOnSecurity ⋅ Brian Krebs
A Closer Look at the DarkSide Ransomware Gang
DarkSide

2021-05-11 ⋅ splunk ⋅ James Brodsky
The DarkSide of the Ransomware Pipeline
DarkSide

2021-05-10 ⋅ SecurityIntelligence ⋅ Limor Kessem
Shedding Light on the DarkSide Ransomware Attack
DarkSide

2021-05-10 ⋅ Anheng Threat Intelligence Center ⋅ Hunting Shadow Lab
Analysis of U.S. Oil Products Pipeline Operators Suspended by Ransomware Attacks
DarkSide

2021-05-10 ⋅ DarkTracer ⋅ DarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX

2021-05-10 ⋅ Intel 471 ⋅ Intel 471
Here’s what we know about DarkSide ransomware
DarkSide

2021-05-10 ⋅ SentinelOne ⋅ SentinelOne
Meet DarkSide and Their Ransomware – SentinelOne Customers Protected
DarkSide

2021-05-08 ⋅ Reuters ⋅ Christopher Bing, Stephanie Kelly
Cyber attack shuts down top U.S. fuel pipeline network
DarkSide

2021-05-06 ⋅ Chuongdong blog ⋅ Chuong Dong
Darkside Ransomware
DarkSide

2021-05-06 ⋅ Cyborg Security ⋅ Brandon Denker
Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX

2021-05-01 ⋅ Twitter (@JAMESWT_MHT) ⋅ JamesWT
Tweet on linux version of DarkSide ransomware
DarkSide DarkSide

2021-04-28 ⋅ La Repubblica ⋅ Andrea Greco
Un sospetto attacco telematico blocca le filiali della Bcc di Roma
DarkSide

2021-04-26 ⋅ CoveWare ⋅ CoveWare
Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt

2021-04-25 ⋅ Vulnerability.ch Blog ⋅ Corsin Camichel
Ransomware and Data Leak Site Publication Time Analysis
Avaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil

2021-04-22 ⋅ The Record ⋅ Catalin Cimpanu
Ransomware gang wants to short the stock price of their victims
DarkSide

2021-04-12 ⋅ DataBreaches.net ⋅ Dissent
A chat with DarkSide
DarkSide

2021-04-01 ⋅ Cybereason ⋅ Cybereason Nocturnus
Cybereason vs. DarkSide Ransomware
DarkSide

2021-03-18 ⋅ Varonis ⋅ Snir Ben Shimol
Return of the Darkside: Analysis of a Large-Scale Data Theft Campaign
DarkSide

2021-03-09 ⋅ Youtube (SANS Digital Forensics and Incident Response) ⋅ Eric Loui, Sergei Frankoff
Jackpotting ESXi Servers For Maximum Encryption | Eric Loui & Sergei Frankoff | SANS CTI Summit 2021
DarkSide RansomEXX DarkSide RansomEXX GOLD DUPONT

2021-02-26 ⋅ CrowdStrike ⋅ Eric Loui, Sergei Frankoff
Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil

2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER

2021-01-25 ⋅ SOC Prime ⋅ Emanuele De Lucia
Affiliates vs Hunters: Fighting the DarkSide
DarkSide

2021-01-11 ⋅ Bitdefender ⋅ Bitdefender Team
Darkside Ransomware Decryption Tool
DarkSide

2021 ⋅ CrowdStrike ⋅ Eric Loui, Sergei Frankoff
Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX DarkSide RansomEXX GOLD DUPONT

2021 ⋅ Secureworks ⋅ SecureWorks
Threat Profile: GOLD WATERFALL
Cobalt Strike DarkSide GOLD WATERFALL

2020-12-16 ⋅ Accenture ⋅ Paul Mansfield
Tracking and combatting an evolving danger: Ransomware extortion
DarkSide Egregor Maze Nefilim RagnarLocker REvil Ryuk SunCrypt

2020-12-03 ⋅ Medium GhouLSec ⋅ GhouLSec
[Mal Series #13] Darkside Ransom
DarkSide

2020-11-13 ⋅ Bleeping Computer ⋅ Lawrence Abrams
DarkSide ransomware is creating a secure data leak service in Iran
DarkSide

2020-11-12 ⋅ databreachtoday ⋅ Mathew J. Schwartz
Darkside Ransomware Gang Launches Affiliate Program
DarkSide

2020-10-23 ⋅ Hornetsecurity ⋅ Hornetsecurity Security Lab
Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt

2020-10-05 ⋅ Zawadi Done ⋅ Zawadi Done
DarkSide ransomware analysis
DarkSide

2020-09-22 ⋅ Digital Shadows ⋅ Stefano De Blasi
DarkSide: The New Ransomware Group Behind Highly Targeted Attacks
DarkSide

2020-08-25 ⋅ KELA ⋅ Victoria Kivilevich
How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet

2020-08-10 ⋅ ID Ransomware ⋅ Andrew Ivanov
DarkSide Ransomware
DarkSide

2020-08 ⋅ Acronis ⋅ Acronis Security
DarkSide Ransomware Does Not Attack Hospitals, Schools and Governments
DarkSide

2020-05-28 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team
DarkSide Pipeline Attack Shakes Up the Ransomware-as-a-Service Landscape
DarkSide DarkSide

2020-05-18 ⋅ CrowdStrike ⋅ Karan Sood, Shaun Hurley, Liviu Arsene
DarkSide Goes Dark: How CrowdStrike Falcon Customers Were Protected
DarkSide DarkSide

Yara Rules

[TLP:WHITE] win_darkside_auto (20230125 | Detects win.darkside.)

rule win_darkside_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.darkside."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkside"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 81c7ff000000 4b 85db 75ea 85d2 }
            // n = 6, score = 1100
            //   e8????????           |                     
            //   81c7ff000000         | add                 edi, 0xff
            //   4b                   | dec                 ebx
            //   85db                 | test                ebx, ebx
            //   75ea                 | jne                 0xffffffec
            //   85d2                 | test                edx, edx

        $sequence_1 = { 8b4508 8b10 8b5804 8b7808 8b400c }
            // n = 5, score = 1100
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   8b5804               | mov                 ebx, dword ptr [eax + 4]
            //   8b7808               | mov                 edi, dword ptr [eax + 8]
            //   8b400c               | mov                 eax, dword ptr [eax + 0xc]

        $sequence_2 = { 89540e0c 89440e08 895c0e04 893c0e 81ea10101010 2d10101010 }
            // n = 6, score = 1100
            //   89540e0c             | mov                 dword ptr [esi + ecx + 0xc], edx
            //   89440e08             | mov                 dword ptr [esi + ecx + 8], eax
            //   895c0e04             | mov                 dword ptr [esi + ecx + 4], ebx
            //   893c0e               | mov                 dword ptr [esi + ecx], edi
            //   81ea10101010         | sub                 edx, 0x10101010
            //   2d10101010           | sub                 eax, 0x10101010

        $sequence_3 = { 8b7d08 8b450c b9ff000000 33d2 f7f1 85c0 7418 }
            // n = 7, score = 1100
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   b9ff000000           | mov                 ecx, 0xff
            //   33d2                 | xor                 edx, edx
            //   f7f1                 | div                 ecx
            //   85c0                 | test                eax, eax
            //   7418                 | je                  0x1a

        $sequence_4 = { be???????? 8b4508 8b10 8b5804 8b7808 8b400c }
            // n = 6, score = 1100
            //   be????????           |                     
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   8b5804               | mov                 ebx, dword ptr [eax + 4]
            //   8b7808               | mov                 edi, dword ptr [eax + 8]
            //   8b400c               | mov                 eax, dword ptr [eax + 0xc]

        $sequence_5 = { 4b 85db 75ea 85d2 7407 }
            // n = 5, score = 1100
            //   4b                   | dec                 ebx
            //   85db                 | test                ebx, ebx
            //   75ea                 | jne                 0xffffffec
            //   85d2                 | test                edx, edx
            //   7407                 | je                  9

        $sequence_6 = { 7306 fec1 75da eb06 33db fec1 75d2 }
            // n = 7, score = 1100
            //   7306                 | jae                 8
            //   fec1                 | inc                 cl
            //   75da                 | jne                 0xffffffdc
            //   eb06                 | jmp                 8
            //   33db                 | xor                 ebx, ebx
            //   fec1                 | inc                 cl
            //   75d2                 | jne                 0xffffffd4

        $sequence_7 = { 81ef10101010 83e910 79d5 33d2 33c9 8b750c 33db }
            // n = 7, score = 1100
            //   81ef10101010         | sub                 edi, 0x10101010
            //   83e910               | sub                 ecx, 0x10
            //   79d5                 | jns                 0xffffffd7
            //   33d2                 | xor                 edx, edx
            //   33c9                 | xor                 ecx, ecx
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   33db                 | xor                 ebx, ebx

        $sequence_8 = { 33db fec1 75d2 5f 5e 5a }
            // n = 6, score = 1100
            //   33db                 | xor                 ebx, ebx
            //   fec1                 | inc                 cl
            //   75d2                 | jne                 0xffffffd4
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5a                   | pop                 edx

        $sequence_9 = { 59 5b 5d c20c00 }
            // n = 4, score = 1100
            //   59                   | pop                 ecx
            //   5b                   | pop                 ebx
            //   5d                   | pop                 ebp
            //   c20c00               | ret                 0xc

    condition:
        7 of them and filesize < 286720
}

Download all Yara Rules

DarkSide Propose Change

References

Yara Rules

DarkSide