Ransomware Profile: DarkSide
#1
Bug 
Quote:
[Image: DARKSIDE.png]

DarkSide is a ransomware strain that primarily targets large organizations in the private sector. The group has been highly active since it emerged in August 2020 and has already claimed hundreds of victims, with ransom demands typically falling in the six- and seven-figure range. DarkSide operates with a thin veneer of professionalism and follows corporate-style processes similar to those found in legitimate enterprises. Since DarkSide was first observed, there have been 114 submissions to ID Ransomware, an online tool that helps the victims of ransomware identify which ransomware has encrypted their files. We estimate that only 25 percent of victims make a submission to ID Ransomware, which means there may have been a total of 456 DarkSide incidents since the ransomware’s inception. During this time, the group has also published on its leak site the stolen data of more than 80 organizations.

What is DarkSide?

DarkSide is a ransomware variant that encrypts files using SALSA20 and RSA-1024 encryption and demands a ransom typically ranging from $200,000 to $2,000,000 for their decryption. The group claims that their encryption methods are the fastest on the market, with versions of the ransomware available for both Windows and Linux environments. As with many other ransomware groups, DarkSide utilizes double extortion, whereby threat actors not only encrypt the target’s data, but also exfiltrate and threaten to release it if the ransom demand is not paid. 

DarkSide operates under the ransomware-as-a-service (RaaS) model, whereby affiliates receive a portion of ransom payments in exchange for dropping the malware onto victims’ networks. DarkSide affiliates earn 75 percent to 90 percent of the ransom payments they generate, with the remaining portion going to the DarkSide group.

DarkSide takes many of its operational cues from legitimate businesses. Much like a real company, the group issues press releases, provides real-time chat support, posts software updates and offers deals to attract new affiliates. The group also claims to enforce a code of conduct which prohibits affiliates from targeting certain sectors, performing actions that would cause damage to the reputation of DarkSide, and deploying a competitor’s ransomware in the same campaign.

Like other types of ransomware, DarkSide performs an automatic language check – unusually, using both GetSystemDefaultUILanguage and GetUserDefaultLangID – and will quit without encrypting data if one of the following languages is detected.
  • Russian
  • Ukrainian
  • Belarusian
  • Tajik
  • Armenian – Armenia
  • Azeri (Latin)
  • Georgian
  • Kazakh
  • Kyrgyz (Cyrillic)
  • Turkmen
  • Uzbek (Latin)
  • Tatar
  • Romanian – Moldova
  • Russian – Moldova
  • Azeri (Cyrillic)
  • Uzbek (Cyrillic)
  • Arabic – Syria
For additional technical details, see Chuong Dong’s analysis.

The history of DarkSide

DarkSide was created by a collective of cybercriminals who claim to have made millions of dollars working as affiliates of other ransomware operations. The group came together to create a new ransomware variant after failing to find the “perfect product” for their needs. DarkSide has been extremely active since it was first observed in August 2020, impacting hundreds of organizations across multiple verticals.

In October 2020, DarkSide announced that the group had donated $10,000 in bitcoin to two charities – Children International and The Water Project. In a blog post published on the dark web, the group wrote: “We think it’s fair that some of the money the companies have paid will go to charity. No matter how bad you think our work is, we are pleased to know that we helped change someone’s life.” As it’s illegal to receive funds obtained as a result of a crime, it’s likely that both donations were seized or returned. 

DarkSide ransom note

After encrypting the target system, DarkSide drops a customized ransom note titled “README.{userid}.TXT” in all infected directories. The note contains an overview of how much data was stolen, the type of data that was stolen, a link to where the stolen data will be leaked and instructions on how to communicate with DarkSide operators via a TOR browser. 

Decryptor performance

According to our performance tests, DarkSide’s decryption tool decrypts files at an average of 231.40MB per second. In comparison, Emsisoft’s universal decryptor tool decrypts DarkSide-encrypted files at an average of 608.70MB per second. For context, decrypting 1 TB of encrypted files would take about 72 minutes with DarkSide’s decryptor and approximately 27 minutes with Emsisoft’s decryption tool.

Emsisoft’s universal decryptor can be customized to decrypt almost any type of ransomware, provided that the decryption keys are supplied. The following table shows the performance of the Emsisoft universal decryptor compared with the decryption tools provided by the DarkSide, Defray and Ryuk ransomware groups.  
...
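The locale check described in the quoted article (GetSystemDefaultUILanguage and GetUserDefaultLangID, abort if either returns a listed language) is modelled here as an analyst would read it from a decompiled sample. This is an added example, not code from the Emsisoft article or from Chuong Dong's analysis; the LANGID constants are the standard Windows values for the languages listed, and treating the comparison as an exact LANGID match (so Romanian for Romania, 0x0418, is not excluded while Romanian for Moldova, 0x0818, is) is an assumption made for illustration.

```python
# Added example: model of DarkSide's two-API locale check for analysts.
# A Windows LANGID is a 16-bit value: the low 10 bits hold the primary
# language, the upper 6 bits the sublanguage (region or script variant).
# Exact-LANGID matching (not primary-language matching) is an assumption.

SUBLANG_SHIFT = 10
PRIMARY_MASK = 0x3FF

# Standard Windows LANGID constants for the article's exclusion list.
EXCLUDED_LANGIDS = {
    0x0419: "Russian",
    0x0422: "Ukrainian",
    0x0423: "Belarusian",
    0x0428: "Tajik",
    0x042B: "Armenian - Armenia",
    0x042C: "Azeri (Latin)",
    0x0437: "Georgian",
    0x043F: "Kazakh",
    0x0440: "Kyrgyz (Cyrillic)",
    0x0442: "Turkmen",
    0x0443: "Uzbek (Latin)",
    0x0444: "Tatar",
    0x0818: "Romanian - Moldova",
    0x0819: "Russian - Moldova",
    0x082C: "Azeri (Cyrillic)",
    0x0843: "Uzbek (Cyrillic)",
    0x2801: "Arabic - Syria",
}


def split_langid(langid):
    """Return (primary_language, sublanguage) decoded from a 16-bit LANGID."""
    return langid & PRIMARY_MASK, langid >> SUBLANG_SHIFT


def would_abort(system_ui_langid, user_langid):
    """Mirror the two-API check: the sample aborts if EITHER value matches.

    Returns the name of the matching excluded locale, or None if the
    sample would continue past the check.
    """
    for langid in (system_ui_langid, user_langid):
        name = EXCLUDED_LANGIDS.get(langid)
        if name is not None:
            return name
    return None


def excluded_variants_of(langid):
    """List excluded locales sharing this LANGID's primary language.

    Useful when triaging why a near-miss locale (same language, other
    region or script) does or does not trigger the abort path.
    """
    primary, _ = split_langid(langid)
    return sorted(name for lid, name in EXCLUDED_LANGIDS.items()
                  if split_langid(lid)[0] == primary)
```

Checking both values separately matters for triage: a machine whose system UI language is English but whose user locale is one of the listed LANGIDs still takes the abort path.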