{
	"id": "205b1ca9-2770-4149-a3ae-6a09c5c6d962",
	"created_at": "2026-04-06T00:06:39.467871Z",
	"updated_at": "2026-04-10T03:21:15.751889Z",
	"deleted_at": null,
	"sha1_hash": "2bd349354217b192470b9df76fd69cffaecf8f57",
	"title": "DarkSide Ransomware: Splunk Threat Update and Detections | Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8682011,
	"plain_text": "DarkSide Ransomware: Splunk Threat Update and Detections | Splunk\r\nBy Splunk Threat Research Team\r\nPublished: 2021-05-17 · Archived: 2026-04-05 17:20:59 UTC\r\nSplunk is committed to using inclusive and unbiased language. This blog post might contain terminology that we\r\nno longer use. For more information on our updated terminology and our stance on biased language, please visit\r\nour blog post. We appreciate your understanding as we work towards making our community more inclusive for\r\neveryone.\r\nA regional state of emergency has been declared. It is important to note that this pipeline supplies not only\r\nautomotive fuel but jet fuel as well, so air transportation is affected alongside land transportation. Another\r\npossible effect of this cyberattack is an increase in fuel prices all along the chain of affected goods and\r\nservices.\r\nhttps://twitter.com/GasBuddy/status/1392107671889850370\r\nReplicating the DarkSide Ransomware Attack\r\nThe Splunk Threat Research Team (STRT) has addressed this threat and produced an Analytic Story with several\r\ndetection searches directed at community-shared IOCs. STRT was able to replicate the execution of this payload\r\nvia the attack range. The following screens show the initial execution of this malicious payload.\r\nhttps://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html\r\nPage 1 of 16\n\nThe execution of this file, as with many other ransomware payloads, creates a note that explains to the victim what\r\nhappened, demands a ransom payment, and also threatens to publish sensitive information extracted during the\r\nattack, in what is known as double extortion.\r\nThe ransomware note also presents a personal leak page where partially exfiltrated information is shown and\r\npresents a web page to input a key to receive further instructions.\r\nThis ransomware payload also includes a log that shows current execution items, as the following screenshot\r\nshows.\r\nOne of the TOR URI addresses presented in the note appears to be targeted to the victim; we found that the site to\r\ninput the key was similar in different samples. The DarkSide group had a website on the dark web accessible via TOR\r\nor a TOR proxy. Several company logos were found on this site, along with what appears to be sensitive information\r\nmade public from their campaigns.\r\nFile Encryption:\r\nThis ransomware is capable of encrypting files on network shares and the local drives of the compromised host.\r\nEnumerates network shares\r\nEnumerates local and removable drives\r\nWhitelisted Folders, Files, and File Extensions\r\nThis ransomware payload has a configuration feature consisting of a list of folder names, files, and file extensions\r\nit skips during encryption.\r\nFolder names skipped during the encryption process\r\nFiles and file extensions skipped during the encryption process\r\nTerminating Processes and Services\r\nSimilar to other ransomware payloads, it also tries to kill processes or services that may cause access failures on the\r\nfiles targeted for encryption. Below is the decrypted list of strings related to the process names and service names\r\ntargeted for termination.\r\nProcess names list targeted for termination\r\nService names it terminates:\r\nPrivilege Escalation\r\nThis ransomware checks if its process instance is running under admin privileges; if not, it will try to elevate\r\nprivileges by using the cmstplua.dll COM object CLSID.\r\nAside from encrypting files, killing processes and services, and elevating privileges, it will also delete files in the\r\nrecycle bin, as seen in the following screenshot.\r\nIt also has a feature where it runs a hex-encoded PowerShell script to delete the shadow copies on the compromised\r\nmachine. Below is the screen capture of the decrypted PowerShell command.\r\nThe DarkSide ransomware also uses the machine GUID of the compromised host to generate a CRC32 checksum (4 rounds)\r\nthat is used as the file extension of the encrypted files.\r\nUsing the DarkSide Ransomware Analytic Story\r\nAs seen above in the replication of this threat via the attack range, we used a specific Sysmon configuration to get\r\nthe data needed to create these detections. The new Analytic Story “DarkSide Ransomware” is composed of the\r\nfollowing searches from current analytic stories and new detection searches:\r\nModified Ransomware Notes Bulk Creation\r\n`sysmon` EventCode=11 file_name IN (\"*\\.txt\",\"*\\.html\",\"*\\.hta\") |bin _time\r\n span=10s | stats min(_time) as firstTime max(_time) as lastTime dc(TargetFilename)\r\n as unique_readme_path_count values(TargetFilename) as list_of_readme_path by Computer\r\n Image file_name | where unique_readme_path_count \u003e= 15 | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nNew detections:\r\nDelete Shadow copy with Powershell (Detects deletion of shadow copy)\r\n`powershell` EventCode=4104 Message= \"*ShadowCopy*\" Message = \"*Delete*\"\r\n | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nCMLUA or CMSTPLUA UAC bypass (Detects privilege escalation)\r\n`sysmon` EventCode=7 ImageLoaded IN (\"*\\\\CMLUA.dll\", \"*\\\\CMSTPLUA.dll\", \"*\\\\CMLUAUTIL.dll\") NOT(process_name I\r\n NOT(Image IN(\"*\\\\windows\\\\*\", \"*\\\\program files*\"))\r\n | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name Computer EventC\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nDetect RClone Command-Line Usage\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime\r\n max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*copy*\", \"*mega*\", \"*pcl\r\nProcesses.process Processes.process_id Processes.parent_process_id\r\n | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`\r\nDetect Renamed RClone\r\n`sysmon` EventID=1 OriginalFileName=rclone.exe NOT process_name=rclone.exe | stats\r\n count min(_time) as firstTime max(_time) as lastTime by Computer, User, parent_process_name,\r\n process_name, OriginalFileName, process_path, CommandLine | rename Computer as dest\r\n | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`\r\nExtract SAM from Registry\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)\r\n as lastTime from datamodel=Endpoint.Processes where Processes.process_name=reg.exe (Processes.process=*save* O\r\n | `drop_dm_object_name(Processes)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nSLUI RunAs Elevated\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)\r\n as lastTime from datamodel=Endpoint.Processes where Processes.process_name=slui.exe\r\n (Processes.process=*-verb* Processes.process=*runas*) by Processes.dest\r\n Processes.user Processes.parent_process Processes.process_name Processes.process\r\n Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)`\r\n | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`\r\nSLUI Spawning a Process\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)\r\n as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=slui.exe\r\n (Processes.process_name!=*slui* OR Processes.process_name!=firefox.exe OR Processes.process_name!=chrome.exe O\r\n Processes.user Processes.parent_process Processes.process_name Processes.process\r\n Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)`\r\n | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`\r\nHashes:\r\nSample A:\r\nSha1: 03c1f7458f3983c03a0f8124a01891242c3cc5df\r\nSha256: 6931b124d38d52bd7cdef48121fda457d407b63b59bb4e6ead4ce548f4bbb971\r\nSample B:\r\nSha1: d1dfe82775c1d698dd7861d6dfa1352a74551d35\r\nSha256: 9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297\r\nAbout the Splunk Threat Research Team\r\nThe Splunk Threat Research Team will continue updating our detection content and addressing the threat of\r\nransomware payloads as these campaigns continue affecting different verticals, especially those involving critical\r\ninfrastructure. For our newest content, please download Splunk Security Essentials or the Splunk ES Content Update\r\napplication, or visit the Splunk Threat Research page.\r\nSource: https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html"
	],
	"report_names": [
		"darkside-ransomware-splunk-threat-update-and-detections.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775433999,
	"ts_updated_at": 1775791275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2bd349354217b192470b9df76fd69cffaecf8f57.pdf",
		"text": "https://archive.orkl.eu/2bd349354217b192470b9df76fd69cffaecf8f57.txt",
		"img": "https://archive.orkl.eu/2bd349354217b192470b9df76fd69cffaecf8f57.jpg"
	}
}