{
	"id": "47febed1-b006-4f7b-a401-4bfeac92e649",
	"created_at": "2026-04-06T00:09:32.519707Z",
	"updated_at": "2026-04-10T03:20:18.302243Z",
	"deleted_at": null,
	"sha1_hash": "4f48cb1a2a6a154570f2e5eadd2542a43a648015",
	"title": "The Ransomware Conundrum – A Look into DarkSide",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 377848,
	"plain_text": "The Ransomware Conundrum – A Look into DarkSide\r\nBy Bar Block, Threat Intelligence Researcher\r\nPublished: 2021-06-04 · Archived: 2026-04-05 14:56:19 UTC\r\nBy now most of you should be familiar with the Colonial Pipeline ransomware incident that shut down a mission-critical U.S. fuel pipeline. The breach and subsequent disruption of services took the company offline for days, and a $4.4M ransom was paid.\r\nRansomware has been gaining attention both in the U.S. and around the world, not only because of the severe business impact an attack can have on target companies, but also because these attacks are growing in frequency, scope, and scale.\r\nIn this post we provide context on the DarkSide attack.\r\nDarkSide Ransomware-as-a-Service (RaaS) Takes Center Stage\r\nDarkSide has been observed in more than 15 countries since it was first spotted in the wild in August 2020. DarkSide, sold by an operator using the nickname “Darksupp,” is part of a disturbing – and growing – trend called Ransomware-as-a-Service (RaaS), in which ransomware is sold on darknet sites. DarkSide itself was listed on the Russian-language darknet forums exploit.in and xss.is. RaaS has been gaining momentum for several years, with some of the most prolific ransomware families, including Satan, stemming from similar origins.\r\nIn this RaaS model, buyers, or “affiliates,” are given an interface from which they can customize their own DarkSide variant, manage victims, and write content for the DarkSide blog, where victim information and data are published and where affiliates can pressure victims for payment. 
In exchange, affiliates give the malware creators a cut of the ransom payment; the percentage varies with the size of the ransom demand.\r\nIn reported attack scenarios, threat actors, who could be affiliates or the DarkSide creators themselves, infiltrated an organization by various methods, including exploiting known vulnerabilities in the organization’s VPN and using legitimate user credentials. Once initial access is obtained, the DarkSide payload is downloaded and copied to different locations on local and network drives. Once the first victim host, patient zero, has been fully infected, the threat actors set off on their quest for the network’s holy grail: the Domain Controller (DC). If they reach it, the attackers collect more sensitive information and files. They may also dump the SAM registry hive to extract password hashes.\r\nWhen exfiltration is complete, the malware is deployed to the DC and across the associated network, and the attackers can use the DC later in the attack to infect other targets in the network. Finally, an execution mechanism, such as a Windows Scheduled Task, runs the ransomware payload, which is discussed at length later in this post.\r\nVictims are informed of the attack by a ransom note, which is typically placed on the desktop and in affected folders. If victim companies refuse to pay the ransom, their data remains encrypted and the attackers may make the stolen artifacts available for public access.\r\nBringing DarkSide into the Light – The Colonial Pipeline Attack and its Consequences\r\nOn May 7, 2021, the Colonial Pipeline Company was attacked by DarkSide. The pipeline the company operates (of the same name) carries 45 percent of the fuel used to supply the U.S. East Coast, so any disruption of this pipeline will invariably cause fuel and supply chain problems. 
The brunt of the attack fell on the company’s IT systems, but Colonial Pipeline chose to shut down its operational technology systems as well to head off any larger damage or disruption, a decision which created its own set of compounding challenges. That decision might not have been necessary had the company had a network isolation solution it could count on to keep the ransomware away from the operational systems. Not only did the shutdown threaten the supply of fuel and gasoline to the most populous region of the U.S., it also led to immediate gas shortages, long gas station lines, panic, and price hikes.\r\nOn the day of the attack, Colonial Pipeline Company, which is a private company, chose to pay the ransom, about $4.4 million USD in Bitcoin, despite the FBI’s advice against doing so (the logic being that large ransomware payments only incentivize more ransomware attacks and larger ransomware payouts).\r\nOn May 12, five days after the attack, the company successfully brought the pipeline back online, with normal activity resuming over the following days.\r\nBut the fallout from this attack will likely last much longer.\r\nGiven the high-profile nature of this attack, and the chain reaction it set off in gas supply, business operations, consumer confidence, and the larger, interconnected supply chain, ransomware has gained the attention of business executives and the U.S. government alike. In the days following the attack, DarkSide became an immediate target of U.S. President Biden, and the DarkSide website was shut down in short order. Fearing further repercussions and investigation, DarkSide and other ransomware groups, including Babuk, which had attacked the Washington D.C. 
police department in the same month, announced their dissolution later that week.\r\nAn Analysis of a DarkSide Sample\r\nThe DarkSide RaaS model provides affiliates with an infrastructure from which they can create their own ransomware builds and lead attacks at their own discretion. Using this console, affiliates decide how their variant will behave: choosing the encryption mode, deciding whether a language check is performed to determine if the victim is in a CIS country, enabling or disabling encryption of network drives and deletion of shadow copies, and more.\r\nUnless specified otherwise, the sample analyzed in this section has the SHA256 value 6931b124d38d52bd7cdef48121fda457d407b63b59bb4e6ead4ce548f4bbb971.\r\nWhen this DarkSide variant runs, it creates a file in the directory it runs from, named LOG.victim_extension.TXT, in which it logs its actions. The “victim_extension” is an 8-character pseudo-random string that DarkSide variants generate and use as the extension for encrypted files on infected machines. 
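As an added example (not the post's or Deep Instinct's code), the following Python shows how an incident responder can turn the naming scheme just described into a triage step: given a directory listing, it recovers the victim extension from the LOG.<ext>.TXT name (or, if the log is missing, from an 8-character suffix shared by several files), then scopes which files were encrypted and which other artifacts carry the same string. The listing is constructed, the extension value and the README file name are invented for the example, and limiting the extension to letters and digits is an assumption, since the post only says it is an 8-character pseudo-random string.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# The post describes the extension only as an 8-character pseudo-random string;
# restricting it to letters and digits is an assumption made here.
EXT_PATTERN = '[A-Za-z0-9]{8}'
LOG_NAME = re.compile('^LOG[.](' + EXT_PATTERN + ')[.]TXT$')
TRAILING_EXT = re.compile('[.](' + EXT_PATTERN + ')$')

# Constructed directory listing for a hit directory. The extension value and the
# ransom note file name are made up for the example; only the LOG.<ext>.TXT
# shape comes from the post.
SAMPLE_LISTING = [
    'LOG.a1b2c3d4.TXT',
    'README.a1b2c3d4.TXT',
    'budget.xlsx.a1b2c3d4',
    'Q2.docx.a1b2c3d4',
    'setup.exe',
    'thumbs.db',
]


def infer_extension(names: List[str]) -> Optional[str]:
    '''Recover the victim extension: prefer the LOG.<ext>.TXT artifact, else
    fall back to an 8-char trailing suffix shared by at least two files.'''
    for name in names:
        match = LOG_NAME.match(name)
        if match:
            return match.group(1)
    counts: Counter = Counter()
    for name in names:
        match = TRAILING_EXT.search(name)
        if match:
            counts[match.group(1)] += 1
    if counts:
        ext, seen = counts.most_common(1)[0]
        if seen >= 2:  # a single file with an 8-char suffix is not evidence
            return ext
    return None


def triage(names: List[str]) -> Dict[str, object]:
    '''Scope a directory listing: encrypted files, the log, and other
    artifacts (such as the ransom note) whose name carries the same string.'''
    ext = infer_extension(names)
    if ext is None:
        return {'extension': None, 'encrypted': [], 'log': [], 'notes': []}
    encrypted = [n for n in names if n.endswith('.' + ext)]
    log = [n for n in names if LOG_NAME.match(n)]
    notes = [n for n in names if '.' + ext + '.' in n and n not in log]
    return {'extension': ext, 'encrypted': encrypted, 'log': log, 'notes': notes}


if __name__ == '__main__':
    print(triage(SAMPLE_LISTING))
```

The fallback matters on hosts where the log was already cleaned up; requiring the suffix on at least two files keeps a lone backup file named with a date stamp from being mistaken for the extension.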
This string is also used in the names of the ransom note and log files.\r\nFigure 1: DarkSide's log file\r\nAs can be seen in the above image, before starting the encryption DarkSide took measures to ensure the encrypted files could not be restored from local backups: it uninstalled backup services, terminated certain processes that held handles on files it wished to encrypt, emptied the recycle bin, and, as the final nail in the coffin, deleted the shadow copies using the following PowerShell command (the hex literal is truncated in this archived copy):\r\npowershell -ep bypass -c \"(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C6574\r\n$s\"\r\nThe loop rebuilds the command two hex characters at a time, so the variable “s” contained the following: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}\r\nNext, DarkSide began encrypting all the files on the file system, except those that resided in certain directories, such as “Windows,” “ProgramData,” and “AppData,” that were of specified types, for example “exe,” “bat,” and “bin,” or that had one of a set of names to ignore, such as “thumbs.db” and “netuser.dat.”\r\nThe following ransom note was dropped in every directory the ransomware visited:\r\nFigure 2: DarkSide's ransom note\r\nAs previously mentioned, DarkSide’s website had been taken down, so the automatically generated URLs did not lead to any page and no data was actually exfiltrated. In any case, even if the servers had still been up, the 100GB of data the note claims was stolen could not have been: the file system used in the analysis did not contain that much data, and no attempts to connect to a remote server were observed during the analysis. 
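A defender's first question about the shadow-copy deletion shown above is how to catch it when the command is hidden behind a hex-assembly loop like this one. The following Python is an added example, not code from the post or from Deep Instinct: it peels the hex layer off a logged command line and then matches the decoded text against shadow-copy tampering indicators. The sample command line is constructed; its hex literal is the encoding of the 62-character command the post says $s contained, and the tail of the one-liner after the literal (which the archived copy truncates) is assumed to be a Substring taking two characters per iteration followed by iex of $s. The indicators beyond Win32_Shadowcopy are additions for the rule, not from the post.

```python
import re
from typing import Dict, List

# Constructed sample: a process-creation command line in the shape of the
# DarkSide one-liner above. The hex literal encodes the 62-character command
# the post says $s contained; the tail after the literal (Substring taking two
# characters per iteration, then iex of $s) is an assumption, since the
# archived copy truncates it. chr(34) stands in for a double-quote character.
DQ = chr(34)
SAMPLE_CMDLINE = (
    'powershell -ep bypass -c ' + DQ
    + '''(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D'.Substring(2*$_,2))};iex $s'''
    + DQ
)
BENIGN_CMDLINE = 'powershell -NoProfile -Command Get-Date'

# Strings that mark backup tampering once any hex layer is peeled off. The first
# is what the sample decodes to; the others are common equivalents added here
# so one rule covers them (they are not from the post).
SHADOW_INDICATORS = (
    'win32_shadowcopy',
    'vssadmin delete shadows',
    'wmic shadowcopy delete',
    'wbadmin delete catalog',
)

HEX_RUN = re.compile('[0-9A-Fa-f]{16,}')                    # 8+ bytes of contiguous hex
EP_BYPASS = re.compile('(?i)-e(p|xecutionpolicy) +bypass')  # -ep bypass / -ExecutionPolicy Bypass


def decode_hex_runs(cmdline: str) -> List[str]:
    '''Return every long hex run in cmdline that decodes to printable ASCII.
    Odd-length runs are not valid byte strings and are skipped.'''
    decoded = []
    for run in HEX_RUN.findall(cmdline):
        if len(run) % 2:
            continue
        text = bytes.fromhex(run).decode('latin-1')
        if all(32 <= ord(ch) < 127 for ch in text):
            decoded.append(text)
    return decoded


def analyze(cmdline: str) -> Dict[str, object]:
    '''Decode hex layers, then match indicators against raw and decoded text.'''
    decoded = decode_hex_runs(cmdline)
    haystack = (cmdline + ' ' + ' '.join(decoded)).lower()
    hits = [ind for ind in SHADOW_INDICATORS if ind in haystack]
    return {
        'decoded': decoded,
        'exec_policy_bypass': bool(EP_BYPASS.search(cmdline)),
        'shadow_copy_tampering': hits,
        'verdict': 'ALERT' if hits else 'ok',
    }


if __name__ == '__main__':
    for line in (SAMPLE_CMDLINE, BENIGN_CMDLINE):
        print(analyze(line))
```

Running a check like this over the command-line field of process-creation telemetry is cheaper than enumerating every way of spelling the same delete, and the decoded text is what an analyst wants in the alert, not the hex.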
The stolen-data figure in the note is evidently fixed, at least per variant (other analyzed samples mentioned different amounts of stolen data, such as 400GB), and cannot be relied on to estimate the amount of data actually stolen.\r\nDeep Instinct vs DarkSide\r\nDeep Instinct’s endpoint solution prevents execution of DarkSide variants both statically, via our deep learning brain, and dynamically, via our behavioral analysis mechanisms. As such, Deep Instinct offers the world’s most advanced prevention against all known and unknown ransomware attacks.\r\nFigure 3: static prevention event on DarkSide\r\nFigure 4: the PowerShell command used to delete shadow copies was identified as malicious and prevented.\r\nFigure 5: DarkSide was prevented due to identified ransomware behavior, before any file was encrypted.\r\nConclusion\r\nRaaS-based attacks are far from over. As the technology and expertise of lone hackers and larger syndicates grow in sophistication, we are likely to see more diverse and sinister ransomware attacks, and their target profile could move upstream, to global brands with larger purses from which to pay ransoms.\r\nBut there is a solution to ransomware – using Deep Instinct to predict and prevent ransomware, stopping it before it can impact your systems and operations. DarkSide has left a permanent mark on Colonial Pipeline Company and cost it dearly in revenue and reputation. 
Invest in your security posture and better prepare your network defense to prevent ransomware.\r\nIf you’d like to learn more about our industry-leading approach to stopping malware, backed by a $3M guarantee, please download our new eBook, Ransomware: Why Prevention is better than the Cure.\r\nSource: https://www.deepinstinct.com/2021/06/04/the-ransomware-conundrum-a-look-into-darkside/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.deepinstinct.com/2021/06/04/the-ransomware-conundrum-a-look-into-darkside/"
	],
	"report_names": [
		"the-ransomware-conundrum-a-look-into-darkside"
	],
	"threat_actors": [],
	"ts_created_at": 1775434172,
	"ts_updated_at": 1775791218,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4f48cb1a2a6a154570f2e5eadd2542a43a648015.pdf",
		"text": "https://archive.orkl.eu/4f48cb1a2a6a154570f2e5eadd2542a43a648015.txt",
		"img": "https://archive.orkl.eu/4f48cb1a2a6a154570f2e5eadd2542a43a648015.jpg"
	}
}