{
	"id": "c99d031b-5148-4663-8779-5671469c2c44",
	"created_at": "2026-04-06T01:30:53.855006Z",
	"updated_at": "2026-04-10T03:20:56.945947Z",
	"deleted_at": null,
	"sha1_hash": "5589a10f3df0674cfc918bb8bf358c4854c5f891",
	"title": "Colonial Pipeline Ransomware Attack: Revealing How DarkSide Works",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4252705,
	"plain_text": "Colonial Pipeline Ransomware Attack: Revealing How DarkSide Works\r\nBy Nozomi Networks\r\nPublished: 2025-03-26 · Archived: 2026-04-06 01:22:33 UTC\r\nThroughout the last two weeks, the entire cybersecurity community has been riveted by the Colonial Pipeline ransomware attack. It is one of the most notable attacks on critical infrastructure of the past few years and has directly and indirectly impacted multiple industries in the U.S. economy. Thankfully, operations are up and running after an approximately week-long outage and a reported payment of a $5 million ransom. [1]\r\nDarkSide, the Ransomware as a Service (RaaS) deployed against Colonial Pipeline, is a good example of similar malware attacking organizations around the globe. Carefully prepared and deployed, it uses a combination of techniques to successfully extort its victims.\r\nNozomi Networks Labs has studied the internals of the DarkSide executable and today we’re sharing our findings to reveal the techniques used by its machine code in three areas: the selection of victims and files, ensuring anonymity and anti-detection, and preventing data restoration. We also provide IoCs and a decryption script to help you detect DarkSide.\r\nIt’s important to remember that the sum of DarkSide’s code translates to devastating consequences in the physical world. We encourage you to understand DarkSide’s techniques to help you assess both your own defenses and your incident response capabilities.\r\nDarkSide Ransomware: Technical Analysis\r\nVictim Validation\r\nThe malware first collects basic information about its victim’s computer systems to learn the details of the technical environment.\r\nThe malware obtains the affected computer’s name.\r\nhttps://www.nozominetworks.com/blog/colonial-pipeline-ransomware-attack-revealing-how-darkside-works/\r\nPage 1 of 12\r\nDarkSide collects the victim’s basic system information.\r\nIn addition, it skips victims from certain geographical regions by checking the language used by their systems. (Notably, DarkSide does not attack systems that use Russian or other Eastern European languages. [2])\r\nThe ransomware checks if the system language is the one used in CIS countries.\r\nSelection of Files for Encryption\r\nNext, DarkSide determines what files to encrypt. If malware attempts to encrypt all the files available on the system, it quickly makes the system unusable – and leaves the victim without information on how to contact the attackers. In addition, it takes significantly more time to do the encryption than is needed for the purposes of executing the attack. DarkSide is particularly selective about what files it encrypts, selecting them mainly by examining their file directories, file names and file extensions.\r\nThe list of directories, file names and file extensions skipped during the encryption.\r\nAnonymity\r\nTo remain anonymous and prevent prompt shutdown, websites for contacting ransomware threat actors are hosted in the Tor network.\r\nA section of DarkSide’s instructions describing how to access the Tor-based website.\r\nAnti-Detection Techniques\r\nTo stay under the radar until the victim’s systems are impacted, DarkSide incorporates various commonly used techniques.\r\nSelf-Encryption\r\nMost of DarkSide’s critical strings are encrypted to avoid triggering detection.\r\nThe XOR-based decryption algorithm.\r\nFor the same reason, the malware’s main configuration is also encrypted. It is compressed with aPLib, with individual configuration values encoded with a Base64 algorithm.\r\nDecryption and decompression of the configuration block.\r\nBase64-encoded configuration values in the malware.\r\nDynamic API Resolution\r\nWinAPIs are the standard way programs interact with the Windows operating system to access certain functionality, including file and network operations. Therefore, use of these interfaces quickly reveals the actual purpose of the malware to security systems. To prevent detection, DarkSide does not immediately have all the APIs it uses available in the import table, as legitimate executables do. Instead, it resolves them dynamically before using them, some by hashed names and some by encrypted names.\r\nThe dynamic WinAPI resolution used by DarkSide.\r\nPreventing Data Restoration\r\nIf system administrators could quickly and easily restore the affected data without paying money to criminals, ransomware attacks would not succeed. The authors of DarkSide incorporate multiple techniques to ensure the ransom is paid.\r\nDealing with Backups\r\nRansomware makes sure that standard backup solutions are unusable on the targeted machines. Windows has a feature called Shadow Copy aimed at dealing with such situations. It allows the creation of backup copies of computer files so they can be restored when needed. The main limitation of this approach is that the backup files are stored on the same system as the original files. If malware compromises the system, the backup files are readily deleted.\r\nThe commands used to get a list of Shadow Copy backups.\r\nIn addition, the malware can search for backups by name:\r\nThe ransomware’s search for and deletion of backups.\r\nFinally, DarkSide attempts to disable various backup solutions, searching for them by name.\r\nThe list of services to terminate from the embedded configuration.\r\nThe process DarkSide uses to stop and delete backup-related services.\r\nCorrect Use of Symmetric and Asymmetric Encryption\r\nMany first-generation ransomware families lacked proper encryption, which made it possible for victims to recover files on their systems for free. Unfortunately, those days are long gone, and modern malware families do not repeat this mistake.\r\nThe main difference now is that symmetric encryption has been enhanced with focused use of asymmetric encryption. The former uses the same secret key for both encrypting and decrypting the data, so intercepting that key is enough to restore access to the data.\r\nOn the other hand, asymmetric encryption uses a notion of private and public keys. While the encryption is done using a public key, the decryption is impossible without the private key. DarkSide malware implements this functionality properly by only embedding the public key in the malware and keeping the private key confidential.\r\nThe main disadvantage of asymmetric encryption over symmetric is the encryption speed. To get the best of both worlds, the authors of DarkSide encrypt victims’ files using a symmetric encryption algorithm (Salsa20 with a custom matrix) and then encrypt the corresponding symmetric keys with their asymmetric public key (RSA-1024).\r\nThe symmetric Salsa20 encryption algorithm with a custom matrix.\r\nDarkSide Demonstrates Modern Ransomware Techniques\r\nDarkSide is just one example of a modern ransomware family that combines multiple time-tested techniques to achieve its goal. It also highlights the effectiveness of the RaaS model, which is gaining in popularity. With this model, multiple parties are involved in each attack, with a division of effort that plays to the strengths of each party.\r\nWith RaaS, experienced malware writers focus on the development of the core ransomware code, leaving deployment to affiliates who specialize in gaining access to the networks of targeted organizations. In the case of DarkSide, it is estimated that their more than 40 victims have paid $90 million in total bitcoin, with $15.5 million going to the development group and $74.7 million going to its affiliates. [3]\r\nWe hope that this technical analysis of DarkSide helps you better understand ransomware techniques and evaluate your own defenses and incident response capabilities. And, to help you detect DarkSide, IoCs and a script for decrypting embedded strings are provided at the end of this article.\r\nIt goes without saying that using network monitoring tools that help you detect unusual behavior and activity early in the malware kill chain gives you the best chance to contain ransomware before the final payload is executed. Such tools also provide actionable forensic information, as well as logs and pcaps, to assist with a timely response.\r\nReferences:\r\n1. “Colonial Pipeline Paid $5 Million Ransom to Hackers,” CNBC, May 13, 2021.\r\n2. “Colonial pipeline hack claimed by Russian group DarkSide spurs emergency order from White House,” NBC News, May 10, 2021.\r\n3. “DarkSide Ransomware has Netted Over $90 million in Bitcoin,” Elliptic, May 18, 2021.\r\nIOCs\r\n0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9\r\nbaroquetees[.]com\r\nrumahsia[.]com\r\nScript\r\nHere is an IDAPython script to decrypt embedded strings; it requires the cursor to be positioned at the decryption routine:\r\n# Author: Nozomi Networks Labs\r\nimport idautils\r\nimport idaapi\r\nimport idc\r\nimport struct\r\n\r\ndef is_utf16_heur(string):\r\n  # Heuristic: a high share of NUL bytes suggests a UTF-16LE string\r\n  counter = 0\r\n  for val in string:\r\n    if val == '\\x00':\r\n      counter += 1\r\n  if counter/float(len(string)) \u003e 0.4:\r\n    return True\r\n  return False\r\n\r\ndef chunks(lst, n):\r\n  for i in range(0, len(lst), n):\r\n    yield lst[i:i + n]\r\n\r\ndef decrypt_block(enc_string, key_matrix):\r\n  # The key matrix is reset for every 255-byte block of the encrypted string\r\n  dec_string = []\r\n  for enc_block in chunks(list(enc_string), 255):\r\n    temp_key_matrix = key_matrix.copy()\r\n    bl = 0\r\n    for i in range(len(enc_block)):\r\n      bl = (bl + temp_key_matrix[i+1]) \u0026 0xFF\r\n      al = temp_key_matrix[i+1]\r\n      ch = temp_key_matrix[bl]\r\n      temp_key_matrix[bl] = al\r\n      temp_key_matrix[i+1] = ch\r\n      al = (al + ch) \u0026 0xFF\r\n      al = temp_key_matrix[al]\r\n      enc_block[i] = enc_block[i] ^ al\r\n    dec_string += enc_block\r\n  dec_string = ''.join(map(lambda x: chr(x), dec_string))\r\n  return dec_string\r\n\r\ndef guess_encoding(dec_string):\r\n  # Decide whether the decrypted bytes are UTF-16LE or single-byte text and set the IDA string type accordingly\r\n  utf16_flag = False\r\n  if is_utf16_heur(dec_string):\r\n    try:\r\n      dec_string_print = dec_string.encode('latin-1').decode('utf-16le')\r\n      idc.set_inf_attr(INF_STRTYPE, STRTYPE_C_16)\r\n      utf16_flag = True\r\n    except Exception as e:\r\n      pass\r\n  if not utf16_flag:\r\n    dec_string_print = dec_string\r\n    idc.set_inf_attr(INF_STRTYPE, STRTYPE_C)\r\n  # dec_string_print = dec_string_print.replace('\\r','\\\\r').replace('\\n', '\\\\n')\r\n  return dec_string_print\r\n\r\ndef decrypt_all(enc_func, key_matrix):\r\n  # Walk every call to the decryption routine: the preceding push holds the encrypted string address,\r\n  # and the 4 bytes before the string hold its length\r\n  for ref in idautils.CodeRefsTo(enc_func, True):\r\n    arg_addr = idc.prev_head(ref)\r\n    if idc.print_insn_mnem(arg_addr) == 'push':\r\n      enc_string_addr = idc.get_operand_value(arg_addr, 0)\r\n      if enc_string_addr == 0:\r\n        print('Warning: wrong address of the encrypted string at %x: %x' % (arg_addr, enc_string_addr))\r\n        continue\r\n      enc_string_size = struct.unpack('\u003cI', idc.get_bytes(enc_string_addr-4, 4))[0]\r\n      if enc_string_size \u003c 0xFFFF:\r\n        enc_string = idc.get_bytes(enc_string_addr, enc_string_size)\r\n      else:\r\n        print('Warning: excessively long encrypted string at %x - %x' % (arg_addr, enc_string_addr))\r\n        exit(1)\r\n      dec_string = decrypt_block(enc_string, key_matrix)\r\n      dec_string_print = guess_encoding(dec_string)\r\n      print('%x: %s' % (enc_string_addr, dec_string_print))\r\n      # Patch the decrypted bytes into the database and mark them as a string literal\r\n      idaapi.patch_bytes(enc_string_addr, dec_string.encode('latin-1'))\r\n      idc.create_strlit(enc_string_addr, enc_string_addr+enc_string_size)\r\n    else:\r\n      print('Warning: non-standard argument at %x: %x' % (ref, arg_addr))\r\n\r\nprint('Start decryption')\r\n# The key matrix is dumped from the sample beforehand; adjust the path as needed\r\nwith open('c:\\\\work\\\\key_matrix.bin', 'rb') as fi:\r\n  key_matrix = list(fi.read())\r\ndecrypt_all(idc.get_screen_ea(), key_matrix)\r\nprint('Done!')\r\nSource: https://www.nozominetworks.com/blog/colonial-pipeline-ransomware-attack-revealing-how-darkside-works/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.nozominetworks.com/blog/colonial-pipeline-ransomware-attack-revealing-how-darkside-works/"
	],
	"report_names": [
		"colonial-pipeline-ransomware-attack-revealing-how-darkside-works"
	],
	"threat_actors": [],
	"ts_created_at": 1775439053,
	"ts_updated_at": 1775791256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5589a10f3df0674cfc918bb8bf358c4854c5f891.pdf",
		"text": "https://archive.orkl.eu/5589a10f3df0674cfc918bb8bf358c4854c5f891.txt",
		"img": "https://archive.orkl.eu/5589a10f3df0674cfc918bb8bf358c4854c5f891.jpg"
	}
}