{
	"id": "f4a63e62-b968-457c-abd7-9b14a5906c4d",
	"created_at": "2026-04-06T00:07:23.562904Z",
	"updated_at": "2026-04-10T13:11:41.321886Z",
	"deleted_at": null,
	"sha1_hash": "663ed75abdda45ab3c34f0142981fe3fe2a48428",
	"title": "Return of the Darkside: Analysis of a Large-Scale Data Theft Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 858344,
	"plain_text": "Return of the Darkside: Analysis of a Large-Scale Data Theft Campaign\r\nBy Snir Ben Shimol\r\nPublished: 2021-03-18 · Archived: 2026-04-05 18:41:11 UTC\r\nOur team has recently led several high-profile investigations of attacks attributed to an up-and-coming cybercrime group,\r\nDarkside. These highly targeted campaigns were conducted in several phases over weeks or months, ultimately targeting\r\ntheft and encryption of sensitive data, including backups. In this technical blog post, we will review the tactics, techniques,\r\nand procedures (TTPs) we’ve observed.\r\nAbout Darkside, inc.\r\nThe Darkside ransomware group announced their RaaS (Ransomware-as-a-Service) in August of 2020 via a “press release.”\r\nSince then, they have become known for their professional operations and large ransoms. They provide web chat support to\r\nvictims, build intricate data leak storage systems with redundancy, and perform financial analysis of victims prior to\r\nattacking.\r\nThe group’s name, Darkside, evokes the image of a good guy (or gal) that has turned from the light. While we can’t\r\nconclude that the group is comprised of former IT security professionals, their attacks reveal a deep knowledge of their\r\nvictims’ infrastructure, security technologies, and weaknesses.\r\nThey have publicly stated that they prefer not to attack hospitals, schools, non-profits, and governments, but rather big\r\norganizations that can afford to pay large ransoms.\r\nOur reverse engineering revealed that Darkside’s malware will check device language settings to ensure they don’t attack\r\nRussia-based organizations. They have also answered questions on Q\u0026A forums in Russian and are actively recruiting\r\nRussian-speaking partners.\r\nThe group has both Windows and Linux toolsets. 
Much like NetWalker and REvil, Darkside has an affiliate program that\r\noffers anyone who helps spread their malware 10-25% of the payout.\r\nAnatomy of an Attack\r\nThe Darkside ransomware attack campaigns stood out for their use of stealthy techniques, especially in the early stages. The\r\ngroup performed careful reconnaissance and took steps to ensure that their attack tools and techniques would evade\r\ndetection on monitored devices and endpoints.\r\nWhile their initial entry vectors vary, their techniques are more standardized once inside, and their endgame is coldly\r\nefficient.\r\nStealth tactics include:\r\nCommand and control over TOR\r\nAvoiding nodes where EDR is running\r\nWaiting periods \u0026 saving noisier actions for later stages\r\nCustomized code and connection hosts for each victim\r\nObfuscation techniques like encoding and dynamic library loading\r\nAnti-forensics techniques like deleting log files\r\nDuring the later stages of their attack sequence, they:\r\nHarvest credentials stored in files, in memory, and on domain controllers\r\nUtilize file shares to distribute attack tools and store file archives\r\nRelax permissions on file shares for easy harvesting\r\nDelete backups, including shadow copies\r\nDeploy customized ransomware\r\nInitial Access: Finding the Weak Link\r\nDarkside ransomware gained initial entry through weak links – remotely exploitable accounts and systems.\r\nWe observed Darkside use compromised contractor accounts to access Virtual Desktop Infrastructure (VDI) that had been\r\nput in place to facilitate remote access during the pandemic. 
Those contractor accounts did not require multi-factor authentication.\r\nWe also observed them exploit servers, and then quickly deploy an additional RDP backdoor that would preserve access should the\r\nvulnerable server be patched.\r\nhttps://www.varonis.com/blog/darkside-ransomware/\r\nPage 1 of 6\n\nWhile neither of these vectors is novel, they should serve as a warning that sophisticated threat actors are easily bypassing\r\nperimeter defenses. They illustrate the need for multi-factor authentication on all internet-facing accounts and rapid patching\r\nof internet-facing systems.\r\nCommand and Control\r\nThe Darkside ransomware attackers established command and control primarily with an RDP client running over port\r\n443, routed through TOR. After installing the Tor Browser, they modified its configuration to run as a persistent service that forwards\r\ntraffic sent to a local (dynamically chosen) port through TOR over port 443, so that it blends in with ordinary HTTPS traffic. These\r\nconnections were persistent, so the attackers could establish RDP sessions to and through the compromised hosts, facilitating\r\nlateral movement.\r\nWe found traces of TOR clients across many servers and observed dozens of active TOR connections.\r\nThe attackers used Cobalt Strike as a secondary command and control mechanism. We observed dozens of customized\r\nstagers that downloaded customized beacons that connected to specific servers. The stagers (named file.exe) were deployed\r\nremotely on specific targeted devices using WinRM, each one configured differently. The Cobalt Strike stagers\r\nestablished connections to a dedicated C2 server to download the Cobalt Strike Beacon.\r\nThreat actors commonly use only a few C2 servers per victim, but Darkside configured each beacon to connect to a different\r\nC2 server with a different user agent. This indicates that Darkside operates a large, well-established attack\r\ninfrastructure.
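Stagers pushed with WinRM, as described above, execute as child processes of the WinRM plugin host, wsmprovhost.exe. The following is an added example, not code from the original post or from Varonis: a Python detector that scans constructed process-creation events (Sysmon Event ID 1 field names) for that parent, ignores the shells an administrator would expect there, and scores every other child by the file.exe name the post mentions and by whether it ran from a network share or from outside the usual program directories. Host names, user names, the share path and the allowlist of expected children are assumptions for the example.

```python
from typing import Dict, List, Tuple

# Added example (not code from the original post): flag processes that the WinRM
# plugin host (wsmprovhost.exe) spawned, as happens when a stager is launched
# remotely with WinRM, and explain why each one looks suspicious.

BS = chr(92)  # a single backslash, used to build the Windows paths below


def win(*parts: str) -> str:
    '''Join path components with backslashes, e.g. win('C:', 'Windows').'''
    return BS.join(parts)


WSMPROVHOST = 'wsmprovhost.exe'
# Children an administrator expects under wsmprovhost.exe (Invoke-Command, Enter-PSSession).
EXPECTED_CHILDREN = {'powershell.exe', 'cmd.exe', 'conhost.exe'}
# Where a legitimately installed binary normally lives (lower-cased for comparison).
TRUSTED_DIRS = (win('c:', 'windows') + BS,
                win('c:', 'program files') + BS,
                win('c:', 'program files (x86)') + BS)
STAGER_NAMES = {'file.exe'}  # stager name reported in the post

# Constructed sample events; hosts, users and paths are hypothetical.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {'Computer': 'SRV-APP-03', 'User': win('CORP', 'contractor7'),
     'Image': win('C:', 'Windows', 'System32', 'WindowsPowerShell', 'v1.0', 'powershell.exe'),
     'ParentImage': win('C:', 'Windows', 'System32', WSMPROVHOST),
     'CommandLine': 'powershell.exe -NoProfile -Command Get-Service'},
    {'Computer': 'SRV-FILE-01', 'User': win('CORP', 'contractor7'),
     'Image': win('C:', 'Users', 'Public', 'file.exe'),
     'ParentImage': win('C:', 'Windows', 'System32', WSMPROVHOST),
     'CommandLine': win('C:', 'Users', 'Public', 'file.exe')},
    {'Computer': 'SRV-DB-02', 'User': win('CORP', 'svc_backup'),
     'Image': win('', '', 'SRV-FILE-01', 'tools', 'file.exe'),   # UNC path on a share
     'ParentImage': win('C:', 'Windows', 'System32', WSMPROVHOST),
     'CommandLine': win('', '', 'SRV-FILE-01', 'tools', 'file.exe')},
    {'Computer': 'WS-017', 'User': win('CORP', 'jdoe'),
     'Image': win('C:', 'Users', 'jdoe', 'Downloads', 'file.exe'),
     'ParentImage': win('C:', 'Windows', 'explorer.exe'),        # not WinRM: ignored here
     'CommandLine': 'file.exe'},
]


def basename(path: str) -> str:
    '''Last path component, lower-cased; accepts either separator.'''
    return path.replace('/', BS).rsplit(BS, 1)[-1].lower()


def winrm_spawned_suspects(events: List[Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    '''Return (computer, image basename, reasons) for suspicious WinRM-spawned processes.'''
    findings = []
    for ev in events:
        if basename(ev.get('ParentImage', '')) != WSMPROVHOST:
            continue  # not launched through WinRM
        image = ev.get('Image', '')
        name = basename(image)
        if name in EXPECTED_CHILDREN:
            continue  # ordinary remote PowerShell / cmd session
        reasons = ['unexpected child of ' + WSMPROVHOST]
        if name in STAGER_NAMES:
            reasons.append('image name matches known stager name')
        if image.startswith(BS + BS):
            reasons.append('image executed directly from a network share')
        elif not image.lower().startswith(TRUSTED_DIRS):
            reasons.append('image outside trusted program directories')
        findings.append((ev.get('Computer', ''), name, reasons))
    return findings


if __name__ == '__main__':
    for computer, name, reasons in winrm_spawned_suspects(SAMPLE_EVENTS):
        print(computer, name, '; '.join(reasons))
```

The parent check is the load-bearing part: a stager named anything, dropped anywhere, still has to be started by wsmprovhost.exe when WinRM is the delivery mechanism, so the name and location tests only rank what that check has already surfaced. Process-creation telemetry must carry the parent image (Sysmon does; 4688 needs the Creator Process Name field).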
\r\nThe stagers and TOR executables were stored in network shares for easy distribution. The actors avoided installing\r\nbackdoors on systems monitored by EDR solutions.\r\nDetection of the beacon being downloaded onto a compromised server\r\nWe observed the threat actors log into the Virtual Desktop environment with many accounts, sometimes concurrently. Each\r\ntime the threat actor logged on, .lnk files were created in the compromised user’s home folders. The .lnk file activity helped\r\ndetermine which accounts and VDI environments had been compromised and when each account was used in the attack.\r\nRecon and Credential Harvesting\r\nDarkside ransomware is known for living off the land (LotL), but we also observed them scan networks, run commands,\r\ndump processes, and steal credentials. Like the command and control code, the attack tools were executed on hosts that\r\nhad minimal detection and blocking capabilities. Well-known tools included advanced_ip_scanner.exe, PsExec, Mimikatz,\r\nand more.\r\nFrom the initial set of compromised hosts, the actor used Kerberos ticket requests and NTLM connections to gain access to additional systems and\r\naccounts. After a waiting period, the actor used an Active Directory reconnaissance tool (ADRecon.ps1) to gather additional\r\ninformation about users, groups, and privileges, storing the results in a file called DC.txt. Each of their attack tools was deleted\r\nafter use. 
The attacker temporarily stored the recon results and credential information on a very active Windows server.\r\nInteresting file names written and deleted on the server included: Typed_history.zip, Appdata.zip, IE_Passwords.zip,\r\nAD_intel, and ProcessExplorer.zip.\r\nIn addition to harvesting credentials from memory, the attacker mined credentials from user profile folders, including:\r\nUsers\\\u003cuser name\u003e\\Appdata\\[Roaming\\Local]\\Microsoft [Credentials\\Vault]\r\nUsers\\\u003cuser name\u003e\\Appdata\\Roaming\\Mozilla\\Firefox\\Profiles\r\nUsers\\\u003cuser name\u003e\\Appdata\\Local\\Google\\Chrome\r\nThe threat actor used Invoke-mimikatXz.ps1 to extract credentials from unmonitored servers and stored them in a file called\r\n“dump.txt.” This operation was performed on a high-value target with minimal detective capabilities.\r\nOnce the attacker had obtained domain admin credentials, they accessed domain controllers. In later stages they performed the well-known DCSync attack, in which the attacker impersonates a domain controller and uses the Directory\r\nReplication Service (DRS) protocol to request replication of AD objects, obtaining the password hashes for the entire domain, including the\r\nKRBTGT hash.\r\nData Collection and Staging\r\nThe active Windows server also served as a hub to store data before exfiltration. Data was mined from hundreds of servers\r\nwith a batch routine (dump.bat) located in \\Desktop\\Dump, writing files to the same location and compressing them into 7-Zip\r\narchives with a simple naming convention, *.7z.[001]-[999].\r\nThough they had accumulated elevated privileges, we observed the attacker relax the permissions on file systems, opening\r\nthem up so that they could access the files with any domain user account.
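Added example, not code from the original post or from Varonis: a detector for the DCSync technique described above, run over constructed Windows Security Event 4662 records. A replication request shows up as a 4662 whose Properties field lists the replication control-access rights; the detector flags any principal requesting them that is not a known domain controller or a directory-synchronisation service account. The domain controller names, the MSOL_ account prefix and the event records are assumptions for the example.

```python
import re
from typing import Dict, List, Tuple

# Added example (not from the original post): spot DCSync-style replication
# requests in Security Event 4662 records. The event is written when 'Audit
# Directory Service Access' is enabled and a SACL on the domain object covers
# these rights; its Properties field carries the requested control-access GUIDs.

REPLICATION_RIGHTS = {
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2': 'DS-Replication-Get-Changes',
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2': 'DS-Replication-Get-Changes-All',
    '89e95b76-444d-4c62-991a-0facbeda640c': 'DS-Replication-Get-Changes-In-Filtered-Set',
}
GUID_RE = re.compile(r'[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}', re.I)

# Principals that replicate legitimately. Both are hypothetical: the DC list comes
# from the domain inventory, the prefix from an Azure AD Connect style deployment.
DOMAIN_CONTROLLERS = {'DC01$', 'DC02$'}
ALLOWED_SERVICE_PREFIXES = ('MSOL_',)

# Constructed 4662 records; only the fields the detection needs are included.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {'EventID': 4662, 'SubjectUserName': 'DC02$', 'ObjectName': 'DC=corp,DC=example',
     'Properties': '{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}'},
    {'EventID': 4662, 'SubjectUserName': 'jsmith', 'ObjectName': 'DC=corp,DC=example',
     'Properties': '{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}'},
    {'EventID': 4662, 'SubjectUserName': 'svc_backup', 'ObjectName': 'CN=jsmith,OU=Users,DC=corp,DC=example',
     'Properties': '{bf967aba-0de6-11d0-a285-00aa003049e2}'},   # plain object read, not replication
    {'EventID': 4662, 'SubjectUserName': 'MSOL_3f9a1c2b', 'ObjectName': 'DC=corp,DC=example',
     'Properties': '{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}'},
    {'EventID': 4662, 'SubjectUserName': 'WS-017$', 'ObjectName': 'DC=corp,DC=example',
     'Properties': '{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}'},   # a workstation, not a DC
    {'EventID': 4624, 'SubjectUserName': 'jsmith', 'ObjectName': '', 'Properties': ''},
]


def requested_replication_rights(event: Dict[str, object]) -> List[str]:
    '''Names of the replication rights present in the event's Properties field.'''
    guids = {g.lower() for g in GUID_RE.findall(str(event.get('Properties', '')))}
    return [REPLICATION_RIGHTS[g] for g in sorted(guids) if g in REPLICATION_RIGHTS]


def is_dcsync(event: Dict[str, object]) -> bool:
    '''True when someone other than a known DC or sync account asks to replicate.'''
    if event.get('EventID') != 4662:
        return False
    if not requested_replication_rights(event):
        return False
    user = str(event.get('SubjectUserName', ''))
    if user.upper() in DOMAIN_CONTROLLERS:
        return False  # DC-to-DC replication
    if user.upper().startswith(ALLOWED_SERVICE_PREFIXES):
        return False  # directory-sync service account
    # Machine accounts that are not DCs fall through on purpose: a compromised
    # workstation replicating the domain is exactly what we want to see.
    return True


def find_dcsync(events: List[Dict[str, object]]) -> List[Tuple[str, str, List[str]]]:
    '''(SubjectUserName, ObjectName, rights) for every event that looks like DCSync.'''
    return [(str(e['SubjectUserName']), str(e['ObjectName']), requested_replication_rights(e))
            for e in events if is_dcsync(e)]


if __name__ == '__main__':
    for user, obj, rights in find_dcsync(SAMPLE_EVENTS):
        print(user, obj, ', '.join(rights))
```

Without Directory Service Access auditing and a SACL on the domain object that covers these rights, replication requests leave no 4662 behind, so the audit configuration is a prerequisite rather than a tuning detail. Comparing machine accounts against the DC inventory rather than trusting the trailing $ is deliberate: a DC whose machine-account hash has been stolen, or a workstation account granted replication rights, replicates under a machine account too.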
The batch file, target data, and the archives were\r\ndeleted by the attackers within hours of collection.\r\nEncryption\r\nDarkside doesn’t deploy ransomware until they’ve mapped the environment, exfiltrated interesting data, gained control of\r\nprivileged accounts, and identified all backup systems, servers, and applications. We observed several connections to\r\nprimary backup repositories using compromised service accounts shortly before encryption. By holding off on the\r\nencryption phase of the attack, they put themselves in a position to maximize damage and profit.\r\nThe ransomware code is delivered through the established backdoors (TOR-RDP or Cobalt Strike) and is customized for each\r\nvictim. The payload includes the executable, a unique extension, and a unique victim ID that allows the victim to access\r\nDarkside’s website and make payment.\r\nBy using unique executables and extensions, the ransomware easily evades signature-based detection mechanisms. Darkside\r\nalso provides customized ransomware to other threat actors (Ransomware as a Service) and takes a share of the profit from\r\nsuccessful attacks.\r\nOne version of the customized code was named “Homie.exe.” In addition to being customized, we found that it also uses anti-analysis and evasion techniques, such as self-injection, virtual machine detection, and dynamic library loading. 
It\r\nalso deletes shadow copies on victim devices.\r\nDarkside Ransomware Stage 1 – Self Injection\r\nOn execution, the malware copies itself to the path “C:\\Users\\admin\\AppData\\Local\\Temp\\” and injects its code into the\r\nexisting process with a CMD command (not reproduced in this text copy).\r\nIf the malware finds indications that it is being debugged or run in a VM, it immediately stops.\r\nTo avoid detection by AV and EDR solutions, the ransomware dynamically loads its libraries, without registering them in its\r\nimports section (import table not reproduced in this text copy).\r\nOnly 3 libraries are imported, which indicates that the other libraries’ names are resolved dynamically during the malware’s run\r\ninstead of being explicitly imported.\r\nRansomware Stage 2 – Deletion of Shadow Copies\r\nUsing an obfuscated PowerShell command, the malware attempts to delete the shadow copies on the victim device. The\r\nobfuscated command and its de-obfuscated form are not reproduced in this text copy.\r\nRansomware Stage 3 – Encryption of Files\r\nAfter the deletion of the shadow copies, the malware first terminates specific processes, so that open file handles do not block or delay\r\nencryption, and then begins its encryption routine.\r\nList of processes:\r\nsql\r\noracle\r\nocssd\r\ndbsnmp\r\nsynctime\r\nagntsvc\r\nisqlplussvc\r\nxfssvccon\r\nmydesktopservice\r\nocautoupds\r\nencsvc\r\nfirefox\r\ntbirdconfig\r\nmydesktopqos\r\nocomm\r\ndbeng50\r\nsqbcoreservice\r\nexcel\r\ninfopath\r\nmsaccess\r\nmspub\r\nonenote\r\noutlook\r\npowerpnt\r\nsteam\r\nthebat\r\nthunderbird\r\nvisio\r\nwinword\r\nwordpad\r\nnotepad\r\nDuring encryption, the malware appends an 8-character string to the end of the encrypted file names.\r\nDarkside ransomware avoids encrypting files with the following extensions (the list is truncated in the archived copy):\r\n386,adv,ani,bat,bin,cab,cmd,com,cpl,cur,deskthemepack,diagcab,diagcfg,diagpkg,dll,drv,exe,hlp,icl,icns,ico,ics,idx,ldf,lnk,mod,mpa,msc,msp,msstyles,ms\r\nIt creates a ransom note (“README…txt”) with instructions for contacting the ransomware operators for decryption (not reproduced in this text copy).\r\nHow to Prepare for Threat Actors in 2021\r\nFind and fix the weak links before attackers do\r\nAny internet-facing account that doesn’t require MFA is a brute-force attack away from compromise. Any unpatched\r\ninternet-facing server is an exploit away from a script-kiddie payday.\r\nAssume breach and fix the weak links inside\r\nThreat actors look for quick ways to obtain domain admin credentials. Service or admin accounts with SPNs whose service tickets can be\r\nrequested with weak (RC4) encryption and cracked offline, or, worse still, privileged accounts with weak or no password requirements,\r\nare too-easy targets.\r\nIn too many organizations, attackers don’t even need elevated credentials to harvest data: the average employee has access\r\nto far more data than they require. Lock down sensitive data so that only the right accounts have access, and then monitor file\r\nsystems for unusual access and change events.\r\nMore lights, please, especially on stuff that matters\r\nOrganizations with comprehensive monitoring detect and investigate attacks like these more quickly. If you have\r\nblind spots on core data stores, in Active Directory, DNS, remote access systems, or in web connections, you’ll struggle to\r\ndetermine which systems were compromised and whether sensitive data was stolen.\r\nIf you detect a breach, let Active Directory triangulate the blast radius\r\nActive Directory events can help you quickly identify compromised accounts and devices. Instead of focusing on one\r\nendpoint at a time, once one compromised account or system has been identified, query Active Directory for signs of lateral\r\nmovement by that account or by accounts used on that system.
A special thanks to Rotem Tzadok for leading our Darkside investigations and analysis.\r\nSource: https://www.varonis.com/blog/darkside-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.varonis.com/blog/darkside-ransomware/"
	],
	"report_names": [
		"darkside-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434043,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/663ed75abdda45ab3c34f0142981fe3fe2a48428.pdf",
		"text": "https://archive.orkl.eu/663ed75abdda45ab3c34f0142981fe3fe2a48428.txt",
		"img": "https://archive.orkl.eu/663ed75abdda45ab3c34f0142981fe3fe2a48428.jpg"
	}
}