{
	"id": "ba3fe958-b5fc-4f77-be7f-7d9e5ca734aa",
	"created_at": "2026-04-06T00:14:48.468751Z",
	"updated_at": "2026-04-10T03:21:33.706106Z",
	"deleted_at": null,
	"sha1_hash": "73056151fc6a0e11d451b41821f95352f890185d",
	"title": "DarkSide Ransomware Behavior and Techniques",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51643,
	"plain_text": "DarkSide Ransomware Behavior and Techniques\r\nBy Radu Emanuel Chiscariu\r\nArchived: 2026-04-05 21:12:28 UTC\r\n \r\nDarkSide is a modern ransomware family offered as ransomware-as-a-service: affiliate cyber-criminal groups deploy it and the developers take a percentage of the profits. Both Windows and Linux versions of the ransomware have been found in the wild. Files are encrypted with the lightweight Salsa20 stream cipher, and the Salsa20 keys are in turn protected with an embedded RSA-1024 public key. Victims are presented with Bitcoin and Monero wallets and asked to pay sums ranging from two thousand to two million dollars for the decryption key. According to TrendMicro, the actor behind this ransomware family is believed to be Eastern European.\r\nGroups leveraging DarkSide have recently been targeting manufacturing, insurance, healthcare, and energy organizations. Multiple strains of the ransomware were released, either to attack specific high-value targets or to hamper detection efforts. Following the attack on Colonial Pipeline, another DarkSide strain infected a Toshiba Tec business unit in France. Meanwhile, another Eastern European ransomware group (calling themselves Conti) infected Ireland's national health service.\r\nDarkSide gains initial access through phishing, weak credentials, and exploitation of known vulnerabilities, such as CVE-2021-20016, a SQL injection in the SonicWall SMA100 SSL VPN product.\r\nKeysight's Application and Threat Intelligence (ATI) research team has released a DarkSide kill chain assessment that simulates the malware's behavior. In this blog post, we walk through what happens when the DarkSide malware infects a system, in terms of MITRE ATT\u0026CK techniques.\r\nT1082 - System Information Discovery\r\nThe malware checks whether its process is being debugged by a user-mode debugger and exits if it is. 
This is a common malware anti-debugging mechanism.\r\nOther Windows APIs associated with system information discovery that this malware uses include:\r\nGetSystemInfo: returns, among other things, the processor count. A low count is a common heuristic for deciding that the malware is running in a sandbox or virtualized environment.\r\nCheckRemoteDebuggerPresent: determines whether the specified process is being debugged by a debugger running in a separate process.\r\nGetSystemDefaultUILanguage, GetUserDefaultLangID: detect the languages configured on the system.\r\nThe malware will not infect the host if the following languages are installed:\r\nT1543.003: Create or Modify System Process: Windows Service\r\nThe malware attempts to gain persistence by calling the CreateServiceA Windows API to register a service that points at the malware executable and is configured to start automatically after a restart.\r\nThe service hides behind the name .021e895b, a pseudo-random string of eight lowercase hexadecimal characters derived from either the system's MAC address or the MachineGuid registry value.\r\nT1548.002: Abuse Elevation Control Mechanism, Bypass User Account Control\r\nIf the operating system is Windows 10 or newer, the malware attempts a UAC bypass through the CMSTPLUA COM interface, a technique for which a public proof of concept exists.\r\nT1553.002: Subvert Trust Controls, Code Signing\r\nTo run on systems where only signed code is allowed to execute, the malware is signed with a Cobalt Strike stager's certificate.\r\nT1490: Inhibit System Recovery\r\nBefore encrypting the files on the system, the ransomware uses the CreateProcess API to execute the following command:\r\npowershell -ep bypass -c \"(0..61)|%{$s+=[char][byte]\r\n('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.S\r\n$s\"\r\nThe loop rebuilds a string one byte at a time from pairs of hex digits and then invokes it. Decoding the hex-encoded byte stream yields:\r\nGet-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}\r\nThe PowerShell command queries WMI for the list of the system's shadow copies and deletes them before the user files are encrypted, thus preventing post-infection recovery from Volume Shadow Copies. A powershell.exe process launched with -ep bypass and a long hex string in its command line is a reliable hook for this stage in process-creation telemetry (for example Sysmon Event ID 1 or Windows Security event 4688 with command-line auditing enabled).\r\nT1486: Data Encrypted for Impact\r\nFiles found during directory traversal are encrypted with the lightweight Salsa20 stream cipher. Each Salsa20 key is then encrypted with the embedded RSA-1024 public key, so the files cannot be recovered without the operators' corresponding private key. In each traversed directory, the malware drops its ransom note.\r\nConclusion\r\nDarkSide has above-average anti-VM and anti-debugging protections. Written in C and highly modular, it was released in different versions and with multiple packers, which made it hard to pin down with signature-based detection. For more details, see the joint CISA-FBI cybersecurity advisory on DarkSide ransomware.\r\nUsing the knowledge gleaned from reverse engineering, we have released a complete DarkSide kill chain assessment for our Threat Simulator customers. 
Now you can safely test your endpoint and network security controls for coverage of this and many other threats in your production environment.\r\nSource: https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2021/05/18/darkside_ransomware-QfsV.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2021/05/18/darkside_ransomware-QfsV.html"
	],
	"report_names": [
		"darkside_ransomware-QfsV.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434488,
	"ts_updated_at": 1775791293,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/73056151fc6a0e11d451b41821f95352f890185d.pdf",
		"text": "https://archive.orkl.eu/73056151fc6a0e11d451b41821f95352f890185d.txt",
		"img": "https://archive.orkl.eu/73056151fc6a0e11d451b41821f95352f890185d.jpg"
	}
}