{
	"id": "e5c5579d-573d-4205-8c3f-06d133a59451",
	"created_at": "2026-04-06T00:16:42.733345Z",
	"updated_at": "2026-04-10T13:12:23.085852Z",
	"deleted_at": null,
	"sha1_hash": "79b03f0d9ab3f9d24b9713f3d9f068246884a6b5",
	"title": "DarkSide on Linux: Virtual Machines Targeted",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1556238,
	"plain_text": "DarkSide on Linux: Virtual Machines Targeted\r\nBy: Mina Naiim May 28, 2021 Read time: 5 min (1371 words)\r\nPublished: 2021-05-28 · Archived: 2026-04-05 16:06:27 UTC\r\nRansomware\r\nWe focus on the behavior of the DarkSide variant that targets Linux. We discuss how it targets virtual machine-related files on VMware ESXI servers, parses its embedded configuration, kills virtual machines (VMs), encrypts files on the infected machine, collects system information, and sends it to the remote server.\r\nUpdated June 1, 2021, 12:02 am ET: This article has been updated to remove the Command-and-Control (C\u0026C) URI String field in Table 1. Further study showed that it does not apply consistently to a number of samples.\r\nAs we discussed in our previous blog, the DarkSide ransomware is targeting organizations in manufacturing, finance, and critical infrastructures in regions such as the United States, France, Belgium, and Canada. The DarkSide ransomware targets both Windows and Linux platforms. We also noticed that the Linux variant, in particular, targets ESXI servers.\r\nIn this blog, we focus on the behavior of the variant that targets Linux. This entry also discusses how this variant targets virtual machine-related files on VMware ESXI servers, parses its embedded configuration, kills virtual machines (VMs), encrypts files on the infected machine, collects system information, and sends it to the remote server.\r\nThis table summarizes some of the differences between the behavior of the DarkSide ransomware on Windows and on Linux:\r\nTable 1. Comparison of DarkSide variants on Windows and Linux\r\nFeature | Windows Variant | Linux Variant\r\nEncryption Mechanism | Salsa20 with RSA-1024 | ChaCha20 with RSA-4096\r\nCipher Blocks | Salsa20 matrix is custom and randomly generated using “RtlRandomExW” | ChaCha20 initial block is standard, built using “expand 32-byte k” as a constant string\r\nConfiguration | Encrypted | Not encrypted\r\nTerminates VMs? | No | Yes\r\nTarget Files | All files on the system except the files, folders, and file extensions mentioned in the configuration | VM-related files on VMware ESXI servers, with specific file extensions mentioned in the configuration\r\nNew Extension | Generated by applying CRC32 several times on the HWID of the victim machine, for example “.4731c768” | Hard-coded in the embedded configuration as “.darkside” or passed by execution parameters\r\nhttps://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html\r\nPage 1 of 11\n\nRansom Note File Name | Consists of a hard-coded part in the configuration, “README.”, followed by the generated ID mentioned previously: for example, “README.4731c768.TXT” | Hard-coded in the embedded configuration as “darkside_readme.txt” or passed by execution parameters\r\nAnalysis of the Linux Variant\r\nTargets\r\nAs we noted earlier, DarkSide also has a Linux variant to infect more machines and cause more damage in the victim network. However, this variant is quite specific, as its main configuration targets VM-related files on VMware ESXI servers, as seen in the following figure:\r\nFigure 1. Target file extensions\r\nConfiguration\r\nUnlike the Windows variant, the Linux variant’s strings and configuration are not obfuscated. The configuration of the Linux variant specifies features of the sample, such as the extension for encrypted files, the C\u0026C URL, the number of threads, and a constraint on the minimum size of the target files to be encrypted.\r\nNote that the root path (the starting point for encryption) in the following figure is “/vmfs/volumes/”, which is the default location for the VM files on ESXI hosts.\r\nFigure 2. Configuration of the Linux variant\r\nIn addition to the hard-coded configuration, the ransomware executable can accept parameters to infect more files and change its default settings. Figure 3 shows where the malware parses execution parameters.\r\nFigure 3. Linux variant parameter parsing\r\nESXCLI Commands\r\nDarkSide runs several ESXCLI commands (ESXCLI is the command-line interface framework in vSphere) in order to collect information about the infected ESXI host, such as the running VMs, storage-related information, and vSAN-related information.\r\nTable 2 shows a list of ESXCLI commands run by DarkSide on the victim machine.\r\nTable 2. ESXCLI Commands\r\nCommand | Description\r\nesxcli --formatter=csv --format-param=fields==\"Device,DevfsPath\" storage core device list | List the Devfs path of the devices currently registered with the storage\r\nesxcli --formatter=csv storage filesystem list | List the logical sections of storage currently connected to the ESXI host\r\nesxcli --format-param=fields==\"WorldID,DisplayName\" vm process list | List the running VMs on the ESXI host\r\nesxcli vsan debug vmdk list | List the status of VMDKs in vSAN\r\nesxcli --format-param=fields==\"Type,ObjectUUID,Configuration\" vsan debug object list | List the UUID of the vSAN objects\r\nFigure 4 shows how the DarkSide ransomware lists the running virtual machines on the ESXI host.\r\nFigure 4. Listing running VMs\r\nKilling Virtual Machines\r\nBefore encryption, the Linux variant of the DarkSide ransomware can power off running VMs on the ESXI server using the following ESXCLI command:\r\n“esxcli vm process kill --type=force --world-id=\u003cWorldNumber\u003e”\r\nFigure 5. Terminating running VMs\r\nFigure 6. Reporting on VM killing status\r\nEncryption\r\nThe Linux variant of the DarkSide ransomware uses a ChaCha20 stream cipher with RSA-4096 to encrypt targeted files on the victim machine.\r\nIt loops across the files on the root path mentioned in the embedded configuration or in the given parameter, as shown in Figure 7.\r\nFigure 7. Linux variant looping across files/directories\r\nBefore encryption, the ransomware performs a file size check to make sure that the file is larger than the minimum file size given in the embedded configuration or in the parameters.\r\nFigure 8. Linux variant performing a file size check\r\nThe malware then opens the target file, reads the content based on the part and space size given in the configuration or in the parameters, encrypts it, and writes it back to the file, as shown in the following code:\r\nFigure 9. File encryption\r\nUnlike the Windows variant, which randomly generates its custom Salsa20 matrix by calling “RtlRandomExW” several times, the Linux variant uses the standard constant \"expand 32-byte k\" in the ChaCha20 cipher used to encrypt files on the victim machine, as shown in the next figure.\r\nFigure 10. Using \"expand 32-byte k\" as a constant in the ChaCha20 cipher\r\nAfter encryption, the malware adds a header and a cipher at the end of the encrypted files, as shown in Figure 11.\r\nFigure 11. Adding code to header\r\nFigure 12. Hex view of the encrypted file\r\nThe ransomware output console shows the results of the encryption, the encrypted filenames, the files discarded after the size check, the time of encryption, and more.\r\nFigure 13. Ransomware output console\r\nRansom note and added extensions\r\nThe Linux variant drops a ransom note on the victim machine and adds a new file extension to the encrypted files. Unlike the Windows variant, the ransom note file name and the new extension for encrypted files are hard-coded in the malware configuration file or given in a parameter, and the malware does not add any ID at the end of it.\r\nFor the analyzed samples, the new extension was “.darkside” and the hard-coded ransom note file name was “darkside_readme.txt”.\r\nFigure 14. Encrypted folder with ransom note\r\nC\u0026C Beaconing\r\nThe DarkSide ransomware can send a C\u0026C beaconing message with the collected system information to a remote server hard-coded in the configuration. It collects system information on the victim machine, such as host name, domain, and disk information, as evidenced in Figure 15.\r\nFigure 15. System information collection\r\nThe ransomware then puts the collected system information of the victim machine together with a hard-coded UID value in the following format:\r\nFigure 16. System information format\r\nIt hashes the collected information before sending it to the URL mentioned in the embedded configuration of the sample. DarkSide also uses a random parameter of eight characters in the request body to make its C\u0026C traffic more difficult to detect by IPS/IDS devices on the victim network. The request body has the following format:\r\n\u003cRandom 8-character variable\u003e = \u003cEncrypted collected information\u003e \u0026 \u003cRandom 8-character variable\u003e = \u003chardcoded UID\u003e\r\nFigure 17 shows the HTTP POST request sent by the malware to the remote server with the collected information.\r\nFigure 17. C2 beaconing HTTP traffic\r\nConclusion\r\nThe DarkSide ransomware family targets both Windows and Linux platforms. There are similarities between the Linux and Windows variants, but they differ with regard to some features, such as the encryption mechanism, target files, ransom note name, extension, C\u0026C URL, and more.\r\nThe Linux variant uses a ChaCha20 stream cipher with RSA-4096 in order to encrypt the files on the victim machine. It mainly targets VM-related files on VMware ESXI servers, such as VMDK files. It can also accept parameters to infect more files on the victim machine. Additionally, the DarkSide ransomware runs ESXCLI commands to get vSAN and storage information on the victim machine. It also lists and kills running VMs on the infected ESXI host before encryption. Lastly, it drops a ransom note in the encrypted directories on the victim machine.\r\nIndicators of Compromise\r\nC\u0026C servers:\r\ncatsdegree[.]com\r\nsecurebestapp20[.]com\r\ntemisleyes[.]com\r\nSHA256 | Trend Micro Detection Name\r\n984ce69083f2865ce90b48569291982e786980aeef83345953276adfcbbeece8\r\n9cc3c217e3790f3247a0c0d3d18d6917701571a8526159e942d0fffb848acffb | Ransom.Linux.DARKSIDE.THDBGBA\r\nc93e6237abf041bc2530ccb510dd016ef1cc6847d43bf023351dce2a96fdc33b\r\nda3bb9669fb983ad8d2ffc01aab9d56198bd9cedf2cc4387f19f4604a070a9b5\r\nSource: https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html"
	],
	"report_names": [
		"darkside-linux-vms-targeted.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434602,
	"ts_updated_at": 1775826743,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/79b03f0d9ab3f9d24b9713f3d9f068246884a6b5.pdf",
		"text": "https://archive.orkl.eu/79b03f0d9ab3f9d24b9713f3d9f068246884a6b5.txt",
		"img": "https://archive.orkl.eu/79b03f0d9ab3f9d24b9713f3d9f068246884a6b5.jpg"
	}
}