{
	"id": "770e1bad-53a1-488a-93be-2447548439c3",
	"created_at": "2026-04-06T01:29:04.696418Z",
	"updated_at": "2026-04-10T03:30:50.718885Z",
	"deleted_at": null,
	"sha1_hash": "7f5799157dee8792f546d74b3ea1fe96cae21553",
	"title": "Blue Team Detection: DarkSide Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 78151,
	"plain_text": "Blue Team Detection: DarkSide Ransomware\r\nBy Secprentice\r\nPublished: 2021-06-13 · Archived: 2026-04-06 01:17:40 UTC\r\n Featured\r\nMalware write-ups can be found in abundance online, they are often written from the point of view of a malware\r\nresearcher who focuses on the deep internals of how malicious software works.\r\nSecprentice\r\nBlue Team Detection: DarkSide Ransomware\r\nMalware write-ups can be found in abundance online, they are often written from the point of view of a malware\r\nresearcher who focuses on the deep internals of how malicious software works, in some cases the information\r\nprovided cannot be used to derive actionable intelligence and defence mechanisms by cybersecurity blue teams.\r\nWith that said, Researchers normally publish lists of hashes, file names, paths and IP addresses but these are easily\r\nrotated by attackers and therefore quickly become redundant for defenders. So, instead of looking for these\r\nfingerprints (which frequently change), we should instead look to detect malware by its behaviours (which are\r\nrelatively persistent and common across many malware flavours). In this post, I hope to take a recent popular\r\nstrain of malware and pick it apart, not as a malware analyst but as a blue team defender to create intelligence that\r\ncan be used to detect malware based on its generalised behaviours instead of a stagnant list of hashes, IPs or file\r\nnames.\r\nDarkSide Ransomware unleashed chaos on the Oil industry recently by demanding millions of dollars to decrypt\r\ncritical infrastructure networks. Thankfully Fireye has written up a great report which illuminates some of the\r\ntactics employed by Darkside admins to inflict their cryptographic nightmare. Although it seems Darkside is\r\nmaking a swift exit the methods they use are common across many threat actors and therefore the advice below\r\nremains applicable to other ransomware flavours.\r\nBased on the evidence that DARKSIDE ransomware is distributed by multiple actors, we anticipate that\r\nthe TTPs used throughout incidents associated with this ransomware will continue to vary somewhat\r\nhttps://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html\r\nDetection Opportunities\r\nhttps://www.secjuice.com/blue-team-detection-darkside-ransomware/\r\nPage 1 of 6\n\nImage credit: Fireeye\r\n#1 Password attacks at the perimeter\r\nConsumers of security tools are often led to believe that Ransomware is a complex threat but for our first\r\ndetection opportunity, we see quite the opposite.\r\nIn multiple cases we have observed suspicious authentication attempts against corporate VPN\r\ninfrastructure immediately prior to the start of interactive intrusion operations. The authentication\r\npatterns were consistent with a password spraying attack, though available forensic evidence was\r\ninsufficient to definitively attribute this precursor activity to UNC2628. In cases where evidence was\r\navailable, the threat actor appeared to obtain initial access through corporate VPN infrastructure using\r\nlegitimate credentials.\r\nThe attackers are simply logging into the victims VPN appliance and accessing the network where they assume\r\nthe permissions of the user whose credentials they have stolen. This isn't a complex intrusion. It's just logging in.\r\nIt could have been slowed or perhaps stopped by modernising password policy and enabling two-factor\r\nauthentication on the VPN gateway.\r\nDefenders can detect this stage of the attack by monitoring VPN authentication logs (normally Syslog directly\r\nfrom the VPN appliances or RADIUS) for multiple failed attempts. Also, multiple failed attempts followed by\r\nsuccess. Alert fidelity can be achieved in modern SIEMs by applying baselining or machine learning to\r\nautomatically detect anomalous authentication instead of relying on a static threshold such as X auth failures in Y\r\nminutes.\r\nhttps://www.secjuice.com/blue-team-detection-darkside-ransomware/\r\nPage 2 of 6\n\nSimplification of the attack for visual learners. \r\nFireEye does also mention the attacker may have logged in with legitimate credentials, it could be argued that the\r\nattackers stole or were sold a working username/password combination. In this case, it's surely safe to assume that\r\ntwo-factor authentication would have slowed down the attackers. Implementing 2FA is initially time-consuming\r\nbut a breeze to work with after the initial deployment hump. Some say that user workflow and productivity is\r\nhampered by having a two-factor authentication process but thanks to modern push notification solutions (like\r\nDuo and Azure) this simply isn't true. Your smartphone can send you a push notification that you tap and unlock\r\nwith biometrics adding fractions of a second onto your login time. The pros of a more secure VPN outweigh the\r\ncons of a few extra seconds of logon time.\r\n#2 Exploitation of edge appliances.\r\nAdmittedly this section is only half a detection, the other half is patching advice.\r\nFireEye noted that some Darkside attacks exploited CVE-2021-20016 for initial access. This vulnerability allows\r\nunauthenticated remote commands to be executed against SonicWall appliances. Anyone with an internet\r\nconnection and the right set of instructions (SQL queries in this case) can easily steal credentials from the\r\nSonicWall appliance and use them to break into a network from the outside. This low effort, high yield attack is\r\nmade possible by the precarious location of edge networking appliances, bridging the internal and external\r\nnetwork.\r\nSimplification of VPN appliances on the internet. \r\nIf your network has any edge appliances (Citrix, VPNs or similar) they must be promptly patched when\r\nvulnerabilities are disclosed, the sooner the better. Failing to do so will undoubtedly allow attackers in eventually.\r\nIt's possible to detect such vulnerabilities with an external vulnerability scanner or simply by signing up for a\r\nnotification service like https://secalerts.co.\r\nIn some cases, it's also possible to detect appliance attacks via their logs although this varies by vendor and\r\nvulnerability. Knowing which logs to look at isn't always known until long after the vulnerability has been\r\npublished. In most cases, the appliance will write a Syslog message or have a particular file in a particular location\r\nthat shows the system has been compromised. It's probably best not to count on this method for detecting\r\nnetworking appliance intrusions. Prevention is better than the cure.\r\n#3 Phishing\r\nhttps://www.secjuice.com/blue-team-detection-darkside-ransomware/\r\nPage 3 of 6\n\nA group that Fireye have dubbed UNC2465 snuck Darkside in via the \"Hamhock\" backdoor. It's hard to find much\r\ninformation about this backdoor other than what's provided in the Fireye write up but it's possible to make\r\neducated guesses about its tactics based on the snippets of information Fireye have included.\r\nDuring one incident, the threat actor appeared to establish a line of communication with the victim\r\nbefore sending a malicious Google Drive link delivering an archive containing an LNK downloader.\r\nMore recent UNC2465 emails have used Dropbox links with a ZIP archive containing malicious LNK\r\nfiles that, when executed, would ultimately lead to SMOKEDHAM being downloaded onto the system\r\nSo, UNC2465 delivered the Hamhock backdoor via phishing in two flavours. One using cloud storage services\r\nlike Google Drive or Dropbox and the other by hiding malicious LNK files inside ZIPs and sending them directly\r\nto the victim. Fireeye has not shared many details about the phishing kill chain but we can safely assume it looks\r\nsomething like these Any.Run samples that abuse LNK files:\r\nhttps://app.any.run/tasks/2f776569-a3be-42e4-a6af-732982c9b2ed/\r\nhttps://app.any.run/tasks/2f776569-a3be-42e4-a6af-732982c9b2ed/\r\nWhen boiled down this phishing attack is nothing more than delivering a shortcut file that points towards a\r\nmalicious command. The shortcut file is put in front of the user inside of a ZIP file attachment or hidden behind a\r\ncloud file sharing link.\r\nThis isn't anything new and certainly isn't anything to be concerned about because long kill chains like this grant\r\nmany detection and prevention opportunities for us defenders.\r\nA rough outline of the LNK kill chain as per AnyRun samples.\r\nTo detect and prevent this phishing method defenders should consider some or all of the following actions:\r\nDo not allow LNK files to be delivered as eMail attachments. Block LNK files from being delivered to\r\nend-users.\r\nEnsure that this block extends to LNK files inside of ZIPs. Most modern email gateways can look inside\r\nZIP files for malicious files.\r\nhttps://www.secjuice.com/blue-team-detection-darkside-ransomware/\r\nPage 4 of 6\n\nEnsure that this block extends to LNK files inside of encrypted ZIPs. Attackers sometimes password-protect ZIP files to stop eMail scanners from looking inside. This particular protection may interrupt\r\nnormal business workflows and therefore is not suitable for everyone, your business should be consulted\r\nfor appetite first.\r\nUse EDR to monitor for archive software (WinZip, 7Zip, Unrar) writing .LNK files to disk aka being\r\nextracted.\r\nUser EDR to monitor for a suspicious parent to child process relationships as per any other malware. For\r\nexample: CMD.exe \u003e MSHTA.exe \u003e PowerShell.exe. There's no special sauce here. Once the attackers are\r\non the network they still rely on traditional code execution and foothold techniques, so stick to what you\r\nknow and don't be distracted by the fact that a new scary ransomware flavour is involved.\r\n#4 Privilege escalation detection\r\nAfter any hacker has gotten into her target network she will want to obtain high privileges so she can spread deep\r\ninto the network and encrypt as many systems as possible. Again, there is no secret sauce here. The ransomware\r\noperators are using the same tried and true techniques. Specifically called out by FireEye are Mimikatz, CVE-2020-1472 and LSASS memory dumps. To detect and prevent these privilege escalation attacks, defenders should\r\nimplement as many of the below initiatives as possible:\r\nPatch systems regularly and promptly. CVE-2020-1472 can be avoided by installing patches.\r\nAdministrators must ensure that wdigest regkey is set to 0 on systems running  Windows 7, 8, Server 2008,\r\nand Server 2012. This stops plain text credentials from being stored in memory. EDR tools should be used\r\nto monitor for modifications to the wdigest registry key as attackers may try to modify it to weaken system\r\nsecurity\r\nAdministrators should also ensure the RunAsPPL registry key is set which stops tools like Mimikatz from\r\ndumping the LSASS process memory where credentials are stored in a hashed format.\r\nAs mentioned earlier, password policies must be modernised with length and longevity in mind.\r\nA large portion of common Microsoft domain attacks can be detected by Microsoft ATA, now renamed to\r\nMicrosoft Defender For Identity.\r\nThe agent runs on domain controllers where it can monitor for suspicious behaviour in domain controller\r\nlogs.\r\n#5 Monitoring and controlling administrative tools\r\nAll of the hacking groups that deployed DarkSide were observed by Fireeye to be using system administrator tools\r\nthat have no place on a network except in very particular circumstances. Defenders should look to strictly control\r\naccess to the following tools:\r\nTeamviewer\r\nrClone\r\nPSExec\r\nFireEye directly calls out the fact that the attackers downloaded standard binaries for these tools directly from the\r\nvendor source. (For example dl.teamviewer.com) This is interesting because it highlights the fact that the attackers\r\nhttps://www.secjuice.com/blue-team-detection-darkside-ransomware/\r\nPage 5 of 6\n\ndon't feel the need to hide this download, obviously because it often goes undetected.\r\nDefenders can detect and control the use of these tools using EDR Watchlists, Firewalls and application control\r\ntools like AppLocker. If a user starts any of these applications without proper permission or explanation their\r\nactivity should be investigated.\r\n#5 Protect ESXi\r\nMandiant observed the threat actor navigate to ESXi administration interfaces and disable snapshot\r\nfeatures prior to the ransomware encryptor deployment, which affected several VM images.\r\nI believe this claim to be profound because this isn't a commonly talked about attack vector and few organisations\r\nare properly monitoring their virtual machine management consoles. Defenders should work to implement as\r\nmany of the following recommendations as possible to protect their ESXi hosts from attacks like this.\r\nEnsure that all virtual machine hosts are patched and running the latest software available from the vendor.\r\nIf you don't have a vulnerability management platform then sign up to a service like https://secalerts.co/ for\r\nemail alerts.\r\nControl access to your ESXi hosts tightly, only share the credentials with employees who need to know. Be\r\nsure to rotate the passwords after key administrators leave the company.\r\nSet long complex passwords for your ESXi server backends and store them in password vaults like Secret\r\nServer, KeePass or BitWarden.\r\nMonitor ESXI Syslog for multiple authentication failure events in a short period of time.\r\nIngest your ESXi Syslog logs into a monitoring platform and configure alarms that will warn you of virtual\r\nmachine snapshots being deleted in bulk.\r\nThis week's images were provided by Nina Z's digital art collection.\r\nHelp Support Our Non-Profit Mission\r\nIf you enjoyed this article or found it helpful, please consider donating. Secjuice is a 501(c)(6) non-profit and\r\nvolunteer-based publication powered by donations. We will use your donation to cover our hosting costs and keep\r\nSecjuice an advertisement and sponsor-free zone.\r\nDonate at Open Collective\r\nSource: https://www.secjuice.com/blue-team-detection-darkside-ransomware/\r\nhttps://www.secjuice.com/blue-team-detection-darkside-ransomware/\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.secjuice.com/blue-team-detection-darkside-ransomware/"
	],
	"report_names": [
		"blue-team-detection-darkside-ransomware"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e9f7f836-b77f-4f95-aa02-9e99d32faf1d",
			"created_at": "2024-12-21T02:00:02.857057Z",
			"updated_at": "2026-04-10T02:00:03.791142Z",
			"deleted_at": null,
			"main_name": "UNC2465",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC2465",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775438944,
	"ts_updated_at": 1775791850,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7f5799157dee8792f546d74b3ea1fe96cae21553.pdf",
		"text": "https://archive.orkl.eu/7f5799157dee8792f546d74b3ea1fe96cae21553.txt",
		"img": "https://archive.orkl.eu/7f5799157dee8792f546d74b3ea1fe96cae21553.jpg"
	}
}