{
	"id": "94c86f3c-80fc-4807-97d1-ee820c50962e",
	"created_at": "2026-04-06T00:10:33.693121Z",
	"updated_at": "2026-04-10T13:11:25.429071Z",
	"deleted_at": null,
	"sha1_hash": "922f82e12b3273d011c3184ac5b2d8173b144120",
	"title": "Meet DarkSide and Their Ransomware - SentinelOne Customers Protected",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 775316,
	"plain_text": "Meet DarkSide and Their Ransomware - SentinelOne Customers Protected\r\nBy SentinelOne\r\nPublished: 2021-05-10 · Archived: 2026-04-05 16:29:59 UTC\r\nThe recent campaign targeting Colonial Pipeline in the United States is a sobering example of the extent to which cybersecurity, and ransomware in particular, threatens everyday life. There is a lot more to this than encrypted or stolen data. It is hard to gauge the economic reverberations of a disruptive attack on critical infrastructure, whether carried out for financial gain or otherwise. With the pipeline proactively shut down as of Sunday, May 9th, there are concerns about how the outage will affect fuel prices and for how long. How the coming weeks and months play out may serve as a template for predicting the impact and risk associated with the similar attacks that will inevitably follow.\r\nSentinelOne detects and protects against DarkSide ransomware. No action is required for our customers.\r\nIn this post, we discuss the evolution of the DarkSide malware and its affiliate network, including the evolution of its feature set and recruitment areas.\r\nWho is DarkSide?\r\nThe attack on Colonial Pipeline has been attributed to DarkSide, a relatively new ransomware family that emerged on the crimeware market in August 2020.\r\nDarkSide claims not to attack Medical, Educational, Non-Profit, or Government sectors\r\nDarkSide launched as a RaaS (Ransomware-as-a-Service) with the stated goal of only targeting ‘large corporations.’ The operators are primarily focused on recruiting Russian-speaking (CIS) affiliates and are very skeptical of partnerships or interactions outside that region. From the outset, DarkSide focused on choosing the ‘right’ targets and identifying their most valuable data, which speaks to their efficiency and discernment in choosing where to focus their efforts. From their inception, DarkSide claimed they would avoid attacking the medical, educational, non-profit, or government sectors.\r\nDarkSide affiliate recruitment post\r\nAt the time of launch, the features offered by DarkSide were fairly standard. They emphasized their speed of encryption and a wealth of options for dealing with anything that might inhibit the encryption process (e.g., security software). They also advertised a Linux variant with comparable features. Following in the footsteps of recently successful ransomware families like Maze and Cl0p, DarkSide established a victim data leak blog as further leverage to encourage ransom payouts.\r\nThe original DarkSide 1.0 feature set was advertised as follows:\r\nWindows [\r\nfull ASM, salsa20 + rsa 1024,\r\ni/o, own implementation of salsa and rsa,\r\nfast / auto (improved space) / full,\r\ntoken impersonalization for working with balls,\r\nslave table, freeing busy files,\r\nchanging file permissions,\r\narp scanner,\r\nprocess termination,\r\nservice termination,\r\ndrag-and-drop and much more].\r\nLinux [\r\nC++, chacha20 + rsa 4096,\r\nmultithreading (including Hyper-threading, analog of i/o on windows),\r\nsupport for truncated OS assemblies (esxi 5.0+),\r\nfast / space,\r\ndirectory configuration and much more].\r\nAdmin panel [\r\nfull ajax,\r\nautomatic acceptance of Bitcoin, Monero,\r\ngeneration of win / lin builds with indication of all parameters (processes, services, folde\r\nbots reporting and detailed statistics on the company’s performance,\r\nautomatic distribution and withdrawal of funds,\r\nsub-accounts,\r\nonline chat and many others].\r\nLeak site [\r\nhidden posts,\r\nphased publication of target data and many more functionality].\r\nCDN system for data storage [\r\nReceiving quotas,\r\nfast data loading,\r\nstorage 6m from the moment of loading].\r\nA Well-Organized Affiliate Network\r\nHopeful affiliates are subject to DarkSide’s rigorous vetting process, which examines the candidate’s ‘work history,’ areas of expertise, and past profits, among other things. To get started, affiliates were required to deposit 20 BTC (at the time, around $300,000 USD).\r\nDarkSide announces improved CDN\r\nOver the following months, DarkSide continued to improve its services while also expanding its affiliate network. By late November 2020, DarkSide had launched a more advanced Content Delivery Network (CDN) that allowed its operators to store and distribute stolen victim data more efficiently. Many of their high-value targets found themselves listed on the victim blog, including a number of financial, accounting, and legal firms, as well as technology companies.\r\nInitial access can take many forms depending on the affiliate involved, their needs, and their timeline. A majority of the campaigns observed were initiated only after the enterprise had been thoroughly scouted via Cobalt Strike beacon infections. After the initial reconnaissance phase, the operators would deploy the DarkSide ransomware wherever it would cause the greatest disruption.\r\nDarkSide Decryption Tool – Is it Working?\r\nIn January 2021, Bitdefender released a DarkSide decryption tool, which was also posted to the NoMoreRansom project website. The tool reportedly had a high success rate.\r\nDarkSide 2.0 performance comparisons\r\nBy March, the group announced the launch of the new and improved DarkSide 2.0. The new iteration included many improvements for both the Windows and Linux variants and is not affected by the decryption tool. DarkSide 2.0 reportedly encrypts data on disk twice as fast as the original.\r\nOther updated features include:\r\nExpanded multi-processor support (parallel/simultaneous encryption across volumes)\r\nEXE and DLL-based payloads\r\nUpdated SALSA20+RSA1024 implementation with “proprietary acceleration”\r\nNew operating modes (Fast / Full / Auto)\r\n19 total build settings\r\nActive account impersonation\r\nActive Directory support (discovery and traversal)\r\nNew CMD-line parameter support\r\nOn the Linux side, DarkSide 2.0 offers the following updates:\r\nUpdated multithreading support\r\nUpdated CHACHA20 + RSA 4096 implementation\r\n2 new operating modes (Fast / Space)\r\n14 total build settings\r\nSupport for all major ESXi versions\r\nNAS support (Synology, OMV)\r\nAlong with this expanded feature set, SentinelLabs researchers have seen a shift in how the DarkSide ransomware is packed, from standard packers like VMProtect and UPX to a custom packer internally referred to as ‘encryptor2.’\r\nA Battle for Territory\r\nWith the release of DarkSide 2.0, the group has continued to increase its footprint in the ransomware landscape. Along with their territorial expansion throughout 2021, DarkSide also escalated their ‘pressure campaigns’ on victims to include DDoS attacks alongside the threat of data leakage: they can launch L3/L7 DDoS attacks if a victim chooses to resist ‘cooperation’.\r\nMore recently, DarkSide operators have been attempting to attract more expertise in assessing data and network value, along with seeking others to provide existing access or newer methods of initial access. These efforts are meant to streamline operations and increase efficiency.\r\nNew methods and talent areas\r\nThe Colonial Pipeline attack is only the latest in a slew of increasingly daring ransomware attacks. The absolute best defense against a severe ransomware attack (and the nightmare that follows) is preparation and prevention. Technology is a huge part of that, but one must not discount user hygiene and education. It is vital to keep end users up to date on what threats are out there and how to spot them. Vigilant users, along with robust preventative controls, are key. Business continuity planning and disaster recovery drills are not fun, but they are critical and necessary to ensure readiness and resilience against these threats.\r\nThe SentinelOne platform is fully capable of preventing and detecting the malware and artifacts associated with DarkSide ransomware. We hope that the pipeline starts flowing again soon; our society depends on it.\r\nIndicators of Compromise\r\nSHA256\r\n156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673\r\n4d9432e8a0ceb64c34b13d550251b8d9478ca784e50105dc0d729490fb861d1a\r\n61ca175c2f04cb5279f8507e69385577cf04e4e896a01d0b5357746a241c7846\r\nbfb31c96f9e6285f5bb60433f2e45898b8a7183a2591157dc1d766be16c29893\r\na11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210\r\n2dcac9f48c3989619e0abd200beaae901852f751c239006886ac3ec56d89e3ef\r\n243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60\r\n12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975\r\n
9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297\r\n5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7\r\n78782fd324bc98a57274bd3fff8f756217c011484ebf6b614060115a699ee134\r\ndc4b8dfff72ff08ec4daa8db4c096a350a9a1bf5434ba7796ab10ec1322ac38c\r\n8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc\r\n4edb883d1ac97824ee42d9f92917cc84b52995abcd17b2852a7e3d5bb567ffbe\r\ne9417cb1baec2826e3f5a6f64ade26c1374d74d8aa41bfabd29ea20ea5894b14\r\nfb76b4a667c6d790c39fcc93a3aac8cd2a224f0eb9ece4ecfd7825f606c2a8b6\r\nSHA1\r\n2715340f82426f840cf7e460f53a36fc3aad52aa\r\n86ca4973a98072c32db97c9433c16d405e4154ac\r\n7944ae1d281bbeeb6f317e2ececf6b4c83e63a06\r\na4e2deb65f97f657b50e48707b883ce2b138e787\r\nf90f83c3dbcbe9b5437316a67a8abe6a101ef4c3\r\n483c894ee5786704019873b0fc99080fdf1a0976\r\n7ae73b5e1622049380c9b615ce3b7f636665584b\r\n2fc8514367d4799d90311b1b1f277b3fca5ca731\r\nd1dfe82775c1d698dd7861d6dfa1352a74551d35\r\nd3495ac3b708caeceffab59949dbf8a9fa24ccef\r\n7a29a8f5e14da1ce40365849eb59487dbb389d08\r\n1f90eb879580faef3c37e10d0a0345465eebd4ee\r\n88fc623483f7ffe57f986ed10789e6723083fcd8\r\n996567f5e84b7666ff3182699da0de894e7ea662\r\n21145fd2cc8767878edbd7d1900c4c4f926a6d5b\r\n076d0d8d07368ef680aeb0c08f7f2e624c46cbc5\r\nMITRE ATT\u0026CK\r\nT1112 Modify Registry\r\nT1012 Query Registry\r\nT1082 System Information Discovery\r\nT1120 Peripheral Device Discovery\r\nT1005 Data from Local System\r\nT1486 Data Encrypted for Impact\r\nT1543.003 Create or Modify System Process: Windows Service\r\nT1490 Inhibit System Recovery\r\nT1553.004 Subvert Trust Controls: Install Root Certificate\r\nT1078 Valid Accounts\r\nSource: https://www.sentinelone.com/blog/meet-darkside-and-their-ransomware-sentinelone-customers-protected/\r\n
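Turning the IOC list above into a host sweep, as an added example (this is not SentinelOne's code or tooling, and it embeds no sample): it pulls SHA-256 and SHA-1 values out of report text with a regex, hashes every regular file under a directory in one chunked pass, and reports matches. Assumptions: Python 3 standard library only; REPORT_IOC_SECTION is an excerpt of the post's IOC section (two SHA-256 and two SHA-1 values copied from the list), and the "planted" file in demo() is constructed placeholder bytes whose digest is registered as an extra indicator so the run has something to hit offline.

```python
"""IOC hash sweep: extract SHA-256/SHA-1 indicators from report text and match
them against files on disk. Added example for this page; not SentinelOne code."""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Set, Tuple

# Hex runs of exactly 64 (SHA-256) or 40 (SHA-1) characters. The \b anchors keep
# the SHA-1 pattern from matching a 40-character slice of a SHA-256 value.
_SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
_SHA1_RE = re.compile(r"\b[0-9a-fA-F]{40}\b")

# Excerpt of the post's IOC section (two SHA-256 and two SHA-1 values copied
# from the list above), used here as sample report text.
REPORT_IOC_SECTION = """Indicators of Compromise
SHA256
156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673
4d9432e8a0ceb64c34b13d550251b8d9478ca784e50105dc0d729490fb861d1a
SHA1
2715340f82426f840cf7e460f53a36fc3aad52aa
86ca4973a98072c32db97c9433c16d405e4154ac
"""


def extract_iocs(report_text: str) -> Dict[str, Set[str]]:
    """Return {"sha256": {...}, "sha1": {...}} parsed from free-form report text.
    Values are lower-cased so matching is case-insensitive."""
    return {
        "sha256": {h.lower() for h in _SHA256_RE.findall(report_text)},
        "sha1": {h.lower() for h in _SHA1_RE.findall(report_text)},
    }


def digest_file(path: str, chunk_size: int = 1 << 20) -> Tuple[str, str]:
    """Compute SHA-256 and SHA-1 of one file in a single chunked pass."""
    h256, h1 = hashlib.sha256(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h256.update(chunk)
            h1.update(chunk)
    return h256.hexdigest(), h1.hexdigest()


def sweep(root: str, iocs: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """Walk `root`, hash every regular file, and report IOC matches.
    Symlinks are skipped, and an unreadable or locked file is skipped rather
    than aborting the whole sweep, which is what you want on a live host."""
    hits: List[Dict[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                sha256, sha1 = digest_file(path)
            except OSError:
                continue
            if sha256 in iocs["sha256"]:
                hits.append({"path": path, "algo": "sha256", "hash": sha256})
            elif sha1 in iocs["sha1"]:
                hits.append({"path": path, "algo": "sha1", "hash": sha1})
    return hits


def demo() -> List[Dict[str, str]]:
    """Offline run: plant a constructed placeholder file (not a real sample),
    register its digest as an extra indicator, and sweep a temporary directory."""
    iocs = extract_iocs(REPORT_IOC_SECTION)
    planted = b"CONSTRUCTED PLACEHOLDER: stands in for a DarkSide binary\n"
    iocs["sha256"].add(hashlib.sha256(planted).hexdigest())
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "benign.txt"), "wb") as fh:
            fh.write(b"nothing to see here\n")
        with open(os.path.join(tmp, "dropped.exe"), "wb") as fh:
            fh.write(planted)
        return sweep(tmp, iocs)


if __name__ == "__main__":
    for hit in demo():
        print(f"HIT {hit['algo']} {hit['hash']} {hit['path']}")
```

A hash indicator only matches the exact build it was taken from; the post itself notes the move from VMProtect/UPX to the custom ‘encryptor2’ packer, which changes every digest, so a sweep like this is a quick triage step to pair with behavioral detection on the ATT&CK techniques listed (T1490 Inhibit System Recovery and T1543.003 service creation in particular), not a substitute for it.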
",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/blog/meet-darkside-and-their-ransomware-sentinelone-customers-protected/"
	],
	"report_names": [
		"meet-darkside-and-their-ransomware-sentinelone-customers-protected"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434233,
	"ts_updated_at": 1775826685,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/922f82e12b3273d011c3184ac5b2d8173b144120.pdf",
		"text": "https://archive.orkl.eu/922f82e12b3273d011c3184ac5b2d8173b144120.txt",
		"img": "https://archive.orkl.eu/922f82e12b3273d011c3184ac5b2d8173b144120.jpg"
	}
}