{
	"id": "d30249a2-db71-4ce9-baec-be15b88518bc",
	"created_at": "2026-04-06T00:06:26.428252Z",
	"updated_at": "2026-04-10T13:11:54.76899Z",
	"deleted_at": null,
	"sha1_hash": "95d143aaf1242f97d9a5ea7f43ade27436b7bd57",
	"title": "Shining a Light on DARKSIDE Ransomware Operations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 740535,
	"plain_text": "Shining a Light on DARKSIDE Ransomware Operations\r\nBy Mandiant\r\nPublished: 2021-05-11 · Archived: 2026-04-05 19:06:37 UTC\r\nWritten by: Jordan Nuce, Jeremy Kennelly, Kimberly Goody, Andrew Moore, Alyssa Rahman, Matt Williams,\r\nBrendan McKeague, Jared Wilson\r\nUpdate (May 14): Mandiant has observed multiple actors cite a May 13 announcement that appeared to be shared\r\nwith DARKSIDE RaaS affiliates by the operators of the service. This announcement stated that they lost access to\r\ntheir infrastructure, including their blog, payment, and CDN servers, and would be closing their service.\r\nDecrypters would also be provided for companies who have not paid, possibly to their affiliates to distribute. The\r\npost cited law enforcement pressure and pressure from the United States for this decision. We have not\r\nindependently validated these claims and there is some speculation by other actors that this could be an exit scam.\r\nBackground\r\nSince initially surfacing in August 2020, the creators of DARKSIDE ransomware and their affiliates have\r\nlaunched a global crime spree affecting organizations in more than 15 countries and multiple industry verticals.\r\nLike many of their peers, these actors conduct multifaceted extortion where data is both exfiltrated and encrypted\r\nin place, allowing them to demand payment for unlocking and the non-release of stolen data to exert more\r\npressure on victims.\r\nThe origins of these incidents are not monolithic. DARKSIDE ransomware operates as a ransomware-as-a-service\r\n(RaaS) wherein profit is shared between its owners and partners, or affiliates, who provide access to organizations\r\nand deploy the ransomware. Mandiant currently tracks multiple threat clusters that have deployed this\r\nransomware, which is consistent with multiple affiliates using DARKSIDE. These clusters demonstrated varying\r\nlevels of technical sophistication throughout intrusions. 
While the threat actors commonly relied on commercially\r\navailable and legitimate tools to facilitate various stages of their operations, at least one of the threat clusters also\r\nemployed a now patched zero-day vulnerability.\r\nReporting on DARKSIDE has been available in advance of this blog post to users of Mandiant Advantage Free, a\r\nno-cost version of our threat intelligence platform.\r\nTargeting\r\nMandiant has identified multiple DARKSIDE victims through our incident response engagements and from\r\nreports on the DARKSIDE blog. Most of the victim organizations were based in the United States and span across\r\nmultiple sectors, including financial services, legal, manufacturing, professional services, retail, and technology.\r\nThe number of publicly named victims on the DARKSIDE blog has increased overall since August 2020, with the\r\nexception of a significant dip in the number of victims named during January 2021 (Figure 1). It is plausible that\r\nhttps://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html\r\nPage 1 of 32\n\nthe decline in January was due to threat actors using DARKSIDE taking a break during the holiday season. The\r\noverall growth in the number of victims demonstrates the increasing use of the DARKSIDE ransomware by\r\nmultiple affiliates.\r\nFigure 1: Known DARKSIDE victims (August 2020 to April 2021)\r\nDARKSIDE Ransomware Service\r\nBeginning in November 2020, the Russian-speaking actor \"darksupp\" advertised DARKSIDE RaaS on the\r\nRussian-language forums exploit.in and xss.is. In April 2021, darksupp posted an update for the \"Darkside 2.0\"\r\nRaaS that included several new features and a description of the types of partners and services they were currently\r\nseeking (Table 1). Affiliates retain a percentage of the ransom fee from each victim. 
Based on forum\r\nadvertisements, the RaaS operators take 25% for ransom fees less than $500,000, but this decreases to 10 percent\r\nfor ransom fees greater than $5 million.\r\nIn addition to providing builds of DARKSIDE ransomware, the operators of this service also maintain a blog\r\naccessible via TOR. The actors use this site to publicize victims in an attempt to pressure these organizations into\r\npaying for the non-release of stolen data. A recent update to their underground forum advertisement also indicates\r\nthat actors may attempt to DDoS victim organizations. The actor darksupp has stated that affiliates are prohibited\r\nfrom targeting hospitals, schools, universities, non-profit organizations, and public sector entities. This may be an\r\nhttps://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html\r\nPage 2 of 32\n\neffort by the actor(s) to deter law enforcement action, since targeting of these sectors may invite additional\r\nscrutiny. Affiliates are also prohibited from targeting organizations in Commonwealth of Independent States (CIS)\r\nnations.\r\nAdvertisement\r\nDate/Version\r\nFeature/Update\r\nRelated Reporting\r\n(for Mandiant\r\nAdvantage\r\ncustomers)\r\nNov. 10, 2020\r\n(V1)\r\nAbility to generate builds for both Windows and Linux\r\nenvironments from within the administration panel.\r\nEncrypts files using Salsa20 encryption along with an\r\nRSA-1024 public key\r\nAccess to an administrative panel via TOR that can be\r\nused by clients to manage Darkside builds, payments,\r\nblog posts, and communication with victims\r\nThe admin panel includes a Blog section that allows\r\nclients to publish victim information and announcements\r\nto the Darkside website for the purposes of shaming\r\nvictims and coercing them to pay ransom demands\r\n20-00023273\r\nApril 14, 2021\r\n(V2.0)\r\nAutomated test decryption. 
The process from encryption\r\nto withdrawal of money is automated and no longer relies\r\non support.\r\nAvailable DDoS of targets (Layer 3, Layer 7)\r\nSought a partner to provide network accesses to them and\r\na person or team with pentesting skills\r\n21-00008435\r\nTable 1: Notable features and updates listed on DARKSIDE advertisement thread (exploit.in)\r\nDARKSIDE Affiliates\r\nDARKSIDE RaaS affiliates are required to pass an interview after which they are provided access to an\r\nadministration panel (Figure 2). Within this panel, affiliates can perform various actions such as creating a\r\nransomware build, specifying content for the DARKSIDE blog, managing victims, and contacting support.\r\nMandiant has identified at least five Russian-speaking actors who may currently, or have previously, been\r\nDARKSIDE affiliates. Relevant advertisements associated with a portion of these threat actors have been aimed at\r\nfinding either initial access providers or actors capable of deploying ransomware on accesses already obtained.\r\nhttps://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html\r\nPage 3 of 32\n\nSome actors claiming to use DARKSIDE have also allegedly partnered with other RaaS affiliate programs,\r\nincluding BABUK and SODINOKIBI (aka REvil). For more information on these threat actors, please see\r\nMandiant Advantage.\r\nFigure 2: DARKSIDE affiliate panel\r\nAttack Lifecycle\r\nMandiant currently tracks five clusters of threat activity that have involved the deployment of DARKSIDE. 
For\r\nmore information on uncategorized threats, refer to our post, \"DebUNCing Attribution: How Mandiant Tracks\r\nUncategorized Threat Actors.\" These clusters may represent different affiliates of the DARKSIDE RaaS platform.\r\nThroughout observed incidents, the threat actor commonly relied on various publicly available and legitimate\r\ntools that are commonly used to facilitate various stages of the attack lifecycle in post-exploitation ransomware\r\nattacks (Figure 3). Additional details on three of these UNC groups are included below.\r\nhttps://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html\r\nPage 4 of 32\n\nFigure 3: TTPs seen throughout DARKSIDE ransomware engagements\r\nUNC2628\r\nUNC2628 has been active since at least February 2021. Their intrusions progress relatively quickly with the threat\r\nactor typically deploying ransomware in two to three days. We have some evidence that suggests UNC2628 has\r\npartnered with other RaaS including SODINOKIBI (REvil) and NETWALKER.\r\nIn multiple cases we have observed suspicious authentication attempts against corporate VPN\r\ninfrastructure immediately prior to the start of interactive intrusion operations. The authentication patterns\r\nwere consistent with a password spraying attack, though available forensic evidence was insufficient to\r\ndefinitively attribute this precursor activity to UNC2628.\r\nIn cases where evidence was available, the threat actor appeared to obtain initial access through corporate\r\nVPN infrastructure using legitimate credentials.\r\nUNC2628 has interacted with victim environments using various legitimate accounts, but in multiple cases\r\nhas also created and used a domain account with the username 'spservice'. Across all known intrusions,\r\nUNC2628 has made heavy use of the Cobalt Strike framework and BEACON payloads. 
BEACON\r\ncommand and control (C2) infrastructure attributed to this actor has included the following:\r\nhxxps://104.193.252[.]197:443/\r\nhxxps://162.244.81[.]253:443/\r\nhxxps://185.180.197[.]86:443/\r\nhxxps://athaliaoriginals[.]com/\r\nhxxps://lagrom[.]com:443/font.html\r\nhxxps://lagrom[.]com:443/night.html\r\nhxxps://lagrom[.]com:443/online.html\r\nhxxps://lagrom[.]com:443/send.html\r\nhxxps://lagrom[.]com/find.html?key=id#-\r\nIn at least some cases there is evidence to suggest this actor has employed Mimikatz for credential theft\r\nand privilege escalation.\r\nhttps://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html\r\nPage 5 of 32\n\nThe threat actor appeared to have used built-in commands such as ‘net’ and ‘ping’ to perform basic\r\nreconnaissance of the internal network, though it is likely that additional reconnaissance was performed via\r\nBEACON and not represented in available log sources.\r\nUNC2628 has moved laterally in environments almost exclusively via RDP using legitimate credentials\r\nand Cobalt Strike BEACON payloads. This threat cluster uses both HTTPS BEACON payloads and SMB\r\nBEACON, the latter almost exclusively using named pipes beginning with “\\\\.\\pipe\\UIA_PIPE_”\r\nIntrusions attributed to this threat cluster have progressed swiftly from intrusion to data theft and\r\nransomware deployment, and have thus not focused heavily on maintaining a persistent foothold in\r\nimpacted environments. Despite this, UNC2628 has maintained access via the collection of legitimate\r\ncredentials, the creation of attacker-controlled domain accounts (spservice), and via the creation of\r\nWindows services intended to launch BEACON. Notably, UNC2628 has repeatedly loaded BEACON with\r\na service named ‘CitrixInit’.\r\nUNC2628 has also employed F-Secure Labs' Custom Command and Control (C3) framework, deploying\r\nrelays configured to proxy C2 communications through the Slack API. 
Based on this actor's other TTPs\r\nthey were likely using C3 to obfuscate Cobalt Strike BEACON traffic.\r\nThe threat actor has exfiltrated data over SFTP using Rclone to systems in cloud hosting environments.\r\nRclone is a command line utility to manage files for cloud storage applications. Notably, the infrastructure\r\nused for data exfiltration has been reused across multiple intrusions. In one case, the data exfiltration\r\noccurred on the same day that the intrusion began.\r\nUNC2628 deploys DARKSIDE ransomware encryptors using PsExec to a list of hosts contained in\r\nmultiple text files.\r\nThe threat actor has used the following directories, placing copies of backdoors, ransomware binaries,\r\ncopies of PsExec, and lists of victim hosts within them.\r\nC:\\run\\\r\nC:\\home\\\r\nC:\\tara\\\r\nC:\\Users\\[username]\\Music\\\r\nC:\\Users\\Public\r\nUNC2659\r\nUNC2659 has been active since at least January 2021. We have observed the threat actor move through the whole\r\nattack lifecycle in under 10 days. UNC2659 is notable given their use of an exploit in the SonicWall SMA100 SSL\r\nVPN product, which has since been patched by SonicWall. The threat actor appeared to download several tools\r\nused for various phases of the attack lifecycle directly from those tools’ legitimate public websites.\r\nThe threat actor obtained initial access to their victim by exploiting CVE-2021-20016, an exploit in the\r\nSonicWall SMA100 SSL VPN product, which has been patched by SonicWall. There is some evidence to\r\nsuggest the threat actor may have used the vulnerability to disable multi-factor authentication options on\r\nthe SonicWall VPN, although this has not been confirmed.\r\nThe threat actor leveraged TeamViewer (TeamViewer_Setup.exe) to establish persistence within the victim\r\nenvironment. 
Available evidence suggests that the threat actor downloaded TeamViewer directly from the\r\nfollowing URL and also browsed for locations from which they could download the AnyDesk utility.\r\nhttps://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html\r\nPage 6 of 32\n\nhxxps://dl.teamviewer[.]com/download/version_15x/TeamViewer_Setup.exe\r\nThe threat actor appeared to download the file rclone.exe directly from rclone[.]org -\r\nhxxps://downloads.rclone[.]org/v1.54.0/rclone-v1.54.0-windows-amd64.zip. The threat actors were seen\r\nusing rclone to exfiltrate hundreds of gigabytes of data over the SMB protocol to the pCloud cloud-based\r\nhosting and storage service.\r\nThe threat actor deployed the file power_encryptor.exe in a victim environment, encrypting files and\r\ncreating ransom notes over the SMB protocol.\r\nMandiant observed the threat actor navigate to ESXi administration interfaces and disable snapshot\r\nfeatures prior to the ransomware encryptor deployment, which affected several VM images.\r\nUNC2465\r\nUNC2465 activity dates back to at least April 2019 and is characterized by their use of similar TTPs to distribute\r\nthe PowerShell-based .NET backdoor SMOKEDHAM in victim environments. In one case where DARKSIDE\r\nwas deployed, there were months-long gaps, with only intermittent activity between the time of initial\r\ncompromise to ransomware deployment. In some cases, this could indicate that initial access was provided by a\r\nseparate actor.\r\nUNC2465 used phishing emails and legitimate services to deliver the SMOKEDHAM backdoor.\r\nSMOKEDHAM is a .NET backdoor that supports keylogging, taking screenshots, and executing arbitrary\r\n.NET commands. During one incident, the threat actor appeared to establish a line of communication with\r\nthe victim before sending a malicious Google Drive link delivering an archive containing an LNK\r\ndownloader. 
More recent UNC2465 emails have used Dropbox links with a ZIP archive containing\r\nmalicious LNK files that, when executed, would ultimately lead to SMOKEDHAM being downloaded\r\nonto the system.\r\nUNC2465 has used Advanced IP Scanner, BLOODHOUND, and RDP for internal reconnaissance and\r\nlateral movement activities within victim environments.\r\nThe threat actor has used Mimikatz for credential harvesting to escalate privileges in the victim network.\r\nUNC2465 also uses the publicly available NGROK utility to bypass firewalls and expose remote desktop\r\nservice ports, like RDP and WinRM, to the open internet.\r\nMandiant has observed the threat actor using PsExec and cron jobs to deploy the DARKSIDE ransomware.\r\nUNC2465 has called the customer support lines of victims and told them that data was stolen and\r\ninstructed them to follow the link in the ransom note.\r\nImplications\r\nWe believe that threat actors have become more proficient at conducting multifaceted extortion operations and that\r\nthis success has directly contributed to the rapid increase in the number of high-impact ransomware incidents over\r\nthe past few years. Ransomware operators have incorporated additional extortion tactics designed to increase the\r\nlikelihood that victims will acquiesce to paying the ransom prices. As one example, in late April 2021, the\r\nDARKSIDE operators released a press release stating that they were targeting organizations listed on the\r\nNASDAQ and other stock markets. 
They indicated that they would be willing to give stock traders information\r\nabout upcoming leaks in order to allow them potential profits due to stock price drops after an announced breach.\r\nIn another notable example, an attacker was able to obtain the victim's cyber insurance policy and leveraged this\r\nhttps://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html\r\nPage 7 of 32\n\ninformation during the ransom negotiation process refusing to lower the ransom amount given their knowledge of\r\nthe policy limits. This reinforces that during the post-exploitation phase of ransomware incidents, threat actors can\r\nengage in internal reconnaissance and obtain data to increase their negotiating power. We expect that the extortion\r\ntactics that threat actors use to pressure victims will continue to evolve throughout 2021.\r\nBased on the evidence that DARKSIDE ransomware is distributed by multiple actors, we anticipate that the TTPs\r\nused throughout incidents associated with this ransomware will continue to vary somewhat. For more\r\ncomprehensive recommendations for addressing ransomware, please refer to our blog post: \"Ransomware\r\nProtection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening, and Containment\"\r\nand the linked white paper.\r\nAcknowledgements\r\nBeyond the comparatively small number of people who are listed as authors on this report are hundreds of\r\nconsultants, analysts and reverse-engineers who tirelessly put in the work needed to respond to intrusions at\r\nbreakneck pace and still maintain unbelievably high analytical standards. This larger group has set the foundation\r\nfor all of our work, but a smaller group of people contributed more directly to producing this report and we would\r\nlike to thank them by name. 
We would like to specifically thank Bryce Abdo and Matthew Dunwoody from our\r\nAdvanced Practices team and Jay Smith from FLARE, all of whom provided analytical support and technical\r\nreview. Notable support was also provided by Ioana Teaca and Muhammadumer Khan.\r\nAppendix A: DARKSIDE Ransomware Analysis\r\nDARKSIDE is a ransomware written in C that may be configured to encrypt files on fixed and removable disks as\r\nwell as network shares. DARKSIDE RaaS affiliates are given access to an administration panel on which they\r\ncreate builds for specific victims. The panel allows some degree of customization for each ransomware build such\r\nas choosing the encryption mode and whether local disks and network shares should be encrypted (Figure 4). The\r\nfollowing malware analysis is based on the file MD5: 1a700f845849e573ab3148daef1a3b0b. A more recently\r\nanalyzed DARKSIDE sample had the following notable differences:\r\nThe option for beaconing to a C2 server was disabled and the configuration entry that would have\r\ncontained a C2 server was removed.\r\nIncluded a persistence mechanism in which the malware creates and launches itself as a service.\r\nContained a set of hard-coded victim credentials that were used to attempt to log on as a local user. If the\r\nuser token retrieved based on the stolen credentials is an admin token and is part of the domain\r\nadministrators' group, it is used for network enumeration and file permission access.\r\nFigure 4: DARKSIDE build configuration options appearing in the administration panel\r\nHost-Based Indicators\r\nPersistence Mechanism\r\nEarly versions of the malware did not contain a persistence mechanism. An external tool or installer was required\r\nif the attacker desired persistence. 
A DARKSIDE version observed in May 2021 implements a persistence\r\nmechanism through which the malware creates and launches itself as a service with a service name and\r\ndescription named using eight pseudo-randomly defined lowercase hexadecimal characters (e.g., \".e98fc8f7\") that\r\nare also appended by the malware to various other artifacts it creates. This string of characters is referenced as . :\r\nService Name:\r\nDescription:\r\nFilesystem Artifacts\r\nCreated Files\r\n%CD%\\LOG.TXT\r\nREADME.TXT\r\nMay version: %PROGRAMDATA%\\.ico\r\nRegistry Artifacts\r\nThe DARKSIDE version observed in May sets the following registry key:\r\nHKCR\\\\DefaultIcon\\\\DefaultIcon=%PROGRAMDATA%\\.ico\r\nDetails\r\nConfiguration\r\nThe malware initializes a 0x100-byte keystream used to decrypt strings and configuration data. Strings are\r\ndecrypted as needed and overwritten with NULL bytes after use. 
The malware's configuration size is 0xBE9 bytes.\r\nA portion of the decrypted configuration is shown in Figure 5.\r\n00000000 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000080 95 AA A8 7C 2B 6A D5 12 0E 73 B3 7D BD 16 25 62 •ª¨|+jÕ..s³}½.%b\r\n00000090 A4 A8 BF 19 73 F7 E0 BC DF 02 A8 94 32 CF 0C C0 ¤¨¿.s÷à¼ß.¨\"2Ï.À\r\n000000A0 C5 83 0F 14 66 02 87 EE FD 29 96 DF 02 05 C1 12 Åƒ..f.‡îý)–ß..Á.\r\n000000B0 3E 43 A7 59 E1 F0 C4 5D AE E1 20 2E 77 D9 CA 3C \u003eC§YáðÄ]®á .wÙÊ\u003c\r\n000000C0 AD C6 BC 84 75 1C E7 0B F0 30 2A 51 13 7A B2 66 .Æ¼„u.ç.ð0*Q.z²f\r\n000000D0 44 73 79 E1 E4 69 C3 CA 1B C1 76 63 65 95 EA CA DsyáäiÃÊ.Ávce•êÊ\r\n000000E0 F6 10 68 0D CE 36 61 F9 57 B9 19 50 31 D4 E1 70 ö.h.Î6aùW¹.P1Ôáp\r\n000000F0 EC 7B 33 1E 4F 17 E1 80 1D BC CF 8C D8 C5 66 41 ì{3.O.á€.¼ÏŒØÅfA\r\n00000100 E5 0A 00 00 02 6E 01 02 15 03 43 01 8E 24 0E 72 å....n....C.Ž$.r\r\n\u003ccut\u003e\r\nFigure 5: Partial decrypted configuration\r\nThe sample's 0x80-byte RSA public key blob begins at offset 0x80. The DWORD value at offset 0x100 is\r\nmultiplied by 64 and an amount of memory equivalent to the result is allocated. The remaining bytes, which start\r\nat offset 0x104, are aPLib-decompressed into the allocated buffer. The decompressed bytes include the ransom\r\nnote and other elements of the malware's configuration described as follows (e.g., processes to terminate, files to\r\nignore). 
The first 0x60 bytes of the decompressed configuration are shown in Figure 6.\r\n00000000 02 01 01 01 00 01 01 00 01 01 01 01 01 01 01 01 ................\r\n00000010 01 01 01 01 01 01 24 00 72 00 65 00 63 00 79 00 ......$.r.e.c.y.\r\n00000020 63 00 6C 00 65 00 2E 00 62 00 69 00 6E 00 00 00 c.l.e...b.i.n...\r\n00000030 63 00 6F 00 6E 00 66 00 69 00 67 00 2E 00 6D 00 c.o.n.f.i.g...m.\r\n00000040 73 00 69 00 00 00 24 00 77 00 69 00 6E 00 64 00 s.i...$.w.i.n.d.\r\n00000050 6F 00 77 00 73 00 2E 00 7E 00 62 00 74 00 00 00 o.w.s...~.b.t...\r\n\u003ccut\u003e\r\nFigure 6: Partial decompressed configuration\r\nThe first byte from Figure 6 indicates the encryption mode. This sample is configured to encrypt using FAST\r\nmode. Supported values are as follows:\r\n1: FULL\r\nhttps://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html\r\nPage 10 of 32\n\n2: FAST\r\nOther values: AUTO\r\nThe individual bytes from offset 0x02 to offset 0x15 in Figure 6 are Boolean values that dictate the malware's\r\nbehavior. The malware takes the actions listed in Table 2 based on these values. 
Table 2 also identifies features\r\nthat are enabled or disabled for the current sample.\r\nOffset Enabled Description\r\n0x01 Yes Unknown\r\n0x02 Yes Encrypt local disks\r\n0x03 Yes Encrypt network shares\r\n0x04 No Perform language check\r\n0x05 Yes Delete volume shadow copies\r\n0x06 Yes Empty Recycle Bins\r\n0x07 No Self-delete\r\n0x08 Yes Perform UAC bypass if necessary\r\n0x09 Yes Adjust token privileges\r\n0x0A Yes Logging\r\n0x0B Yes\r\nFeature not used but results in the following strings being decrypted:\r\nhttps://google.com/api/version\r\nhttps://yahoo.com/v2/api\r\n0x0C Yes Ignore specific folders\r\n0x0D Yes Ignore specific files\r\n0x0E Yes Ignore specific file extensions\r\n0x0F Yes Feature not used; related to these strings: \"backup\" and \"here_backups\"\r\nhttps://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html\r\nPage 11 of 32\n\n0x10 Yes Feature not used: related to these strings: \"sql\" and \"sqlite\"\r\n0x11 Yes Terminate processes\r\n0x12 Yes Stop services\r\n0x13 Yes Feature not used; related to a buffer that contains the repeated string \"blah\"\r\n0x14 Yes Drop ransom note\r\n0x15 Yes Create a mutex\r\nTable 2: Configuration bits\r\nUAC Bypass\r\nIf the malware does not have elevated privileges, it attempts to perform one of two User Account Control (UAC)\r\nbypasses based on the operating system (OS) version. If the OS is older than Windows 10, the malware uses a\r\ndocumented slui.exe file handler hijack technique. This involves setting the registry value\r\nHKCU\\Software\\Classes\\exefile\\shell\\open\\command\\Default to the malware path and executing slui.exe using\r\nthe verb \"runas.\"\r\nIf the OS version is Windows 10 or newer, the malware attempts a UAC bypass that uses the CMSTPLUA COM\r\ninterface. 
The decrypted strings listed in Figure 7 are used to perform this technique.\r\nElevation:Administrator!new:\r\n{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\r\nFigure 7: Decrypted UAC bypass strings\r\nEncryption Setup\r\nThe malware generates a pseudo-random file extension based on a MAC address on the system. In a DARKSIDE\r\nversion observed in May 2021, the file extension is generated using a MachineGuid registry value as a seed rather\r\nthan the MAC address. The file extension consists of eight lowercase hexadecimal characters (e.g., \".e98fc8f7\")\r\nand is referred to as \u003cransom_ext\u003e. The file extension generation algorithm has been recreated in Python. If\r\nlogging is enabled, the malware creates the log file LOG\u003cransom_ext\u003e.TXT in its current directory.\r\nhttps://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html\r\nPage 12 of 32\n\nThe malware supports the command line argument \"-path,\" which allows an attacker to specify a directory to\r\ntarget for encryption.\r\nThe sample analyzed for this report is not configured to perform a system language check. If this functionality\r\nwere enabled and the check succeeded, the string \"This is a Russian-Speaking System, Exit\" would be written to\r\nthe log file and the malware would exit.\r\nAnti-Recovery Techniques\r\nThe malware locates and empties Recycle Bins on the system. 
If the process is running under WOW64, it executes\r\nthe PowerShell command in Figure 8 using CreateProcess to delete volume shadow copies.\r\npowershell -ep bypass -c \"(0..61)|%{$s+=[char][byte]\r\n('0x'+'4765742D576D694F626A6563742057696E33325F536861646F7763\r\n6F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s\"\r\nFigure 8: Encoded PowerShell command\r\nThe decoded command from Figure 8 is \"Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}.\"\r\nIf the malware is not running under WOW64, it uses COM objects and WMI commands to delete volume shadow\r\ncopies. The decrypted strings in Figure 9 are used to facilitate this process.\r\nroot/cimv2\r\nSELECT * FROM Win32_ShadowCopy\r\nWin32_ShadowCopy.ID='%s'\r\nFigure 9: Decrypted strings related to shadow copy deletion\r\nSystem Manipulation\r\nAny service whose name contains one of the strings listed in Figure 10 is stopped and deleted.\r\nvss\r\nsql\r\nsvc$\r\nmemtas\r\nmepocs\r\nsophos\r\nveeam\r\nbackup\r\nFigure 10: Service-related strings\r\nThe version observed in May 2021 is additionally configured to stop and delete services containing the strings\r\nlisted in Figure 11.\r\nGxVss\r\nGxBlr\r\nGxFWD\r\nGxCVD\r\nGxCIMgr\r\nFigure 11: Additional service-related strings in May version\r\nAny process name containing one of the strings listed in Figure 12 is terminated.\r\nsql\r\noracle\r\nocssd\r\ndbsnmp\r\nsynctime\r\nagntsvc\r\nisqlplussvc\r\nxfssvccon\r\nmydesktopservice\r\nocautoupds\r\nencsvc\r\nfirefox\r\ntbirdconfig\r\nmydesktopqos\r\nocomm\r\ndbeng50\r\nsqbcoreservice\r\nexcel\r\ninfopath\r\nmsaccess\r\nmspub\r\nonenote\r\noutlook\r\npowerpnt\r\nsteam\r\nthebat\r\nthunderbird\r\nvisio\r\nwinword\r\nwordpad\r\nnotepad\r\nFigure 12: Process-related strings\r\nFile 
Encryption\r\nhttps://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html\r\nPage 14 of 32\n\nBased on its configuration, the malware targets fixed and removable disks as well as network shares. Some\r\nprocesses may be terminated so associated files can be successfully encrypted. However, the malware does not\r\nterminate processes listed in Figure 13.\r\nvmcompute.exe\r\nvmms.exe\r\nvmwp.exe\r\nsvchost.exe\r\nTeamViewer.exe\r\nexplorer.exe\r\nFigure 13: Processes not targeted for termination\r\nThe malware uses the strings listed in Figure 14 to ignore certain directories during the encryption process.\r\nwindows\r\nappdata\r\napplication data\r\nboot\r\ngoogle\r\nmozilla\r\nprogram files\r\nprogram files (x86)\r\nprogramdata\r\nsystem volume information\r\ntor browser\r\nwindows.old\r\nintel\r\nmsocache\r\nperflogs\r\nx64dbg\r\npublic\r\nall users\r\ndefault\r\nFigure 14: Strings used to ignore directories\r\nThe files listed in Figure 15 are ignored.\r\n$recycle.bin\r\nconfig.msi\r\n$windows.~bt\r\n$windows.~ws\r\nFigure 15: Ignored files\r\nhttps://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html\r\nPage 15 of 32\n\nThe version observed in May 2021 is additionally configured to ignore the files listed in Figure 16.\r\nautorun.inf\r\nboot.ini\r\nbootfont.bin\r\nbootsect.bak\r\ndesktop.ini\r\niconcache.db\r\nntldrntuser.dat\r\nntuser.dat\r\nlogntuser.ini\r\nthumbs.db\r\nFigure 16: Additional ignored files in May version\r\nAdditional files are ignored based on the extensions listed in Figure 17.\r\n.386, .adv, .ani, .bat, .bin, .cab, .cmd, .com, .cpl, .cur, .deskthemepack, .diagcab, .diagcfg, .diagpkg, .dll,\r\nFigure 17: Ignored file extensions\r\nFiles are encrypted using Salsa20 and a key randomly generated using RtlRandomEx. 
Each key is encrypted using\r\nthe embedded RSA-1024 public key.\r\nRansom Note\r\nThe malware writes the ransom note shown in Figure 18 to README\u003cransom_ext\u003e.TXT files written to\r\ndirectories it traverses.\r\n----------- [ Welcome to Dark ] -------------\u003e\r\nWhat happend?\r\n----------------------------------------------\r\nYour computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you canno\r\nBut you can restore everything by purchasing a special program from us - universal decryptor. This program will\r\nFollow our instructions below and you will recover all your data.\r\nData leak\r\n----------------------------------------------\r\nFirst of all we have uploaded more then 100 GB data.\r\nExample of data:\r\n - Accounting data\r\n - Executive data\r\n - Sales data\r\n - Customer Support data\r\n - Marketing data\r\nhttps://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html\r\nPage 16 of 32\n\n- Quality data\r\n - And more other...\r\nYour personal leak page: http://darksidedxcftmqa[.]onion/blog/article/id/6/\u003cREDACTED\u003e\r\nThe data is preloaded and will be automatically published if you do not pay.\r\nAfter publication, your data will be available for at least 6 months on our tor cdn servers.\r\nWe are ready:\r\n- To provide you the evidence of stolen data\r\n- To give you universal decrypting tool for all encrypted files.\r\n- To delete all the stolen data.\r\nWhat guarantees?\r\n----------------------------------------------\r\nWe value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our intere\r\nAll our decryption software is perfectly tested and will decrypt your data. We will also provide support in case\r\nWe guarantee to decrypt one file for free. 
Go to the site and contact us.\r\nHow to get access on website?\r\n----------------------------------------------\r\nUsing a TOR browser:\r\n1) Download and install TOR browser from this site: https://torproject.org/\r\n2) Open our website: http://darksidfqzcuhtk2[.]onion/\u003cREDACTED\u003e\r\nWhen you open our website, put the following data in the input form:\r\nKey:\r\n\u003cREDACTED\u003e\r\n!!! DANGER !!!\r\nDO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.\r\n!!! DANGER !!!\r\nFigure 18: Ransom note\r\nDecrypted Strings\r\nGlobal\\XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\r\nhttps://google.com/api/version\r\nhttps://yahoo.com/v2/api\r\nsql\r\nsqlite\r\n$recycle.bin\r\nconfig.msi\r\n$windows.~bt\r\n$windows.~ws\r\nwindows\r\nappdata\r\napplication data\r\nboot\r\ngoogle\r\nmozilla\r\nprogram files\r\nprogram files (x86)\r\nprogramdata\r\nsystem volume information\r\ntor browser\r\nwindows.old\r\nintel\r\nmsocache\r\nperflogs\r\nx64dbg\r\npublic\r\nall users\r\ndefault\r\n386\r\nadv\r\nani\r\nbat\r\nbin\r\ncab\r\ncmd\r\ncom\r\ncpl\r\ncur\r\ndeskthemepack\r\ndiagcab\r\ndiagcfg\r\ndiagpkg\r\ndll\r\ndrv\r\nexe\r\nhlp\r\nicl\r\nicns\r\nico\r\nics\r\nidx\r\nldf\r\nlnk\r\nmod\r\nmpa\r\nmsc\r\nmsp\r\nmsstyles\r\nmsu\r\nnls\r\nnomedia\r\nocx\r\nprf\r\nps1\r\nrom\r\nrtp\r\nscr\r\nshs\r\nspl\r\nsys\r\ntheme\r\nthemepack\r\nwpx\r\nlock\r\nkey\r\nhta\r\nmsi\r\npdb\r\nvmcompute.exe\r\nvmms.exe\r\nvmwp.exe\r\nsvchost.exe\r\nTeamViewer.exe\r\nexplorer.exe\r\noracle\r\nocssd\r\ndbsnmp\r\nsynctime\r\nagntsvc\r\nisqlplussvc\r\nxfssvccon\r\nmydesktopservice\r\nocautoupds\r\nencsvc\r\nfirefox\r\ntbirdconfig\r\nmydesktopqos\r\nocomm\r\ndbeng50\r\nsqbcoreservice\r\nexcel\r\ninfopath\r\nmsaccess\r\nmspub\r\nonenote\r\noutlook\r\npowerpnt\r\nsteam\r\nthebat\r\nthunderbird\r\nvisio\r\nwinword\r\nwordpad\r\nnotepad\r\nvss\r\nsql\r\nsvc$\r\nmemtas\r\nmepocs\r\nsophos\r\nveeam\r\nbackup\r\n\\r\\nblahblahblahblahblahblahblahblahblahblahblahblahblahblahblahblah\\r\\nblahblahblahblahblahblahblahblahblahblahblahblahblahblahblahblah\\r\\nblahblahblahblahblahblahblahblahblahblahblahblahblahblahblahblah\\r\\nblahblahblah\\r\\n\r\n\\r\\n----------- [ Welcome to Dark ] -------------\u003e\\r\\n\\r\\nWhat happend?\\r\\n-------------------------------------\r\n-path\r\nINF\r\nDBG\r\n/C DEL /F /Q\r\n \u003e\u003e NUL\r\nComSpec\r\nREADME\r\n.TXT\r\nStart Encrypting Target Folder\r\nEncrypt Mode - AUTO\r\nStarted %u I/O Workers\r\nEncrypted %u file(s)\r\nStart Encrypt\r\n[Handle %u]\r\nFile Encrypted Successful\r\nEncrypt Mode - FAST\r\nEncrypt Mode - FULL\r\nThis is a Russian-Speaking System, Exit\r\nSystem Language Check\r\nEncrypting Network Shares\r\nEncrypting Local Disks\r\nREADME\r\n.TXT\r\nEncrypt Mode - AUTO\r\nStarted %u I/O Workers\r\nEncrypted %u file(s)\r\nStart Encrypt\r\n[Handle %u]\r\nFile Encrypted Successful\r\nEncrypt Mode - FAST\r\nEncrypt Mode - FULL\r\nTerminating Processes\r\nDeleting Shadow Copies\r\nUninstalling Services\r\nEmptying Recycle Bin\r\nThis is a 
Russian-Speaking System, Exit\r\nSystem Language Check\r\nStart Encrypting All Files\r\npowershell -ep bypass -c \"(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s\"\r\nroot/cimv2\r\nWQL\r\nSELECT * FROM Win32_ShadowCopy\r\nID\r\nWin32_ShadowCopy.ID='%s'\r\n.exe\r\nLOG%s.TXT\r\nREADME%s.TXT\r\nSoftware\\Classes\\exefile\\shell\\open\\command\r\n\\slui.exe\r\nrunas\r\nElevation:Administrator!new:\r\n{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\r\nexplorer.exe\r\nFigure 19: Decrypted strings\r\nThe hex-encoded PowerShell in Figure 19 decodes to Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, which deletes Volume Shadow Copies through WMI. The adjacent strings root/cimv2, SELECT * FROM Win32_ShadowCopy and Win32_ShadowCopy.ID='%s' indicate that the same deletion is also performed through direct WMI calls, consistent with the Deleting Shadow Copies status string.\r\nAppendix B: Indicators for Detection and Hunting\r\nYARA Detections\r\nThe following YARA rules are not intended to be used on production systems or to inform blocking rules without first being validated through an organization's own internal testing processes to ensure appropriate performance and limit the risk of false positives. These rules are intended to serve as a starting point for hunting efforts to identify related activity; however, they may need adjustment over time if the malware family changes.\r\nrule Ransomware_Win_DARKSIDE_v1__1\r\n{\r\n meta:\r\n author = \"FireEye\"\r\n date_created = \"2021-03-22\"\r\n description = \"Detection for early versions of DARKSIDE ransomware samples based on the encryption mode\r\n md5 = \"1a700f845849e573ab3148daef1a3b0b\"\r\n strings:\r\n $consts = { 80 3D [4] 01 [1-10] 03 00 00 00 [1-10] 03 00 00 00 [1-10] 00 00 04 00 [1-10] 00 00 00 00 [1-\r\n condition:\r\n (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and $consts\r\n}\r\nFigure 20: DARKSIDE YARA rule\r\nrule Dropper_Win_Darkside_1\r\n{\r\n meta:\r\n author = \"FireEye\"\r\n date_created = \"2021-05-11\"\r\n description = \"Detection for the binary that was used as the dropper leading to 
DARKSIDE.\"\r\n strings:\r\n $CommonDLLs1 = \"KERNEL32.dll\" fullword\r\n $CommonDLLs2 = \"USER32.dll\" fullword\r\n $CommonDLLs3 = \"ADVAPI32.dll\" fullword\r\n $CommonDLLs4 = \"ole32.dll\" fullword\r\n $KeyString1 = { 74 79 70 65 3D 22 77 69 6E 33 32 22 20 6E 61 6D 65 3D 22 4D 69 63 72 6F 73 6F 66 74 2E 5\r\n $KeyString2 = { 74 79 70 65 3D 22 77 69 6E 33 32 22 20 6E 61 6D 65 3D 22 4D 69 63 72 6F 73 6F 66 74 2E 5\r\n $Slashes = { 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C } // twenty '|' characters\r\n condition:\r\n filesize \u003c 2MB and filesize \u003e 500KB and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (\r\n}\r\nFigure 21: DARKSIDE Dropper YARA rule\r\nrule Backdoor_Win_C3_1\r\n{\r\n meta:\r\n author = \"FireEye\"\r\n date_created = \"2021-05-11\"\r\n description = \"Detection to identify the Custom Command and Control (C3) binaries.\"\r\n md5 = \"7cdac4b82a7573ae825e5edb48f80be5\"\r\n strings:\r\n $dropboxAPI = \"Dropbox-API-Arg\"\r\n $knownDLLs1 = \"WINHTTP.dll\" fullword\r\n $knownDLLs2 = \"SHLWAPI.dll\" fullword\r\n $knownDLLs3 = \"NETAPI32.dll\" fullword\r\n $knownDLLs4 = \"ODBC32.dll\" fullword\r\n $tokenString1 = { 5B 78 5D 20 65 72 72 6F 72 20 73 65 74 74 69 6E 67 20 74 6F 6B 65 6E } // \"[x] error setting token\"\r\n $tokenString2 = { 5B 78 5D 20 65 72 72 6F 72 20 63 72 65 61 74 69 6E 67 20 54 6F 6B 65 6E } // \"[x] error creating Token\"\r\n $tokenString3 = { 5B 78 5D 20 65 72 72 6F 72 20 64 75 70 6C 69 63 61 74 69 6E 67 20 74 6F 6B 65 6E } // \"[x] error duplicating token\"\r\n condition:\r\n filesize \u003c 5MB and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (((all of ($knownDLLs*\r\nFigure 22: Custom Command and Control (C3) YARA rule\r\nDetecting DARKSIDE\r\nFireEye products detect this activity at multiple stages of the attack lifecycle. The following table contains specific detections intended to identify and prevent malware and methods seen at these intrusions. 
For brevity, this list does not include FireEye’s existing detections for BEACON, BloodHound/SharpHound, and other common tools and malware that FireEye has observed both in this campaign and across a broad range of intrusion operations.\r\nPlatform(s) / Detection Name\r\nNetwork Security, Email Security, Detection On Demand, Malware Analysis, File Protect\r\n  Ransomware.SSL.DarkSide\r\n  Trojan.Generic\r\n  Ransomware.Linux.DARKSIDE\r\n  Ransomware.Win.Generic.MVX\r\n  Ransomware.Win.DARKSIDE.MVX\r\n  Ransomware.Linux.DARKSIDE.MVX\r\n  Ransomware.Win32.DarkSide.FEC3\r\n  FE_Ransomware_Win_DARKSIDE_1\r\n  FE_Ransomware_Win32_DARKSIDE_1\r\n  FE_Ransomware_Linux64_DARKSIDE_1\r\n  FE_Ransomware_Linux_DARKSIDE_1\r\n  FEC_Trojan_Win32_Generic_62\r\n  FE_Loader_Win32_Generic_177\r\n  FE_Loader_Win32_Generic_197\r\n  FE_Backdoor_Win_C3_1\r\n  FE_Backdoor_Win32_C3_1\r\n  FE_Backdoor_Win32_C3_2\r\n  FE_Backdoor_Win_C3_2\r\n  Backdoor.Win.C3\r\n  FE_Dropper_Win_Darkside_1\r\nEndpoint Security: Real-Time (IOC)\r\n  BABYMETAL (BACKDOOR)\r\n  DARKSIDE RANSOMWARE (FAMILY)\r\n  SUSPICIOUS POWERSHELL USAGE (METHODOLOGY)\r\n  SUSPICIOUS POWERSHELL USAGE B (METHODOLOGY)\r\nEndpoint Security: Malware Protection (AV/MG)\r\n  Generic.mg.*\r\n  Gen:Heur.FKP.17\r\n  Gen:Heur.Ransom.RTH.1\r\n  Gen:Trojan.Heur.PT.omZ@bSEA3vk\r\n  Gen:Variant.Razy.*\r\n  Trojan.CobaltStrike.CB\r\n  Trojan.GenericKD.*\r\n  Trojan.Linux.Ransom.H\r\nEndpoint Security: UAC Protect\r\n  Malicious UAC bypass program detected\r\nHelix\r\n  VPN ANALYTICS [Abnormal Logon]\r\n  WINDOWS ANALYTICS [Abnormal RDP Logon]\r\n  TEAMVIEWER CLIENT [User-Agent]\r\n  WINDOWS METHODOLOGY [Plink Reverse Tunnel]\r\n  WINDOWS METHODOLOGY - SERVICES [PsExec]\r\nMandiant Security Validation Actions\r\nOrganizations can validate their security controls using the following actions with Mandiant Security Validation.\r\nVID Title\r\nA101-700  Malicious File Transfer - DARKSIDE, Download, Variant #2\r\nA101-701  
Malicious File Transfer - DARKSIDE, Download, Variant #3\r\nA101-702  Malicious File Transfer - DARKSIDE, Download, Variant #4\r\nA101-703  Malicious File Transfer - DARKSIDE, Download, Variant #5\r\nA101-704  Malicious File Transfer - DARKSIDE, Download, Variant #6\r\nA101-705  Malicious File Transfer - DARKSIDE, Download, Variant #7\r\nA101-706  Malicious File Transfer - DARKSIDE, Download, Variant #8\r\nA101-707  Malicious File Transfer - DARKSIDE, Download, Variant #9\r\nA101-708  Malicious File Transfer - DARKSIDE, Download, Variant #10\r\nA101-709  Malicious File Transfer - DARKSIDE, Download, Variant #11\r\nA101-710  Malicious File Transfer - DARKSIDE, Download, Variant #12\r\nA101-711  Malicious File Transfer - DARKSIDE, Download, Variant #13\r\nA101-712  Malicious File Transfer - DARKSIDE, Download, Variant #14\r\nA101-713  Malicious File Transfer - DARKSIDE, Download, Variant #15\r\nA101-714  Malicious File Transfer - DARKSIDE, Download, Variant #16\r\nA101-715  Malicious File Transfer - DARKSIDE, Download, Variant #17\r\nA101-716  Malicious File Transfer - DARKSIDE, Download, Variant #18\r\nA101-717  Malicious File Transfer - DARKSIDE, Download, Variant #19\r\nA101-718  Malicious File Transfer - DARKSIDE, Download, Variant #20\r\nA101-719  Malicious File Transfer - DARKSIDE, Download, Variant #21\r\nA101-720  Malicious File Transfer - DARKSIDE, Download, Variant #22\r\nA101-721  Malicious File Transfer - DARKSIDE, Download, Variant #23\r\nA101-722  Malicious File Transfer - DARKSIDE, Download, Variant #24\r\nA101-723  Malicious File Transfer - DARKSIDE, Download, Variant #25\r\nA101-724  Malicious File Transfer - DARKSIDE, Download, Variant #26\r\nA101-725  Malicious File 
Transfer - DARKSIDE, Download, Variant #27\r\nA101-726  Malicious File Transfer - DARKSIDE, Download, Variant #28\r\nA101-727  Malicious File Transfer - DARKSIDE, Download, Variant #29\r\nA101-728  Malicious File Transfer - DARKSIDE, Download, Variant #30\r\nA101-729  Malicious File Transfer - DARKSIDE, Download, Variant #31\r\nA101-730  Malicious File Transfer - DARKSIDE, Download, Variant #32\r\nA101-731  Malicious File Transfer - DARKSIDE, Download, Variant #33\r\nA101-732  Malicious File Transfer - DARKSIDE, Download, Variant #34\r\nA101-733  Malicious File Transfer - DARKSIDE, Download, Variant #35\r\nA101-734  Malicious File Transfer - DARKSIDE, Download, Variant #36\r\nA101-735  Malicious File Transfer - NGROK, Download, Variant #1\r\nA101-736  Malicious File Transfer - UNC2465, LNK Downloader for SMOKEDHAM, Download\r\nA101-737  Malicious File Transfer - BEACON, Download, Variant #3\r\nA101-738  Data Exfiltration - RCLONE, Exfil Over SFTP\r\nA101-739  Malicious File Transfer - RCLONE, Download, Variant #2\r\nA101-740  Command and Control - DARKSIDE, DNS Query, Variant #1\r\nA101-741  Command and Control - DARKSIDE, DNS Query, Variant #2\r\nA101-742  Application Vulnerability - SonicWall, CVE-2021-20016, SQL Injection\r\nA104-771  Protected Theater - DARKSIDE, PsExec Execution\r\nA104-772  Host CLI - DARKSIDE, Windows Share Creation\r\nA104-773  Protected Theater - DARKSIDE, Delete Volume Shadow Copy\r\nRelated Indicators\r\nUNC2628\r\nIndicator Description\r\n104.193.252[.]197:443 BEACON C2\r\n162.244.81[.]253:443 BEACON C2\r\n185.180.197[.]86:443 BEACON C2\r\nathaliaoriginals[.]com BEACON C2\r\nlagrom[.]com BEACON C2\r\nctxinit.azureedge[.]net BEACON C2\r\n45.77.64[.]111 Login 
Source\r\n181ab725468cc1a8f28883a95034e17d BEACON Sample\r\nUNC2659\r\nIndicator Description\r\n173.234.155[.]208 Login Source\r\nUNC2465\r\nIndicator Description\r\n81.91.177[.]54:7234 Remote Access\r\nkoliz[.]xyz File Hosting\r\nlos-web[.]xyz EMPIRE C2\r\nsol-doc[.]xyz Malicious Infrastructure\r\nhxxp://sol-doc[.]xyz/sol/ID-482875588 Downloader URL\r\n6c9cda97d945ffb1b63fd6aabcb6e1a8 Downloader LNK\r\n7c8553c74c135d6e91736291c8558ea8 VBS Launcher\r\n27dc9d3bcffc80ff8f1776f39db5f0a4 Ngrok Utility\r\nDARKSIDE Ransomware Encryptor\r\nDARKSIDE Sample MD5\r\n04fde4340cc79cd9e61340d4c1e8ddfb\r\n0e178c4808213ce50c2540468ce409d3\r\n0ed51a595631e9b4d60896ab5573332f\r\n130220f4457b9795094a21482d5f104b\r\n1a700f845849e573ab3148daef1a3b0b\r\n1c33dc87c6fdb80725d732a5323341f9\r\n222792d2e75782516d653d5cccfcf33b\r\n29bcd459f5ddeeefad26fc098304e786\r\n3fd9b0117a0e79191859630148dcdc6d\r\n47a4420ad26f60bb6bba5645326fa963\r\n4d419dc50e3e4824c096f298e0fa885a\r\n5ff75d33080bb97a8e6b54875c221777\r\n66ddb290df3d510a6001365c3a694de2\r\n68ada5f6aa8e3c3969061e905ceb204c\r\n69ec3d1368adbe75f3766fc88bc64afc\r\n6a7fdab1c7f6c5a5482749be5c4bf1a4\r\n84c1567969b86089cc33dccf41562bcd\r\n885fc8fb590b899c1db7b42fe83dddc3\r\n91e2807955c5004f13006ff795cb803c\r\n9d418ecc0f3bf45029263b0944236884\r\n9e779da82d86bcd4cc43ab29f929f73f\r\na3d964aaf642d626474f02ba3ae4f49b\r\nb0fd45162c2219e14bdccab76f33946e\r\nb278d7ec3681df16a541cf9e34d3b70a\r\nb9d04060842f71d1a8f3444316dc1843\r\nc2764be55336f83a59aa0f63a0b36732\r\nc4f1a1b73e4af0fbb63af8ee89a5a7fe\r\nc81dae5c67fb72a2c2f24b178aea50b7\r\nc830512579b0e08f40bc1791fc10c582\r\ncfcfb68901ffe513e9f0d76b17d02f96\r\nd6634959e4f9b42dfc02b270324fa6d9\r\ne44450150e8683a0addd5c686cd4d202\r\nf75ba194742c978239da2892061ba1b4\r\nf87a2e1c3d148a67eaeb696b1ab69133\r\nf913d43ba0a9f921b1376b26cd30fa34\r\nf9fc1a1a95d5723c140c2a8effc93722\r\nPosted in: Threat Intelligence, Security \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html"
	],
	"report_names": [
		"shining-a-light-on-darkside-ransomware-operations.html"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0f302f8a-43c8-4dfe-aa95-454be09bb260",
			"created_at": "2023-12-08T02:00:05.732568Z",
			"updated_at": "2026-04-10T02:00:03.489875Z",
			"deleted_at": null,
			"main_name": "UNC2659",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC2659",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e9f7f836-b77f-4f95-aa02-9e99d32faf1d",
			"created_at": "2024-12-21T02:00:02.857057Z",
			"updated_at": "2026-04-10T02:00:03.791142Z",
			"deleted_at": null,
			"main_name": "UNC2465",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC2465",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433986,
	"ts_updated_at": 1775826714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/95d143aaf1242f97d9a5ea7f43ade27436b7bd57.pdf",
		"text": "https://archive.orkl.eu/95d143aaf1242f97d9a5ea7f43ade27436b7bd57.txt",
		"img": "https://archive.orkl.eu/95d143aaf1242f97d9a5ea7f43ade27436b7bd57.jpg"
	}
}