{
	"id": "3d2cf116-9d6a-45a9-bcd5-9dcbff99a5a6",
	"created_at": "2026-04-06T00:10:53.484245Z",
	"updated_at": "2026-04-10T03:20:18.9016Z",
	"deleted_at": null,
	"sha1_hash": "b116472ce74e968f64a4cf8ed9abca863d3b058e",
	"title": "New attack vectors for the DarkSide ransomware gang",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61775,
	"plain_text": "New attack vectors for the DarkSide ransomware gang\r\nArchived: 2026-04-05 16:37:52 UTC\r\nSummary\r\nDiscovered in August 2020\r\nTargets only English-speaking countries, avoiding the former Soviet countries\r\nDoes not attack hospitals, hospices, schools, universities, non-profit organizations, or government institutions\r\nUses Salsa20 (with a custom initialization matrix) for file encryption and RSA-1024 to protect the file keys\r\nRansom demands range from $200,000 to $2,000,000\r\nCaused the shutdown of the Colonial Pipeline, the largest fuel pipeline in the U.S.\r\nUses the Silent Night botnet (Zloader backdoor) for delivery\r\nAttackers have exploited Palo Alto’s CVE-2019-1579 and Microsoft Exchange vulnerabilities to breach target environments\r\nAttack vectors and targets\r\nDarkSide ransomware recently attacked the Colonial Pipeline, the largest pipeline in the United States, used to transfer fuel from Texas to New York. According to a recent Bloomberg publication, Colonial Pipeline Co. paid the demanded $5 million ransom in cryptocurrency. However, the company then ran into a performance issue: although DarkSide uses the fast Salsa20 stream cipher for file encryption, its file decryption procedure is slow. As a result, the company continued restoring from its own backups to hasten the resumption of pipeline operations.\r\nDarkSide stands out from other ransomware-as-a-service (RaaS) threats because one of its attack vectors is based on the Zloader botnet (also known as “Silent Night”), which has played a key role in DarkSide's success.\r\nZloader is a variant of the Zeus financial malware, which has been targeting banks since 2006. After a short break, its activity resumed in January 2020. Since then, the botnet’s affiliates have carried out a series of attacks on the United States, Canada, Germany, and Poland. Zloader is a first-stage Trojan loader that establishes the initial foothold in the victim's environment. 
Once that foothold is established, the Cobalt Strike red teaming tool is used to move laterally and deploy DarkSide ransomware.\r\nIn some cases, DarkSide ransomware has also been delivered through compromised third-party service providers. In others, initial access came through CVE-2019-1579 in Palo Alto’s GlobalProtect portal and GlobalProtect Gateway interface products, or through exposed, vulnerable Microsoft Exchange servers. Successful exploitation lets an unauthenticated attacker execute code remotely (RCE).\r\nConfiguration\r\nhttps://www.acronis.com/en-us/articles/darkside-ransomware/\r\nPage 1 of 5\n\nAs DarkSide follows a RaaS model, the configuration data is embedded in the binary built for a specific affiliate. To hide these settings from analysis, the configuration data is compressed with aPLib.\r\nAt the very start of its execution, immediately after loading libraries, the ransomware locates its configuration by searching for the terminating marker 0xDEADBEEF, a value traditionally used by debuggers and allocators to mark freed or uninitialized memory.\r\nAfter that, the configuration is decompressed and parsed.\r\nThis configuration defines which particular features the affiliate enabled in the sample. The ransomware configuration includes the following parameters:\r\nVictim’s ID — used as the encrypted file extension, in the ransom note name README.[Victim's ID].TXT, and to access the decryption service over Tor. 
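The configuration lookup described above, worked through as an added Python example that is not code from Acronis or from the DarkSide sample: it finds the 0xDEADBEEF marker in a constructed image and decompresses what follows it with an aPLib decoder. Three things are assumptions, because the article does not specify them: the marker is stored as a little-endian DWORD, the compressed blob begins immediately after it, and the decompressed configuration is a series of NUL-separated strings. The image and the compressed bytes are constructed for the example; the decoder itself implements the actual aPLib format, so it can be pointed at a blob carved from a real sample.

```python
import struct

# Added example, not code from Acronis or DarkSide: find the configuration blob
# that follows the 0xDEADBEEF terminator and decompress it with aPLib. Assumed,
# because the article does not say: the marker is a little-endian DWORD (bytes
# EF BE AD DE), the aPLib stream starts right after it, and the decompressed
# configuration is a series of NUL-separated strings (a hypothetical layout).

MARKER = struct.pack('<I', 0xDEADBEEF)

# Constructed, hand-encoded aPLib stream; it decodes to b'1' NUL b'vss' NUL
# b'sql' NUL b'vss' NUL, with the repeated vss stored as a back-reference.
COMPRESSED_CONFIG = bytes.fromhex('31 e0 76 38 73 73 0e 73 71 6c 14 08 60 00')

# Constructed stand-in for an affiliate build: fake header, padding, marker, blob.
SAMPLE_IMAGE = bytes.fromhex('4d 5a') + bytes(16) + MARKER + COMPRESSED_CONFIG


def find_config_blob(image):
    # Everything after the last marker occurrence is treated as the blob.
    idx = image.rfind(MARKER)
    if idx < 0:
        raise ValueError('no 0xDEADBEEF marker found')
    return image[idx + len(MARKER):]


class APLibDecoder:
    # Decoder for the aPLib format (Joergen Ibsen), the compressor the article names.

    def __init__(self, src):
        self.src, self.pos, self.tag, self.bitcount = src, 0, 0, 0
        self.out = bytearray()

    def _byte(self):
        b = self.src[self.pos]
        self.pos += 1
        return b

    def _bit(self):
        # Tag bytes are consumed MSB first; a new one is fetched every 8 bits.
        self.bitcount -= 1
        if self.bitcount < 0:
            self.tag, self.bitcount = self._byte(), 7
        bit = self.tag >> 7
        self.tag = (self.tag << 1) % 256
        return bit

    def _gamma(self):
        # Gamma code: a data bit then a continue bit, repeated; minimum value is 2.
        result = 1
        while True:
            result = (result << 1) + self._bit()
            if not self._bit():
                return result

    def _copy(self, offs, length):
        for _ in range(length):
            self.out.append(self.out[-offs])

    def decode(self):
        r0 = -1       # last match offset, reusable through the repeat-offset code
        lwm = 0       # last-was-match flag; changes how the next offset is read
        self.out.append(self._byte())          # the first byte is a raw literal
        while True:
            if not self._bit():                # 0   -> literal byte
                self.out.append(self._byte())
                lwm = 0
            elif not self._bit():              # 10  -> gamma-coded offset and length
                offs = self._gamma()
                if lwm == 0 and offs == 2:
                    offs = r0
                    self._copy(offs, self._gamma())
                else:
                    offs = ((offs - (3 if lwm == 0 else 2)) << 8) + self._byte()
                    length = self._gamma() + (offs >= 32000) + (offs >= 1280)
                    length += 2 * (offs < 128)
                    self._copy(offs, length)
                    r0 = offs
                lwm = 1
            elif not self._bit():              # 110 -> short match, or end of stream
                b = self._byte()
                offs, length = b >> 1, 2 + b % 2
                if offs == 0:
                    return bytes(self.out)     # offset 0 terminates the stream
                self._copy(offs, length)
                r0, lwm = offs, 1
            else:                              # 111 -> one byte copied via a 4-bit offset
                offs = 0
                for _ in range(4):
                    offs = (offs << 1) + self._bit()
                self.out.append(self.out[-offs] if offs else 0)
                lwm = 0


def aplib_decompress(data):
    return APLibDecoder(data).decode()


def extract_config(image):
    # Locate, decompress and split the hypothetical NUL-separated configuration.
    raw = aplib_decompress(find_config_blob(image))
    return [s.decode('ascii') for s in raw.split(bytes(1)) if s]
```

Calling extract_config on the constructed image returns the four decoded strings. Against a real affiliate build, only find_config_blob and extract_config embody assumptions: the marker search direction, the offset of the stream relative to the marker and the field layout of the decompressed data all have to be taken from the sample itself, while the decoder can stay as it is.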
\r\nEncryption mode – one of the following values:\r\no ‘1’: ‘FULL’\r\no ‘2’: ‘FAST’\r\no Any other value: ‘AUTO’\r\nFlags — enable or disable the following features (all flags are set to ‘yes’ in the analyzed sample):\r\no Encrypt local disks\r\no Encrypt network shares\r\no Perform language check\r\no Delete volume shadow copies\r\no Empty Recycle Bin\r\no Self-delete\r\no Perform UAC bypass if necessary\r\no Adjust token privileges\r\no Logging\r\no Ignore specific folders\r\no Ignore specific files\r\no Ignore specific file extensions\r\no Terminate processes\r\no Stop services\r\no Drop ransom note\r\no Create a mutex\r\nFolders to skip. For example: \"$recycle.bin, config.msi, $windows.~bt, $windows.~ws, windows, appdata, application data, boot, google, mozilla, program files, program files (x86), programdata, system volume information, tor browser, windows.old, intel, msocache, perflogs, x64dbg, public, all users, default.\"\r\nFiles to skip. For example: \"autorun.inf, boot.ini, bootfont.bin, bootsect.bak, desktop.ini, iconcache.db, ntldr, ntuser.dat, ntuser.dat.log, ntuser.ini, thumbs.db.\"\r\nExtensions to skip. For example: \"386, adv, ani, bat, bin, cab, cmd, com, cpl, cur, deskthemepack, diagcab, diagcfg, diagpkg, dll, drv, exe, hlp, icl, icns, ico, ics, idx, ldf, lnk, mod, mpa, msc, msp, msstyles, msu, nls, nomedia, ocx, prf, ps1, rom, rtp, scr, shs, spl, sys, theme, themepack, wpx, lock, key, hta, msi, pdb.\"\r\nFolders to delete. 
For example: \"backup.\"\r\nProcesses to skip when terminating.\r\nProcesses to terminate to unlock files.\r\nC\u0026C URLs\r\nServices to stop\r\nWallpaper message directing victims to the ransom note\r\nRansom note\r\nThe latest version of DarkSide attempts to stop the same list of backup and anti-malware services that previous versions targeted:\r\nvss\r\nsql\r\nsvc$\r\nmemtas\r\nmepocs\r\nsophos\r\nveeam\r\nbackup\r\nGxVss\r\nGxBlr\r\nGxFWD\r\nGxCVD\r\nGxCIMgr\r\nDarkSide kills processes whose names contain the following strings, so that files they hold open can be encrypted:\r\nsql\r\noracle\r\nocssd\r\ndbsnmp\r\nsynctime\r\nagntsvc\r\nisqlplussvc\r\nxfssvccon\r\nmydesktopservice\r\nocautoupds\r\nencsvc\r\nfirefox\r\ntbirdconfig\r\nmydesktopqos\r\nocomm\r\ndbeng50\r\nsqbcoreservice\r\nexcel\r\ninfopath\r\nmsaccess\r\nmspub\r\nonenote\r\noutlook\r\npowerpnt\r\nsteam\r\nthebat\r\nthunderbird\r\nvisio\r\nwinword\r\nwordpad\r\nnotepad\r\nDarkSide does not touch the following processes, since terminating them by accident could crash the system or disconnect a remote session:\r\nvmcompute.exe\r\nvmms.exe\r\nvmwp.exe\r\nsvchost.exe\r\nTeamViewer.exe\r\nexplorer.exe\r\nThese lists have not changed since the previously analyzed version of DarkSide.\r\nFile encryption\r\nNo changes here since our last analysis. DarkSide ransomware still uses Salsa20 for file encryption and RSA-1024 to encrypt the file keys.\r\nC\u0026C communication\r\nThe analyzed DarkSide sample has the C\u0026C connection flag enabled in its configuration. 
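The service-stop list above and the check-in domains given in the IoCs section, turned into detection logic as an added Python example that is not Acronis' code: it runs over constructed, normalized log records and flags a burst of stops among the targeted services on one host within a short window, plus any DNS query for securebestapp20.com or temisleyes.com. The record format, host names, timestamps, window and threshold are assumptions made for the example; the service strings and domains are the ones on this page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not Acronis' or DarkSide's code: detection logic over constructed
# log records. It flags (a) a burst of stops among the backup and anti-malware
# services DarkSide targets and (b) any DNS query for the two check-in domains
# listed in the IoCs. The record format (timestamp host kind payload), host
# names, timestamps, window and threshold are assumptions made for this example.

# Service name fragments from the configuration. The article describes the
# process list as substring matches; this example treats the service list the
# same way, case-insensitively, and keeps the svc$ entry as a literal substring.
SERVICE_PATTERNS = ['vss', 'sql', 'svc$', 'memtas', 'mepocs', 'sophos', 'veeam',
                    'backup', 'gxvss', 'gxblr', 'gxfwd', 'gxcvd', 'gxcimgr']
C2_DOMAINS = {'securebestapp20.com', 'temisleyes.com'}

# Constructed records: WS01 shows the pre-encryption pattern, WS02 and WS03 are
# ordinary activity that must not alert.
SAMPLE_RECORDS = [
    '2021-05-07T09:13:40Z WS01 dns securebestapp20.com',
    '2021-05-07T09:14:02Z WS01 svc_stop VSS',
    '2021-05-07T09:14:03Z WS01 svc_stop VeeamBackupSvc',
    '2021-05-07T09:14:03Z WS01 svc_stop SophosAgent',
    '2021-05-07T09:14:05Z WS01 svc_stop MSSQLSERVER',
    '2021-05-07T09:30:00Z WS02 svc_stop Spooler',
    '2021-05-07T11:00:00Z WS02 svc_stop MSSQLSERVER',
    '2021-05-07T11:02:00Z WS03 dns updates.example.net',
]


def parse_record(line):
    ts, host, kind, payload = line.split(' ', 3)
    return datetime.strptime(ts, '%Y-%m-%dT%H:%M:%SZ'), host, kind, payload


def matched_pattern(service_name):
    # Return the configuration string that would make DarkSide stop this service.
    name = service_name.lower()
    for pat in SERVICE_PATTERNS:
        if pat in name:
            return pat
    return None


def detect(records, window=timedelta(seconds=120), min_services=3):
    alerts = []
    stops = defaultdict(list)   # host -> [(timestamp, service)] for targeted services only
    for line in records:
        ts, host, kind, payload = parse_record(line)
        if kind == 'dns' and payload.lower() in C2_DOMAINS:
            alerts.append(('c2_dns', host, ts, payload))
        elif kind == 'svc_stop' and matched_pattern(payload):
            stops[host].append((ts, payload))
    # One targeted service stopping is routine maintenance; several distinct ones
    # stopping within a short window is the step that precedes encryption.
    for host, events in stops.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            hit = {svc for t, svc in events[i:] if t - t0 <= window}
            if len(hit) >= min_services:
                alerts.append(('service_stop_burst', host, t0, tuple(sorted(hit))))
                break   # one alert per host is enough here
    return alerts


if __name__ == '__main__':
    for alert in detect(SAMPLE_RECORDS):
        print(alert)
```

On the constructed records this yields two alerts for WS01 (the check-in lookup and the four-service burst) and nothing for the other hosts. The burst rule is the more durable of the two: the domains rotate between affiliate builds, while the service list is carried over unchanged between the versions Acronis analyzed.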
For check-in, the sample connects to the following domains, sending a request that carries information used to uniquely identify the infected computer:\r\nsecurebestapp20.com\r\ntemisleyes.com\r\nRansom note\r\nThe string from the configuration is used to generate the following wallpaper:\r\n[wallpaper image]\r\nThe ransom note template hasn’t changed since our last analysis.\r\nDetection by Acronis\r\nAcronis’ Active Protection technology uses machine intelligence and behavioral analysis to identify and stop DarkSide attacks, as well as other known and unknown cyberthreats. Backups are protected against tampering and enable the automatic and rapid restoration of any encrypted files.\r\nConclusion\r\nCompared to previous variants, we haven’t found significant changes in the DarkSide ransomware code and configuration. However, DarkSide's new TTPs rely on exploitation of Palo Alto’s CVE-2019-1579 and Microsoft Exchange vulnerabilities, as well as on the Silent Night (Zloader) botnet, in recent major attacks.\r\nIoCs\r\nSHA256: 151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5\r\nsecurebestapp20.com\r\ntemisleyes.com\r\nSource: https://www.acronis.com/en-us/articles/darkside-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.acronis.com/en-us/articles/darkside-ransomware/"
	],
	"report_names": [
		"darkside-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434253,
	"ts_updated_at": 1775791218,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b116472ce74e968f64a4cf8ed9abca863d3b058e.pdf",
		"text": "https://archive.orkl.eu/b116472ce74e968f64a4cf8ed9abca863d3b058e.txt",
		"img": "https://archive.orkl.eu/b116472ce74e968f64a4cf8ed9abca863d3b058e.jpg"
	}
}