[Mal Series #13] Darkside Ransomware
By GhouLSec
Published: 2021-05-01 · Archived: 2026-04-05 20:06:54 UTC

Here is my analysis of the Darkside ransomware. I will attach more screenshots of my analysis this time 😏. I did not connect to the C2 during the analysis.

Dynamically Resolve Windows API

Figure: the Windows API names are resolved dynamically at runtime rather than imported.

Elevate Privilege (If running in Non-Admin privilege)

The sample uses a COM-based UAC bypass when the access-token method fails. The elevation moniker it builds is:

Elevation:Administrator!new:%s

The access-token method: get an access token from an admin process (e.g. Explorer.exe).

Adjust Privilege Token

Hash Generation

Used for the file extension, the mutex and the victim's ID.

Figure: Inside gen_hash_val
Figure: Generator Mutex String

Victim ID: the first 10 bytes of the CRC32 block computed over the Machine GUID.

File Drop

Drops the ransomware icon file in %APPDATA% and creates a registry key for it: CreateFile -> RegCreateKey -> RegSetValueExW

Service Enumeration and Delete

Enumerates the installed services and compares each name against these strings: vss, sql, svc$, memtas, mepocs, sophos, veeam, backup. If a match is found, the service is deleted.

Gather Victim Info

Figure: Victim's info gather function
Figure: Output of Victim's Info

Get Drive Type & Size

Format ":/" (drive letter, a colon, then two numbers separated by a slash), e.g.
C:30/50

Language

HKCU = HKEY_CURRENT_USER = 0x80000001
Reads HKCU\Control Panel\Desktop\MuiCached\MachinePreferredUILanguage

Encrypt Victim's Info

Encryption routine: encrypts 8 bytes per function call.
Encryption key, maybe? 🤔

URL Path Generator

Figure: URL Path Generator function

Pseudo Random

A pseudo-random generator similar to srand-style code.

Internet connection

securebestapp20[.]com/

Encrypted PowerShell runs "delete shadow copy"

Ok, bye shadow copy.

Salsa session key generation & RSA encryption on Salsa session key

The session key is generated from the RtlRandomEx function, which is fed a hard-coded seed value. (If the seed really is a constant, the generated session key would be reproducible from run to run, which is worth confirming in a debugger.) When the length == 5 it leaves 0 bytes there (refer to "Custom Salsa key state arrangement").

Figure: Salsa session key generator
Figure: RtlRandomEx inside wrap_random_ex()
Figure: Flow of the keygen -> rsa encrypt -> crc -> result buffer copy

How to identify Salsa encryption algorithm?

I found this pattern inside the code instead of its constants:

b ^= (a + d) <<< 7;
c ^= (b + a) <<< 9;
d ^= (c + b) <<< 13;   (0xd in hex)
a ^= (d + c) <<< 18;   (0x12 in hex)

Yay, same pattern 🤗 Let's check out the key generated. Hmm… There is no constant found for the Salsa key generated.
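To make that identification concrete, here is an added Python implementation (not code from the post, and not the DarkSide routine itself) of Salsa20 written as the same four-line quarter-round pattern. It takes the four state constants as a parameter, which is how a routine can be Salsa20 with no "expand 32-byte k" string anywhere in the binary: the add-then-xor order and the rotation amounts 7, 9, 13, 18 identify the cipher, not the constants. The key, nonce, plaintext and the custom constants used here are constructed test values; the custom constants are an arbitrary stand-in, not the ones the sample uses.

```python
"""Salsa20 as the quarter-round pattern matched in the disassembly.
Added example, not the original post's code. The standard SIGMA constants
are the "expa/nd 3/2-by/te k" words; any other four 4-byte words give a
'custom' Salsa20 that a constant scan will never find."""
import struct

MASK = 0xFFFFFFFF
SIGMA = (b"expa", b"nd 3", b"2-by", b"te k")   # standard "expand 32-byte k"


def rotl32(v, n):
    """32-bit rotate left (the <<< in the post's pattern)."""
    return ((v << n) | (v >> (32 - n))) & MASK


def quarter_round(a, b, c, d):
    """Exactly the four lines found in the sample: add, rotate, xor."""
    b ^= rotl32((a + d) & MASK, 7)
    c ^= rotl32((b + a) & MASK, 9)
    d ^= rotl32((c + b) & MASK, 13)   # 0xd
    a ^= rotl32((d + c) & MASK, 18)   # 0x12
    return a, b, c, d


def salsa20_core(state16, rounds=20):
    """Salsa20/20 hash of a 16-word state (column rounds, then row rounds)."""
    x = list(state16)
    for _ in range(rounds // 2):
        for a, b, c, d in ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11)):
            x[a], x[b], x[c], x[d] = quarter_round(x[a], x[b], x[c], x[d])
        for a, b, c, d in ((0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)):
            x[a], x[b], x[c], x[d] = quarter_round(x[a], x[b], x[c], x[d])
    return [(x[i] + state16[i]) & MASK for i in range(16)]


def salsa20_state(key32, nonce8, counter, constants=SIGMA):
    """Default state layout: constants on the diagonal (words 0, 5, 10, 15),
    key in words 1-4 and 11-14, nonce in 6-7, block counter in 8-9.
    A 'custom key state arrangement' changes the constants, not the cipher."""
    k = struct.unpack("<8I", key32)
    n = struct.unpack("<2I", nonce8)
    c = struct.unpack("<4I", b"".join(constants))   # each constant is 4 bytes
    return [c[0], k[0], k[1], k[2], k[3],
            c[1], n[0], n[1], counter & MASK, (counter >> 32) & MASK,
            c[2], k[4], k[5], k[6], k[7],
            c[3]]


def salsa20_xor(key32, nonce8, data, constants=SIGMA):
    """Encrypt or decrypt (same operation) by xoring with the keystream."""
    out = bytearray()
    for block_no, off in enumerate(range(0, len(data), 64)):
        words = salsa20_core(salsa20_state(key32, nonce8, block_no, constants))
        keystream = struct.pack("<16I", *words)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], keystream))
    return bytes(out)


if __name__ == "__main__":
    # Constructed test values (not from the sample).
    key, nonce = bytes(range(32)), bytes(8)
    msg = b"constructed plaintext for the Salsa20 identification example" * 2
    custom = (b"DARK", b"SIDE", b"CUST", b"OMCN")   # arbitrary stand-in constants
    assert salsa20_xor(key, nonce, salsa20_xor(key, nonce, msg)) == msg
    assert salsa20_xor(key, nonce, msg) != salsa20_xor(key, nonce, msg, custom)
    print("same rotations, different constants: still Salsa20")
```

The first assertion in the usage block is the one to keep in mind when reversing: the quarter-round test vector from the Salsa20 specification, quarterround(1, 0, 0, 0) = (0x08008145, 0x80, 0x00010200, 0x20500000), reproduces from these four lines alone, so matching the rotation amounts is enough to commit to Salsa20 and then go looking for where the state words (including whatever replaces the sigma constants) are loaded.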
Figure: Custom Salsa key state arrangement
Figure: Default Salsa key state arrangement

Usually the constants "expa", "nd 3", "2-by", "te k" are seen in a Salsa implementation, but this one seems to be a custom arrangement.

RSA Public Key Encryption

How to determine RSA? By knowing the exponent: the bytes 01 00 01 00 read little-endian are 0x10001 (65537, the usual RSA public exponent). Then guess the exponentiation function (here is a good explanation of the RSA algorithm).

Figure: Before RSA encryption
Figure: After RSA encryption

As for details like the exponentiation and modulo functions, I still can't figure them out yet. However, it feels like rcl, sbb and adc play an important role in both the exponentiation and the modulo operation. Maybe someone can figure this out. 🤔

Those instructions are the building blocks of multi-precision (bignum) arithmetic: adc chains add limbs with carry, sbb subtracts with borrow, and rcl shifts a carry bit across limbs, which is what a modular multiplication and exponentiation routine is made of.

Generates a 16-byte hash block using RtlComputeCrc32.

Figure: 16-byte CRC32 block computed from the encrypted Salsa key

After encrypting the file bytes, it appends the encrypted key and its CRC32 hash to them.

Encrypted file format

Excluded Folder, File and Extension

Folders:
$recycle.bin, config.msi, $windows.~bt, $windows.~ws, windows, appdata, application data, boot, google, mozilla, program files, program files (x86), programdata, system volume information, tor browser, windows.old, intel, msocache, perflogs, x64dbg, public, all users, default

Files:
autorun.inf, boot.ini, bootfont.bin, bootsect.bak, desktop.ini, iconcache.db, ntldr, ntuser.dat, ntuser.dat.log, ntuser.ini, thumbs.db

Extensions:
386, adv, ani, bat, bin, cab, cmd, com, cpl, cur, deskthemepack, diagcab, diagcfg, diagpkg, dll, drv, exe, hlp, icl, icns, ico, ics, idx, ldf, lnk, mod, mpa, msc, msp, msstyles, msu, nls, nomedia, ocx, prf, ps1, rom, rtp, scr, shs, spl, sys, theme, themepack, wpx, lock, key, hta, msi, pdb

Ransomnote

Figure: the ransom note

Sha256
afb22b1ff281c085b60052831ead0a0ed300fac0160f87851dacc67d4e158178
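The service-kill list and the exclusion lists above are what decide which hosts lose their backups and which files stay readable, so here is an added Python checker (not code from the post or from the sample) that applies both rules to constructed inputs. Assumptions, since the post only gives the lists: directory names are compared case-insensitively at any depth of the path, file names are compared whole, extensions are compared without the dot, and service names are matched by case-insensitive substring. The paths and service names below are constructed examples.

```python
"""Apply DarkSide's service-kill and path-exclusion lists to sample input.
Added example; the matching rules (any-depth directory match, substring
service match) are assumptions about the sample, not taken from the post."""
from pathlib import PureWindowsPath
from typing import List, Optional

EXCLUDED_DIRS = {
    "$recycle.bin", "config.msi", "$windows.~bt", "$windows.~ws", "windows",
    "appdata", "application data", "boot", "google", "mozilla", "program files",
    "program files (x86)", "programdata", "system volume information",
    "tor browser", "windows.old", "intel", "msocache", "perflogs", "x64dbg",
    "public", "all users", "default",
}
EXCLUDED_FILES = {
    "autorun.inf", "boot.ini", "bootfont.bin", "bootsect.bak", "desktop.ini",
    "iconcache.db", "ntldr", "ntuser.dat", "ntuser.dat.log", "ntuser.ini", "thumbs.db",
}
EXCLUDED_EXTS = set(
    "386 adv ani bat bin cab cmd com cpl cur deskthemepack diagcab diagcfg diagpkg "
    "dll drv exe hlp icl icns ico ics idx ldf lnk mod mpa msc msp msstyles msu nls "
    "nomedia ocx prf ps1 rom rtp scr shs spl sys theme themepack wpx lock key hta "
    "msi pdb".split()
)
# Substrings the sample compares service names against before deleting them.
SERVICE_PATTERNS = ("vss", "sql", "svc$", "memtas", "mepocs", "sophos", "veeam", "backup")


def is_excluded(path: str) -> Optional[str]:
    """Return the reason a file would be skipped ('dir:...', 'file:...',
    'ext:...'), or None if the sample would encrypt it."""
    p = PureWindowsPath(path)
    parts = [s.lower() for s in p.parts]
    if p.drive or p.root:          # drop the 'C:\' or '\\server\share\' anchor
        parts = parts[1:]
    if not parts:
        return None
    *dirs, name = parts
    for d in dirs:                 # assumption: any directory level counts
        if d in EXCLUDED_DIRS:
            return "dir:" + d
    if name in EXCLUDED_FILES:
        return "file:" + name
    ext = p.suffix.lower().lstrip(".")
    if ext in EXCLUDED_EXTS:
        return "ext:" + ext
    return None


def services_to_delete(service_names: List[str]) -> List[str]:
    """Services whose name contains any of the sample's patterns (assumed
    case-insensitive substring match)."""
    return [s for s in service_names
            if any(pat in s.lower() for pat in SERVICE_PATTERNS)]


if __name__ == "__main__":
    # Constructed sample input.
    for sample in (r"C:\Program Files\App\data.docx",
                   r"C:\Users\bob\Documents\report.docx",
                   r"C:\Users\bob\Desktop\thumbs.db",
                   r"D:\share\finance.ldf"):
        print(sample, "->", is_excluded(sample) or "ENCRYPT")
    print(services_to_delete(["MSSQLSERVER", "VeeamBackupSvc", "Spooler",
                              "SophosAgent", "MemtasAgent", "EventLog"]))
```

Note what the extension list implies for response: database log files (ldf), executables and DLLs are left alone, so the tooling needed to run a recovery is usually intact, while the service patterns deliberately stop SQL, Veeam and VSS-based backups before encryption begins.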
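The keygen -> RSA encrypt -> CRC -> append flow described above, as an added Python walk-through (not the post's code and not the sample's implementation). It uses a toy RSA key built from two Mersenne primes so that it runs offline; the real sample encrypts with the attacker's embedded public key, and the exact trailer layout (wrapped key followed by a 4-byte CRC) is an assumption. The seeded generator stands in for RtlRandomEx only to show why a constant seed yields the same session key every run. RtlComputeCrc32 is assumed to be the standard CRC-32 that zlib.crc32 computes with an initial value of 0.

```python
"""Session key -> RSA(e=0x10001) wrap -> CRC32 -> trailer, and the reverse.
Added example with a toy RSA key; the trailer layout is an assumption."""
import random
import struct
import zlib

# Toy RSA key (assumption: textbook RSA). P and Q are the Mersenne primes
# 2^127-1 and 2^521-1, so N is 648 bits and comfortably holds a 32-byte key.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 0x10001                                  # the 01 00 01 00 pattern spotted in the sample
D = pow(E, -1, (P - 1) * (Q - 1))            # private exponent, only for the demo
N_BYTES = (N.bit_length() + 7) // 8          # 81 bytes of wrapped key


def find_le_65537(blob: bytes):
    """Offsets where the little-endian exponent 0x10001 appears (the quick
    'is there RSA in here?' check used in the post)."""
    return [i for i in range(len(blob) - 3) if blob[i:i + 4] == b"\x01\x00\x01\x00"]


def session_key_from_seed(seed: int, length: int = 32) -> bytes:
    """Stand-in for RtlRandomEx: a seeded PRNG. Same seed, same key."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def rsa_wrap(session_key: bytes) -> bytes:
    m = int.from_bytes(session_key, "big")
    assert m < N
    return pow(m, E, N).to_bytes(N_BYTES, "big")


def rsa_unwrap(wrapped: bytes, key_len: int = 32) -> bytes:
    return pow(int.from_bytes(wrapped, "big"), D, N).to_bytes(key_len, "big")


def build_trailer(session_key: bytes) -> bytes:
    """Wrapped key followed by CRC32 over the wrapped key (assumed layout)."""
    wrapped = rsa_wrap(session_key)
    return wrapped + struct.pack("<I", zlib.crc32(wrapped))


def parse_trailer(file_data: bytes):
    """Split an encrypted file into (ciphertext, wrapped_key); the CRC tells
    a decryptor whether the tail really is a trailer or the file is damaged."""
    trailer_len = N_BYTES + 4
    if len(file_data) < trailer_len:
        raise ValueError("file shorter than the trailer")
    body, wrapped, crc = (file_data[:-trailer_len],
                          file_data[-trailer_len:-4],
                          file_data[-4:])
    if struct.unpack("<I", crc)[0] != zlib.crc32(wrapped):
        raise ValueError("trailer CRC mismatch: not this trailer format or file truncated")
    return body, wrapped


def trailer_is_valid(file_data: bytes) -> bool:
    try:
        parse_trailer(file_data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = session_key_from_seed(0x1337)                 # constructed seed
    encrypted_file = b"<ciphertext bytes>" + build_trailer(key)   # constructed body
    body, wrapped = parse_trailer(encrypted_file)
    print(len(wrapped), "byte wrapped key, CRC ok, key recovered:",
          rsa_unwrap(wrapped) == key)
```

The CRC is the useful forensic handle here: it lets a decryptor, or an analyst sorting through a share, confirm a file carries an intact trailer before spending an RSA operation on it, and it also means a single flipped byte in the wrapped key is detectable, which is why the parser refuses rather than returning garbage.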
Source: https://ghoulsec.medium.com/mal-series-13-darkside-ransomware-c13d893c36a6