{
	"id": "31909de0-426f-4197-96a7-ba0628c90bcd",
	"created_at": "2026-04-06T00:07:39.019942Z",
	"updated_at": "2026-04-10T03:20:56.252097Z",
	"deleted_at": null,
	"sha1_hash": "c6bb4b4633578232482c3de569809f4a7d5ef158",
	"title": "DarkSide ransomware analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 374209,
	"plain_text": "DarkSide ransomware analysis\r\nBy Zawadi Done\r\nPublished: 2020-10-05 · Archived: 2026-04-05 17:45:44 UTC\r\nThis blog post will try to explain how the ransomware called DarkSide works. Based on my research, this ransomware uses Salsa20 encryption to encrypt files and RSA encryption to encrypt the key used by Salsa20. A new key is created per file based on random bytes.\r\nA new ransomware operation named DarkSide began attacking organizations earlier this month with customized attacks that have already earned them million-dollar payouts.\r\nStarting around August 10th, 2020, the new ransomware operation began performing targeted attacks against numerous companies.\r\nIn a “press release” issued by the threat actors, they claim to be former affiliates who had made millions of dollars working with other ransomware operations.\r\nhttps://www.bleepingcomputer.com/news/security/darkside-new-targeted-ransomware-demands-million-dollar-ransoms/amp/\r\nUnpacking\r\nThe executable is compressed with UPX.\r\nfile 9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297\r\n[...]: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed\r\nAfter the first instruction pushad I put a breakpoint on the ESP register and continue. The execution breaks on the instruction lea eax, dword ptr ss:[esp80]. After the loop is executed it jumps to the entry point of the packed executable.\r\nhttps://zawadidone.nl/darkside-ransomware-analysis/\r\nPage 1 of 5\r\nOnce the executable is unpacked, we can analyze the ransomware.\r\nAnti-analysis\r\nTo make static analysis harder, the ransomware resolves DLLs and API calls dynamically using LoadLibrary, GetProcAddress and 2 custom functions shown below. In this screenshot, the address of _wcsicmp is resolved in memory.\r\nPreparation\r\nThe mutex Global\\\\3e93e49583d6401ba148cd68d1f84af7 is created to make sure only one copy of the ransomware is running; otherwise the ransomware exits. This is done based on the name of the executable. Then SetThreadExecutionState is called to force the system to stay in the working state by resetting the system idle timer.\r\nServices\r\nTo make sure certain services are not running, the following services are stopped using ControlService - SERVICE_CONTROL_STOP and DeleteService. Deleting a service is not useful if an organization pays the ransom and wants to go back into production quickly. As a system administrator, I wouldn’t be happy about this.\r\nvss\r\nsql\r\nsvc$\r\nmemtas\r\nmepocs\r\nsophos\r\nveeam\r\nbackup\r\nShadow Copies\r\nUsing CreateProcessW the following PowerShell script is executed, which deletes Shadow Volume Copies.\r\npowershell -ep bypass -c \\\"(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F7\r\nWhen deobfuscated, we can see that this PowerShell command is used to delete Shadow Volume Copies on the machine before encrypting it.\r\nGet-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}\r\nhttps://www.bleepingcomputer.com/news/security/darkside-new-targeted-ransomware-demands-million-dollar-ransoms/amp/\r\nProcesses\r\nTo make sure certain processes are not running, a list of processes is terminated (https://pastebin.com/WWSQxhcq).\r\nEncryption\r\nThe encryption routine skips a few files, file extensions and directories (https://pastebin.com/WWSQxhcq).\r\nEncryption flowchart\r\nThe encryption routine of the ransomware is shown below.\r\nDebugging mode\r\nI don’t know why, but it seems the authors have forgotten to disable debugging functionality in their code, or maybe they are using this to verify that the files are encrypted. (XXX = file name). This file was in the same directory as the executable.\r\n[INF] Start Encrypting All Files\r\n[INF] Emptying Recycle Bin\r\n[INF] Uninstalling Services\r\n[INF] Deleting Shadow Copies\r\n[INF] Terminating Processes\r\n[INF] Encrypt Mode - FAST\r\n[INF] Encrypting Local Disks\r\n[INF] Started 8 I/O Workers\r\n[INF] Start Encrypt [Handle 492] \\\\?\\C:\\XXX\r\n[INF] File Encrypted Successful [Handle 492]\r\n[INF] Start Encrypt [Handle 640] \\\\?\\C:\\XXX\r\n[INF] File Encrypted Successful [Handle 640]\r\n[INF] Start Encrypt [Handle 640] \\\\?\\C:\\XXX\r\n[...]\r\nIOC\r\nSHA256 - 9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297\r\nReferences\r\nhttps://www.bleepingcomputer.com/news/security/darkside-new-targeted-ransomware-demands-million-dollar-ransoms/amp/\r\nhttps://tria.ge/200828-r31s5nvvm2/behavioral1\r\nSource: https://zawadidone.nl/darkside-ransomware-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://zawadidone.nl/darkside-ransomware-analysis/"
	],
	"report_names": [
		"darkside-ransomware-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434059,
	"ts_updated_at": 1775791256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c6bb4b4633578232482c3de569809f4a7d5ef158.pdf",
		"text": "https://archive.orkl.eu/c6bb4b4633578232482c3de569809f4a7d5ef158.txt",
		"img": "https://archive.orkl.eu/c6bb4b4633578232482c3de569809f4a7d5ef158.jpg"
	}
}