{
	"id": "5c0f3178-7b7b-4bb2-b227-6eb3b85aedef",
	"created_at": "2026-04-06T00:21:20.614059Z",
	"updated_at": "2026-04-10T03:21:49.59689Z",
	"deleted_at": null,
	"sha1_hash": "e1203bd32688c6cba056d6668f69aec1a466c073",
	"title": "DarkSide's-Targeted-Ransomware-Analysis-Report-for-Critical-U.S.-Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 750823,
	"plain_text": "DarkSide's Targeted Ransomware Analysis Report for Critical U.S. Infrastructure\r\nPublished: 2021-05-21 · Archived: 2026-04-05 23:06:15 UTC\r\nDarkSide Group Background\r\nDarkSide is an emerging RaaS (ransomware as a service) criminal group, which may have been formed by former members of other ransomware operations. According to the attack rules announced by the group, it launches extortion attacks only against organizations outside the medical, government, education, non-profit, and funeral and interment sectors. The ransomware family first appeared in August 2020; to date, 81 companies are publicly known to have been attacked by this ransomware family.\r\nRelated important attacks\r\nOn April 20, 2021, the DarkSide group issued an announcement on its dark web site, claiming that it had compromised many companies listed on the Nasdaq and other stock exchanges and encrypted their core data. If those companies refuse to pay the ransom, the group intends to publish the stolen data and profit from short-selling options on the affected companies.\r\nOn May 7, 2021, Colonial Pipeline, the largest fuel pipeline provider in the United States, suffered a targeted attack by the DarkSide group, forcing it to shut down the key fuel network that supplies the densely populated eastern states of the United States.\r\nhttps://blog.360totalsecurity.com/en/darksides-targeted-ransomware-analysis-report-for-critical-u-s-infrastructure-2/\r\nPage 1 of 6\r\nTechnical characteristics of the attack\r\nAnalysis of the DarkSide group's historical attack data shows that its attack pattern differs from that of other ransomware groups: a large amount of data is stolen before the ransomware is deployed against the target organization. The group has also built a distributed storage system in Iran, which is used to store victim data.\r\nThe main attack features of the DarkSide group:\r\nThe ransomware mainly targets Windows systems, but there are also variants for Linux systems;\r\nA large number of penetration testing tools are used for vulnerability scanning and intrusion against the target organization's external-facing systems;\r\nAfter gaining access to the organization's intranet, the group attacks the Windows domain controller in an attempt to take control of the entire enterprise intranet;\r\nThe organization's stolen core data is uploaded to the group's private distributed cloud storage system;\r\nOnly after the organization's core assets are under its control is the ransomware finally deployed.\r\nDarkSide’s extortion notice is tailored specifically to companies, and the group specifically targets accounting data, executive data, sales data, customer support data, marketing data, and other high-value data for theft and extortion.\r\nCore Ransomware Analysis\r\nWhen first launched, the DarkSide ransomware checks whether the current user is an administrator.\r\nOnce running, it drops an icon file in the AppData\\Local directory, which is used as the icon for encrypted files. The icon's file name is also the extension appended to files after encryption (it differs per sample; the current sample uses “.82a71c82”).\r\nThe virus collects the current user name, computer name and other information, encrypts it, and sends it to the C2 server. The URL observed during testing was:\r\nhxxp://securebestapp20.com/mhzPjMHjEl\r\nIt calls the system PowerShell to execute a command:\r\npowershell -ep bypass -c “”(0..61)|%{$s+=[char][byte]\r\n(‘0x’+’4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C\r\n“”\r\nDecoding the hex string shows that the actual command deletes the Windows system's shadow copies:\r\nGet-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}\r\nAfter this preparation is complete, the virus starts two threads that encrypt files in a loop.\r\nThe ransomware uses the Salsa20 algorithm to encrypt the victim’s data, then encrypts the Salsa20 key with RSA-1024 and appends it to the end of the file.\r\nFinally, the virus changes the user’s desktop background and leaves a ransom note asking the victim to contact the attackers to pay the ransom.\r\nGroup association traceability analysis\r\nDarkSide group members have posted DarkSide-related ransomware information on well-known Russian forums.\r\nThe ransomware checks the system's default language; if it is Russian, it does not encrypt the system's files.\r\nJudging from its overall technical characteristics and historical activity, the gang is a typical RaaS (ransomware as a service) criminal group, and a large number of its personnel are suspected to be Russian speakers.\r\nSecurity Advice for Enterprise Customers\r\nResponse procedure after a ransomware attack is discovered:\r\n1. If an infected machine is found, disconnect it from the network and shut it down immediately. Disconnecting the network prevents the ransomware from spreading laterally on the intranet, and shutting down the computer stops the ransomware from continuing to encrypt files;\r\n2. Contact a security vendor to investigate and remediate the internal network;\r\n3. Change the passwords of all machines in the company, since there is no way to know how many of them the attacker has obtained.\r\nProtective measures after being attacked by ransomware:\r\n1. Contact the security vendor to investigate and remediate the internal network;\r\n2. Login passwords should be of sufficient length and complexity and should be changed regularly;\r\n3. Shared folders containing important information should have access permission controls and be backed up regularly;\r\n4. Regularly check the system and software for security vulnerabilities, and apply patches promptly.\r\nSource: https://blog.360totalsecurity.com/en/darksides-targeted-ransomware-analysis-report-for-critical-u-s-infrastructure-2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.360totalsecurity.com/en/darksides-targeted-ransomware-analysis-report-for-critical-u-s-infrastructure-2/"
	],
	"report_names": [
		"darksides-targeted-ransomware-analysis-report-for-critical-u-s-infrastructure-2"
	],
	"threat_actors": [],
	"ts_created_at": 1775434880,
	"ts_updated_at": 1775791309,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e1203bd32688c6cba056d6668f69aec1a466c073.pdf",
		"text": "https://archive.orkl.eu/e1203bd32688c6cba056d6668f69aec1a466c073.txt",
		"img": "https://archive.orkl.eu/e1203bd32688c6cba056d6668f69aec1a466c073.jpg"
	}
}