{
	"id": "8217c931-ecd1-41e9-821b-c40ceee184a9",
	"created_at": "2026-04-06T00:18:23.247298Z",
	"updated_at": "2026-04-10T03:21:40.733353Z",
	"deleted_at": null,
	"sha1_hash": "f5e668b7e091557a64d7196b38d1fceda14fca39",
	"title": "MAR-10337802-1.v1: DarkSide Ransomware | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 79630,
	"plain_text": "MAR-10337802-1.v1: DarkSide Ransomware | CISA\r\nPublished: 2021-07-08 · Archived: 2026-04-05 15:13:17 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial\r\nproduct or service referenced in this bulletin or otherwise.\r\nThis document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries\r\nminimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to\r\nstandard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the\r\nTraffic Light Protocol (TLP), see http://www.cisa.gov/tlp.\r\nSummary\r\nDescription\r\nThis Malware Analysis Report (MAR) is the result of analytic efforts by the Cybersecurity and Infrastructure Security\r\nAgency (CISA). CISA processed three (3) files associated with a variant of DarkSide ransomware. NOTE: CISA has no\r\nevidence that this variant is related to the pipeline incident, referred to in Joint Cybersecurity Advisory AA21-131A:\r\nDarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks.\r\nRansomware is designed to encrypt the victim's files in order to extort a ransom for their recovery. DarkSide is a ransomware-as-a-service (RaaS)--the developers of the ransomware receive a share of the proceeds from the cybercriminal actors who\r\ndeploy it, known as \"affiliates.\" This DarkSide ransomware variant executes a dynamic-link library (DLL) program used to\r\ndelete Volume Shadow copies available on the system. 
The malware collects, encrypts, and sends system information to the\r\nthreat actor's command and control (C2) domains and generates a ransom note to the victim.\r\nCISA is distributing this MAR, which includes suggested response actions and recommended mitigation techniques, to help\r\nnetwork defenders identify and mitigate risks.\r\nFor a downloadable copy of IOCs, see: MAR-10337802-1.v1.WHITE.stix.\r\nSubmitted Files (3)\r\n156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673 (156335b95ba216456f1ac0894b7b9d...)\r\n3ba456cafcb31e0710626170c3565aae305bc7c32a948a54f0331d0939e0fe8a (045621d9.BMP)\r\nf6fba207c71d1f53f82d96a87c25c4fa3c020dca58d9b8a266137f33597a0b0e (README.045621d9.TXT)\r\nDomains (2)\r\nbaroquetees.com\r\nrumahsia.com\r\nIPs (2)\r\n176.103.62.217\r\n99.83.154.118\r\nFindings\r\n156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673\r\nTags\r\ndownloader, loader, ransomware, trojan\r\nDetails\r\nName 156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.dll\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-189a\r\nPage 1 of 12\n\nSize 55810 bytes\r\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nMD5 f587adbd83ff3f4d2985453cd45c7ab1\r\nSHA1 2715340f82426f840cf7e460f53a36fc3aad52aa\r\nSHA256 156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673\r\nSHA512 37acf3c7a0b52421b4b33b14e5707497cfc52e57322ad9ffac87d0551220afc202d4c0987460d295077b9ee681fac2021bbfdebdc52c829b5f998\r\nssdeep 768:u2v9Ij6f3J8OT1PMK30DbQDH2doyomHRL83M4/NShWxEs0l29SFd2Xyj09rLd:fmET1PMK3qbpHY3M4wWmXgSFTSrLd\r\nEntropy 6.789366\r\nAntivirus\r\nAhnlab Ransomware/Win.DarkSide\r\nAntiy Trojan[Ransom]/Win32.DarkSide.gen\r\nAvira TR/AD.DarkSideRansom.muasl\r\nBitDefender Trojan.GenericKD.46189032\r\nClamAV Win.Packed.DarkSide-9262656-0\r\nComodo Malware\r\nCyren W32/Trojan.HLZV-8042\r\nESET a variant of Win32/Filecoder.DarkSide.B trojan\r\nEmsisoft Trojan.GenericKD.46189032 (B)\r\nIkarus Trojan-Ransom.DarkSide\r\nK7 Trojan ( 005795061 )\r\nLavasoft Trojan.GenericKD.46189032\r\nMcAfee GenericRXOX-NH!F587ADBD83FF\r\nNANOAV Trojan.Win32.Encoder.iuukal\r\nQuick Heal Trojanransom.Encoder\r\nSymantec Downloader\r\nSystweak trojan-ransom.darkside\r\nTACHYON Ransom/W32.DarkSide.55810\r\nTrendMicro Ransom.17F5A898\r\nTrendMicro House Call Ransom.17F5A898\r\nVirusBlokAda BScope.TrojanRansom.Convagent\r\nZillya! Trojan.Encoder.Win32.2315\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2021-04-05 18:09:20-04:00\r\nImport Hash 6c8408bb5d7d5a5b75b9314f94e68763\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\ndb99af79840cc24e4a2bc8920af97c4d header 1024 1.699168\r\n6738c20d4ea897835026864651841fca .text 37376 6.090461\r\n4e6ca671cfd10e3aa0e2dcd99bc287b6 .text1 1024 5.130274\r\nc0265513cd36f1d659cc71bd70bfef58 .rdata 512 3.215043\r\n3853bbcd5344aff518bb2f1ccbd05bdd .data 12288 7.713634\r\n4d2b117a0087a34a0cb8575f34413c47 .ndata 3584 7.935769\r\nPackers/Compilers/Cryptors\r\nRelationships\r\n156335b95b... Connected_To baroquetees.com\r\n156335b95b... Connected_To rumahsia.com\r\n156335b95b... Dropped 3ba456cafcb31e0710626170c3565aae305bc7c32a948a54f0331d0939e0fe8a\r\n156335b95b... Dropped f6fba207c71d1f53f82d96a87c25c4fa3c020dca58d9b8a266137f33597a0b0e\r\nDescription\r\nThis artifact is a 32-bit DLL that is a DarkSide ransomware variant; the program is named ‘encryptor2.dll’. When it is\r\nexecuted, it invokes the Volume Shadow service (vssvc.exe) to delete any Volume Shadow copies available on the\r\nsystem.\r\nThe malware collects information on the system, including the operating system (OS), default language, username, hostname,\r\ndomain, and OS architecture. 
This information is encrypted and sent to one of the following command-and-control (C2) domains:\r\n---Begin C2 Domains---\r\nbaroquetees[.]com\r\nrumahsia[.]com\r\n---End C2 Domains---\r\nThe malware reads the system GUID and uses the value to generate a unique eight-character hexadecimal extension that it\r\nappends to the encrypted files. This extension is also used as the name of the Windows service the program uses to encrypt the\r\nuser’s data.\r\n---Begin Service Example---\r\nHKLM\\System\\CurrentControlSet\\services\\.045621d9\r\nHKLM\\System\\CurrentControlSet\\services\\.045621d9\\DisplayName Data: “.045621d9”\r\nHKLM\\System\\CurrentControlSet\\services\\.045621d9\\ObjectName Data: “LocalSystem”\r\nHKLM\\System\\CurrentControlSet\\services\\.045621d9\\ImagePath Data: \u003cPath to the DLL\u003e\r\n---End Service Example---\r\nThis variant of the malware contains a hard-coded key ‘_M8607761bf3212d6’ that it uses to decrypt an embedded base64-encoded\r\nconfiguration that controls how the ransomware runs. 
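The following Python script is an added example written for this edition of the report; it is not CISA's code and nothing in it comes from the malware itself. It turns the indicators described in this Findings section (the eight-character hexadecimal victim ID that serves as file extension, service name, ransom note name and wallpaper name, and the directory and file-extension exclusion lists that follow) into three triage routines a responder can run against a file listing and an exported service list: would_encrypt() applies the exclusion rules to one path, find_artifacts() groups ransom notes, wallpaper and encrypted files by victim ID, and suspicious_services() flags a service whose name is a dot followed by eight hex digits and whose ImagePath points at a DLL. All sample paths and service entries are constructed for the example; the substring semantics of the directory check and the decision to report an eight-hex extension only when the same ID also has a note or wallpaper are assumptions, not facts stated in the report.

```python
import os
import re

# Directory-name substrings and file extensions the report says this variant skips.
AVOIDED_DIR_STRINGS = [
    '$recycle.bin', 'config.msi', '$windows.~bt', '$windows.~ws', 'windows',
    'appdata', 'application data', 'boot', 'google', 'mozilla', 'program files',
    'program files (x86)', 'programdata', 'system volume information', 'tor browser',
    'windows.old', 'intel', 'msocache', 'perflogs', 'x64dbg', 'public', 'all users', 'default',
]
SKIPPED_EXTENSIONS = {
    '.386', '.adv', '.ani', '.bat', '.bin', '.cab', '.cmd', '.com', '.cpl', '.cur', '.deskthemepack',
    '.diagcab', '.diagcfg', '.diagpkg', '.dll', '.drv', '.exe', '.hlp', '.icl', '.icns', '.ico', '.ics',
    '.idx', '.ldf', '.lnk', '.mod', '.mpa', '.msc', '.msp', '.msstyles', '.msu', '.nls', '.nomedia',
    '.ocx', '.prf', '.ps1', '.rom', '.rtp', '.scr', '.shs', '.spl', '.sys', '.theme', '.themepack',
    '.wpx', '.lock', '.key', '.hta', '.msi', '.pdb', '.sql',
}

# The per-victim ID is eight lowercase hex characters derived from the machine GUID
# (045621d9 in the report). It is the appended extension, the service name (with a
# leading dot), the ransom note name README.<ID>.TXT and the wallpaper name <ID>.BMP.
VICTIM_ID = '[0-9a-f]{8}'
ENCRYPTED_FILE_RE = re.compile('[.](' + VICTIM_ID + ')$')
RANSOM_NOTE_RE = re.compile('^readme[.](' + VICTIM_ID + ')[.]txt$')
WALLPAPER_RE = re.compile('^(' + VICTIM_ID + ')[.]bmp$')
SERVICE_NAME_RE = re.compile('^[.]' + VICTIM_ID + '$')
BACKSLASH = chr(92)  # spelled this way so the snippet carries no literal backslash


def split_path(path):
    # Return (lowercased directory, lowercased file name); accepts either separator.
    norm = path.replace(BACKSLASH, '/').lower()
    directory, _, name = norm.rpartition('/')
    return directory, name


def would_encrypt(path):
    # Apply the report's two exclusion rules to one path. Assumption (the report does
    # not say): the directory rule is a plain substring test over the whole directory
    # path, so C:/Data/intelreports/q1.docx is skipped because it contains 'intel'.
    directory, name = split_path(path)
    if any(s in directory for s in AVOIDED_DIR_STRINGS):
        return False
    return os.path.splitext(name)[1] not in SKIPPED_EXTENSIONS


def find_artifacts(paths):
    # Group on-disk artifacts by victim ID. A bare eight-hex extension is kept only
    # when the same ID also has a note or wallpaper (assumption), because the report
    # says a README.<ID>.TXT is dropped in every directory that holds encrypted files.
    hits = {}

    def bucket(victim_id):
        return hits.setdefault(victim_id, {'notes': [], 'wallpaper': [], 'encrypted': []})

    for path in paths:
        directory, name = split_path(path)
        if m := RANSOM_NOTE_RE.match(name):
            bucket(m.group(1))['notes'].append(path)
        elif (m := WALLPAPER_RE.match(name)) and directory.endswith('programdata'):
            bucket(m.group(1))['wallpaper'].append(path)
        elif m := ENCRYPTED_FILE_RE.search(name):
            bucket(m.group(1))['encrypted'].append(path)
    return {vid: h for vid, h in hits.items() if h['notes'] or h['wallpaper']}


def suspicious_services(services):
    # services: dicts shaped like the report's registry example (the subkey name under
    # the services key plus its values). The report shows ObjectName = LocalSystem; it
    # is deliberately not required here so a sample that differs is not missed.
    flagged = []
    for svc in services:
        if SERVICE_NAME_RE.match(svc.get('name', '')) and '.dll' in svc.get('ImagePath', '').lower():
            flagged.append(svc['name'])
    return flagged


# Constructed sample data (not taken from the report).
SAMPLE_PATHS = [
    'C:/Users/Bob/Documents/Budget.xlsx',
    'C:/Users/Bob/Documents/Budget.xlsx.045621d9',
    'C:/Users/Bob/Documents/README.045621d9.TXT',
    'C:/ProgramData/045621d9.BMP',
    'C:/Windows/System32/drivers/etc/hosts',
    'C:/Users/Bob/Desktop/run.ps1',
    'C:/Data/intelreports/q1.docx',
    'E:/exports/dump.deadbeef',
]
SAMPLE_SERVICES = [
    {'name': 'Spooler', 'ObjectName': 'LocalSystem', 'ImagePath': 'C:/Windows/System32/spoolsv.exe'},
    {'name': '.045621d9', 'DisplayName': '.045621d9', 'ObjectName': 'LocalSystem',
     'ImagePath': 'C:/ProgramData/encryptor2.dll'},
]

if __name__ == '__main__':
    for p in SAMPLE_PATHS:
        print(('encrypt ' if would_encrypt(p) else 'skip    ') + p)
    print(find_artifacts(SAMPLE_PATHS), suspicious_services(SAMPLE_SERVICES))
```

On a live host the same functions can be fed from a directory walk and from an export of the services registry key shown above. The exclusion lists are only as complete as the configuration CISA recovered from this sample, so a False from would_encrypt() scopes where to look first and is not proof that a file was untouched; a file whose name ends in an eight-hex extension with no matching README note nearby is worth a second look rather than automatic dismissal.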
The program is configured to avoid encrypting any files located in\r\ndirectories that contain the following strings:\r\n---Begin Avoided Directories---\r\n$recycle.bin\r\nconfig.msi\r\n$windows.~bt\r\n$windows.~ws\r\nwindows\r\nappdata\r\napplication data\r\nboot\r\ngoogle\r\nmozilla\r\nprogram files\r\nprogram files (x86)\r\nprogramdata\r\nsystem volume information\r\ntor browser\r\nwindows.old\r\nintel\r\nmsocache\r\nperflogs\r\nx64dbg\r\npublic\r\nall users\r\ndefault\r\n---End Avoided Directories---\r\nAny files with the following extensions will not be encrypted:\r\n---Begin File Extensions---\r\n.386\r\n.adv\r\n.ani\r\n.bat\r\n.bin\r\n.cab\r\n.cmd\r\n.com\r\n.cpl\r\n.cur\r\n.deskthemepack\r\n.diagcab\r\n.diagcfg\r\n.diagpkg\r\n.dll\r\n.drv\r\n.exe\r\n.hlp\r\n.icl\r\n.icns\r\n.ico\r\n.ics\r\n.idx\r\n.ldf\r\n.lnk\r\n.mod\r\n.mpa\r\n.msc\r\n.msp\r\n.msstyles\r\n.msu\r\n.nls\r\n.nomedia\r\n.ocx\r\n.prf\r\n.ps1\r\n.rom\r\n.rtp\r\n.scr\r\n.shs\r\n.spl\r\n.sys\r\n.theme\r\n.themepack\r\n.wpx\r\n.lock\r\n.key\r\n.hta\r\n.msi\r\n.pdb\r\n.sql\r\n---End File Extensions---\r\nBefore the encryption routine starts, the program checks whether any of the following processes are running and\r\nterminates them:\r\n---Begin Running Processes---\r\noracle\r\nocssd\r\ndbsnmp\r\nsynctime\r\nagntsvc\r\nisqlplussvc\r\nxfssvccon\r\nmydesktopservice\r\nocautoupds\r\nencsvc\r\nfirefox\r\ntbirdconfig\r\nmydesktopqos\r\nocomm\r\ndbeng50\r\nsqbcoreservice\r\nexcel\r\ninfopath\r\nmsaccess\r\nmspub\r\nonenote\r\noutlook\r\npowerpnt\r\nsteam\r\nthebat\r\nthunderbird\r\nvisio\r\nwinword\r\nwordpad\r\nnotepad\r\n---End Running Processes---\r\nThe following services will also be terminated:\r\n---Begin Terminated Services---\r\n.vss\r\n.sql\r\nsvc$\r\nmemtas\r\nmepocs\r\nsophos\r\nveeam\r\nbackup\r\nGxVss\r\nGxBlr\r\nGxFWD\r\nGxCVD\r\nGxCIMgr\r\n---End Terminated Services---\r\nAfter the encryption routine runs, a bitmap image file is created in the path C:\\ProgramData with the same name as the\r\nencryption extension, e.g. ‘045621d9.BMP’. The following registry values are set so that the ransom note image is displayed as the\r\nwallpaper on the user’s desktop:\r\n---Begin Wallpaper Registry Keys---\r\nHKU\\DEFAULT\\Control Panel\\Desktop\\Wallpaper Data: \u003cPath to .BMP file\u003e\r\nHKCU\\Control Panel\\Desktop\\Wallpaper Data: \u003cPath to .BMP file\u003e\r\n---End Wallpaper Registry Keys---\r\nThe .BMP file contains instructions to the victim for recovering data (Figure 1).\r\nIn each directory in which the program has encrypted files, a ransom note is dropped with the naming format\r\n‘README.\u003cUniqueID\u003e.TXT’. The file contains instructions for the victim to follow to recover files.\r\nThe following is an example of the recovery instructions:\r\n---Begin Recovery Instructions---\r\n----------- [ Welcome to DarkSide ] -------------\u003e\r\nWhat happend?\r\n----------------------------------------------\r\nYour computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt\r\nyour data.\r\nBut you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all\r\nyour network.\r\nFollow our instructions below and you will recover all your data.\r\nWhat guarantees?\r\n----------------------------------------------\r\nWe value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests.\r\nAll our decryption software is perfectly tested and will decrypt your data. 
We will also provide support in case of problems.\r\nWe guarantee to decrypt one file for free. Go to the site and contact us.\r\nHow to get access on website?\r\n----------------------------------------------\r\nUsing a TOR browser:\r\n1) Download and install TOR browser from this site: hxxps[:]//torproject.org/\r\n2) Open our website:\r\nhxxp[:]//dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/ZWQHXVE7MW9JXE5N1EGIP6IMEFAGC7LNN6WJCBVKJFKB\r\nWhen you open our website, put the following data in the input form:\r\nKey:\r\nlmrlfxpjZBun4Eqc4Xd4XLJxEOL5JTOTLtwCOqxqxtFfu14zvKMrLMUiGV36bhzV5nfRPSSvroQiL6t36hV87qDIDlub946I5ud5QQIZC3EEzHaIy04dB\r\n!!! DANGER !!!\r\nDO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.\r\n!!! DANGER !!!\r\n---End Recovery Instructions---\r\nScreenshots\r\nFigure 1. -\r\nbaroquetees.com\r\nTags\r\ncommand-and-control\r\nPorts\r\n443 TCP\r\nWhois\r\nDomain Name: BAROQUETEES.COM\r\nRegistry Domain ID: 2536327775_DOMAIN_COM-VRSN\r\nRegistrar WHOIS Server: whois.namecheap.com\r\nRegistrar URL: http://www.namecheap.com\r\nUpdated Date: 2021-02-27T09:49:39Z\r\nCreation Date: 2020-06-11T14:12:08Z\r\nRegistry Expiry Date: 2021-06-11T14:12:08Z\r\nRegistrar: NameCheap, Inc.\r\nRegistrar IANA ID: 1068\r\nRegistrar Abuse Contact Email: abuse@namecheap.com\r\nRegistrar Abuse Contact Phone: +1.6613102107\r\nDomain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\r\nName Server: DNS1.REGISTRAR-SERVERS.COM\r\nName Server: DNS2.REGISTRAR-SERVERS.COM\r\nDNSSEC: unsigned\r\nDomain name: baroquetees.com\r\nRegistry Domain ID: 2536327775_DOMAIN_COM-VRSN\r\nRegistrar WHOIS Server: whois.namecheap.com\r\nRegistrar URL: http://www.namecheap.com\r\nUpdated Date: 0001-01-01T00:00:00.00Z\r\nCreation Date: 2020-06-11T14:12:08.00Z\r\nRegistrar Registration Expiration Date: 2021-06-11T14:12:08.00Z\r\nRegistrar: NAMECHEAP INC\r\nRegistrar IANA ID: 1068\r\nRegistrar Abuse Contact Email: abuse@namecheap.com\r\nRegistrar Abuse Contact Phone: +1.6613102107\r\nReseller: NAMECHEAP INC\r\nDomain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\r\nRegistrant Name: Withheld for Privacy Purposes\r\nRegistrant Organization: Privacy service provided by Withheld for Privacy ehf\r\nRegistrant Street: Kalkofnsvegur 2\r\nRegistrant City: Reykjavik\r\nRegistrant State/Province: Capital Region\r\nRegistrant Postal Code: 101\r\nRegistrant Country: IS\r\nRegistrant Phone: +354.4212434\r\nRegistrant Email: b261116753cd4019a6d879fad2cd43ca.protect@withheldforprivacy.com\r\nAdmin Name: Withheld for Privacy Purposes\r\nAdmin Organization: Privacy service provided by Withheld for Privacy ehf\r\nAdmin Street: Kalkofnsvegur 2\r\nAdmin City: Reykjavik\r\nAdmin State/Province: Capital Region\r\nAdmin Postal Code: 101\r\nAdmin Country: IS\r\nAdmin Phone: +354.4212434\r\nAdmin Email: b261116753cd4019a6d879fad2cd43ca.protect@withheldforprivacy.com\r\nTech Name: Withheld for Privacy Purposes\r\nTech Organization: Privacy service provided by Withheld for Privacy ehf\r\nTech Street: Kalkofnsvegur 2\r\nTech City: Reykjavik\r\nTech State/Province: Capital Region\r\nTech Postal Code: 101\r\nTech Country: IS\r\nTech Phone: +354.4212434\r\nTech Email: b261116753cd4019a6d879fad2cd43ca.protect@withheldforprivacy.com\r\nName Server: dns1.registrar-servers.com\r\nName Server: dns2.registrar-servers.com\r\nDNSSEC: unsigned\r\nRelationships\r\nbaroquetees.com Resolved_To 176.103.62.217\r\nbaroquetees.com Connected_From 156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673\r\nDescription\r\nThe ransomware collects system information and sends it to this domain.\r\n176.103.62.217\r\nTags\r\ncommand-and-control\r\nRelationships\r\n176.103.62.217 Resolved_To baroquetees.com\r\nDescription\r\nAt the time of analysis the domain baroquetees[.]com resolved to this Internet Protocol (IP) address.\r\nrumahsia.com\r\nTags\r\ncommand-and-control\r\nWhois\r\nDomain Name: RUMAHSIA.COM\r\nRegistry Domain ID: 2519337945_DOMAIN_COM-VRSN\r\nRegistrar WHOIS Server: whois.namecheap.com\r\nRegistrar URL: http://www.namecheap.com\r\nUpdated Date: 2021-04-28T07:21:46Z\r\nCreation Date: 2020-04-27T16:07:26Z\r\nRegistry Expiry Date: 2022-04-27T16:07:26Z\r\nRegistrar: NameCheap, Inc.\r\nRegistrar IANA ID: 1068\r\nRegistrar Abuse Contact Email: abuse@namecheap.com\r\nRegistrar Abuse Contact Phone: +1.6613102107\r\nDomain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\r\nName Server: DNS101.REGISTRAR-SERVERS.COM\r\nName Server: DNS102.REGISTRAR-SERVERS.COM\r\nDNSSEC: unsigned\r\nDomain name: rumahsia.com\r\nRegistry Domain ID: 2519337945_DOMAIN_COM-VRSN\r\nRegistrar WHOIS Server: whois.namecheap.com\r\nRegistrar URL: http://www.namecheap.com\r\nUpdated Date: 0001-01-01T00:00:00.00Z\r\nCreation Date: 2020-04-27T16:07:26.00Z\r\nRegistrar Registration Expiration Date: 2021-04-27T16:07:26.00Z\r\nRegistrar: NAMECHEAP INC\r\nRegistrar IANA ID: 1068\r\nRegistrar Abuse Contact Email: abuse@namecheap.com\r\nRegistrar Abuse Contact Phone: +1.6613102107\r\nReseller: NAMECHEAP INC\r\nDomain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\r\nRegistrant Name: REACTIVATION PERIOD\r\nRegistrant Organization: Withheld for Privacy Purposes\r\nRegistrant Street: Kalkofnsvegur 2\r\nRegistrant City: Reykjavik\r\nRegistrant State/Province: Capital Region\r\nRegistrant Postal Code: 101\r\nRegistrant Country: IS\r\nRegistrant Phone: +354.4212434\r\nRegistrant Email: reactivation-pending@mail.withheldforprivacy.com\r\nAdmin Name: REACTIVATION PERIOD\r\nAdmin Organization: Withheld for Privacy Purposes\r\nAdmin Street: Kalkofnsvegur 2\r\nAdmin City: Reykjavik\r\nAdmin State/Province: Capital Region\r\nAdmin Postal Code: 101\r\nAdmin Country: IS\r\nAdmin Phone: +354.4212434\r\nAdmin Email: reactivation-pending@mail.withheldforprivacy.com\r\nTech Name: REACTIVATION PERIOD\r\nTech Organization: Withheld for Privacy Purposes\r\nTech Street: Kalkofnsvegur 2\r\nTech City: Reykjavik\r\nTech State/Province: Capital Region\r\nTech Postal Code: 101\r\nTech Country: IS\r\nTech Phone: +354.4212434\r\nTech Email: reactivation-pending@mail.withheldforprivacy.com\r\nName Server: dns101.registrar-servers.com\r\nName Server: dns102.registrar-servers.com\r\nDNSSEC: unsigned\r\nRelationships\r\nrumahsia.com Resolved_To 99.83.154.118\r\nrumahsia.com Connected_From 156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673\r\nDescription\r\nThe ransomware collects system information and sends it to this domain.\r\n99.83.154.118\r\nTags\r\ncommand-and-control\r\nRelationships\r\n99.83.154.118 Resolved_To rumahsia.com\r\nDescription\r\nAt the time of analysis the domain rumahsia[.]com resolved to this IP address.\r\n3ba456cafcb31e0710626170c3565aae305bc7c32a948a54f0331d0939e0fe8a\r\nTags\r\nransomware\r\nDetails\r\nName 045621d9.BMP\r\nSize 4339094 bytes\r\nType PC bitmap, Windows 3.x format, 2308 x 940 x 16, image size 4339040, cbSize 4339094, bits offset 54\r\nMD5 2e5dee7e7d8aa32b5a638cd619eb67b3\r\nSHA1 1cbb4aa1dd284d62f4eb1833b6fe1290c122ccf7\r\nSHA256 3ba456cafcb31e0710626170c3565aae305bc7c32a948a54f0331d0939e0fe8a\r\nSHA512 7f731e2fa892082a5f2c3e4865eaeab9b3f03ae26ce4fe545a46de5002130b1374b941fc3cb3bf0204d036b2233023658869bf22b626bf947627e\r\nssdeep 12:RLp5BJxhfVfPNpNhdhhxvn9RBxJRRPHJvPZBJxhf55vPpZ5B1ZJZxNBJv5B15Bpx:R\r\nEntropy 0.155294\r\nPath C:\\ProgramData\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n3ba456cafc... Dropped_By 156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673\r\nDescription\r\nThis bitmap image is the wallpaper used by the ransomware.\r\nf6fba207c71d1f53f82d96a87c25c4fa3c020dca58d9b8a266137f33597a0b0e\r\nTags\r\nransomware, trojan\r\nDetails\r\nName README.045621d9.TXT\r\nSize 2009 bytes\r\nType ASCII text, with very long lines, with CRLF line terminators\r\nMD5 135d0337c142e73417030daf30d835ac\r\nSHA1 4d03e3db39adaf57df53181429706aa854878026\r\nSHA256 f6fba207c71d1f53f82d96a87c25c4fa3c020dca58d9b8a266137f33597a0b0e\r\nSHA512 b07fefbceeba5eddac04ecf011f347fd3879b77330d4db6178dd1daa54dbed956f90e28ecf93404e8c98f9683aac0fd238133d6188f29264752045\r\nssdeep 48:L7EZWCOqZGgQx8N3NbS/3TXWAxdHyJWtbXi5RLNRVtRGHE:LAMCMxq3NbS/rrn9d2RL/VH7\r\nEntropy 5.517181\r\nAntivirus\r\nESET Win32/Filecoder.DarkSide trojan\r\nTrendMicro Ransom.B01C9038\r\nTrendMicro House Call Ransom.B01C9038\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\nf6fba207c7... Dropped_By 156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673\r\nDescription\r\nThis is the ransom note created by the DarkSide ransomware variant. The note contains the .onion address of the actors' site and\r\nthe pre-shared key the victim must enter there; the actors offer to decrypt one file for free.\r\nScreenshots\r\nFigure 2. -\r\nRelationship Summary\r\n156335b95b... Connected_To baroquetees.com\r\n156335b95b... Connected_To rumahsia.com\r\n156335b95b... Dropped 3ba456cafcb31e0710626170c3565aae305bc7c32a948a54f0331d0939e0fe8a\r\n156335b95b... Dropped f6fba207c71d1f53f82d96a87c25c4fa3c020dca58d9b8a266137f33597a0b0e\r\nbaroquetees.com Resolved_To 176.103.62.217\r\nbaroquetees.com Connected_From 156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673\r\n176.103.62.217 Resolved_To baroquetees.com\r\nrumahsia.com Resolved_To 99.83.154.118\r\nrumahsia.com Connected_From 156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673\r\n99.83.154.118 Resolved_To rumahsia.com\r\n3ba456cafc... Dropped_By 156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673\r\nf6fba207c7... Dropped_By 156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673\r\nRecommendations\r\nCISA recommends that users and administrators consider using the following best practices to strengthen the security\r\nposture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators\r\nprior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. 
Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).\r\nAdditional information on malware incident prevention and handling can be found in National Institute of Standards and\r\nTechnology (NIST) Special Publication 800-83, \"Guide to Malware Incident Prevention \u0026 Handling for Desktops and\r\nLaptops\".\r\nContact Information\r\nDocument FAQ\r\nWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in\r\na timely manner. In most instances this report will provide initial indicators for computer and network defense. To request\r\nadditional analysis, please contact CISA and provide information regarding the level of desired analysis.\r\nWhat is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? 
This document is not to be edited in any way by recipients. All comments or questions related to\r\nthis document should be directed to the CISA at 1-844-Say-CISA or CISA Service Desk.\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.\r\nSource: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-189a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-189a"
	],
	"report_names": [
		"ar21-189a"
	],
	"threat_actors": [],
	"ts_created_at": 1775434703,
	"ts_updated_at": 1775791300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f5e668b7e091557a64d7196b38d1fceda14fca39.pdf",
		"text": "https://archive.orkl.eu/f5e668b7e091557a64d7196b38d1fceda14fca39.txt",
		"img": "https://archive.orkl.eu/f5e668b7e091557a64d7196b38d1fceda14fca39.jpg"
	}
}