Meet DarkSide and Their Ransomware – SentinelOne Customers Protected

The recent campaign targeting Colonial Pipeline in the United States is a sobering example of the extent to which cyber attacks, specifically ransomware, threaten everyday life. There is a lot more at stake than encrypted or stolen data. The economic reverberations of a disruptive attack on critical infrastructure, whether carried out for financial gain or otherwise, are hard to predict. With the pipeline proactively shut down as of Sunday, May 9th, there are concerns about how the outage will affect fuel prices and for how long. How the coming weeks and months play out may serve as a template for predicting the impact and risk associated with similar attacks, which will inevitably follow.

SentinelOne detects and protects against DarkSide ransomware. No action is required for our customers.

SentinelOne Protects from DarkSide Ransomware

In this post, we discuss how the DarkSide malware and its affiliate network have evolved, including changes to the feature set and the areas in which the group recruits.

Watch How SentinelOne Mitigates DarkSide Ransomware
Beyond prevention, it is important that your security tool can mitigate and roll back the damage in the event of a ransomware attack.

Who is DarkSide?

The attack on Colonial Pipeline has been attributed to DarkSide, a relatively new ransomware family that emerged on the crimeware market in November 2020.

DarkSide claims not to attack Medical, Educational, Non-Profit, or Government sectors

DarkSide launched as a RaaS (Ransomware-as-a-Service) with the stated goal of only targeting ‘large corporations.’ The operators focus primarily on recruiting Russian-speaking (CIS) affiliates and are very skeptical of partnerships or interactions outside that region. From the outset, DarkSide concentrated on choosing the ‘right’ targets and identifying their most valuable data, which reflects a deliberate, selective approach to where the group spends its effort. From their inception, DarkSide claimed they would avoid attacking the medical, educational, non-profit, or government sectors.

DarkSide affiliate recruitment post

At the time of launch, the features offered by DarkSide were fairly standard. They emphasized encryption speed and a wealth of options for dealing with anything that might inhibit the encryption process (e.g., security software). They also advertised a Linux variant with comparable features. Following in the footsteps of recently successful ransomware families like Maze and Cl0p, DarkSide established a victim data leak blog as further leverage to encourage ransom payouts.

The original DarkSide 1.0 Feature set was advertised as follows:

Windows [
	full ASM, Salsa20 + RSA-1024, 
	I/O, own implementation of Salsa20 and RSA, 
	fast / auto (improved space) / full, 
	token impersonation for working with network shares, 
	slave table, freeing busy files, 
	changing file permissions, 
	ARP scanner, 
	process termination, 
	service termination, 
	drag-and-drop and much more].

Linux [
	C++, ChaCha20 + RSA-4096, 
	multithreading (including hyper-threading; the analog of I/O on Windows), 
	support for stripped-down OS builds (ESXi 5.0+), 
	fast / space, 
	directory configuration and much more].

Admin panel [
	full AJAX, 
	automatic acceptance of Bitcoin and Monero, 
	generation of Windows / Linux builds with all parameters specified (processes, services, folders, extensions, ...), 
	bot reporting and detailed statistics on the campaign’s performance, 
	automatic distribution and withdrawal of funds, 
	sub-accounts, 
	online chat and many others].

Leak site [
	hidden posts, 
	phased publication of target data and much more functionality].

CDN system for data storage [
	receiving quotas, 
	fast data upload, 
	storage for 6 months from the moment of upload].

A Well-Organized Affiliate Network

Prospective affiliates are subject to DarkSide’s rigorous vetting process, which examines the candidate’s ‘work history,’ areas of expertise, and past profits, among other things. To get started, affiliates were required to deposit 20 BTC (at the time, around $300,000 USD).

DarkSide announces improved CDN

Over the following months, DarkSide continued to improve its services, while also expanding its affiliate network. By late November 2020, DarkSide launched a more advanced Content Delivery Network (CDN) that allowed their operators to more efficiently store and distribute stolen victim data. Many of their high-value targets found themselves listed on the victim blog, including a number of financial, accounting, and legal firms, as well as technology companies.

Initial access can take many forms depending on the affiliate involved, their needs, and their timeline. In the majority of the campaigns observed, the ransomware was deployed only after the enterprise had been thoroughly scouted using Cobalt Strike Beacon infections. After this reconnaissance phase, the operators deploy the DarkSide ransomware wherever it will cause the greatest disruption.

DarkSide Decryption Tool – Is it Working?

In January 2021, Bitdefender released a DarkSide decryption tool, which was also posted to the NoMoreRansom project website. The tool reportedly had a high success rate.

DarkSide 2.0 performance comparisons

By March 2021, the group had announced the launch of the new and improved DarkSide 2.0. The new iteration includes many improvements to both the Windows and Linux variants, and files it encrypts can no longer be recovered with the decryption tool. DarkSide 2.0 reportedly encrypts data on disk twice as fast as the original.

Other updated features include:

  • Expanded multi-processor support (parallel/simultaneous encryption across volumes)
  • EXE and DLL-based payloads
  • Updated Salsa20 + RSA-1024 implementation with “proprietary acceleration”
  • New operating modes (Fast / Full / Auto)
  • 19 total build settings
  • Active account impersonation
  • Active Directory support (discovery and traversal)
  • New CMD-line parameter support

On the Linux side, DarkSide 2.0 offers the following updates:

  • Updated multithreading support
  • Updated ChaCha20 + RSA-4096 implementation
  • 2 new operating modes (Fast / Space)
  • 14 Total build settings
  • Support for all major ESXi versions
  • NAS support (Synology, OMV)

Along with this expanded feature set, SentinelLabs researchers have seen a shift in how DarkSide payloads are packed, from standard packers like VMProtect and UPX to a custom packer the group refers to internally as ‘encryptor2.’

A Battle for Territory

With the release of DarkSide 2.0, the group has continued to increase its footprint in the ransomware landscape. Along with their territorial expansion throughout 2021, DarkSide also escalated their ‘pressure campaigns’ on victims to include DDoS attacks alongside the threat of data leakage. The group can launch Layer 3 (network) and Layer 7 (application) DDoS attacks against victims who choose to resist ‘cooperation’.

More recently, DarkSide operators have been trying to attract more expertise in assessing the value of data and networks, and seeking partners who can provide existing access to target environments or new methods of initial access. These efforts are intended to streamline operations and increase efficiency.

New methods and talent areas

The Colonial Pipeline attack is only the latest in a slew of increasingly daring ransomware attacks. The best defense against a severe ransomware attack (and the nightmare that follows it) is preparation and prevention. Technology is a huge part of that, but user hygiene and education must not be discounted. It is vital to keep end users up to date on the threats that are out there and how to spot them. Vigilant users, along with robust preventative controls, are key. Business continuity planning and disaster recovery drills are not fun, but they are critical to ensuring readiness and resilience against these threats.

The SentinelOne platform is fully capable of preventing and detecting the malware and artifacts associated with DarkSide ransomware. We hope that the pipeline starts flowing again soon; our society depends on it to live.

Indicators of Compromise

MITRE ATT&CK techniques

T1112 Modify Registry
T1012 Query Registry
T1082 System Information Discovery
T1120 Peripheral Device Discovery
T1005 Data from Local System
T1486 Data Encrypted for Impact
T1543.003 Create or Modify System Process: Windows Service
T1490 Inhibit System Recovery
T1553.004 Subvert Trust Controls: Install Root Certificate
T1078 Valid Accounts
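The ATT&CK techniques listed above double as a hunting checklist. As an added example that is not part of the original post and not SentinelOne's own tooling, the Python script below maps process command lines to four of those techniques (T1490, T1543.003, T1553.004 and T1112) and flags any host on which several distinct techniques appear within a short window. The pipe-separated log format, the hostnames, user names and command lines are all constructed for the example; the regular expressions describe well-known generic procedures for those techniques and are not claimed to be the commands DarkSide itself runs.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Technique IDs come from the ATT&CK list in the post. The command-line
# patterns are generic, publicly documented procedures for those techniques
# (assumptions for this example), not commands attributed to DarkSide.
RULES = [
    ("T1490", "Inhibit System Recovery",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"
                r"|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b"
                r"|\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b"
                r"|\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
    ("T1543.003", "Create or Modify System Process: Windows Service",
     re.compile(r"\bsc(?:\.exe)?\s+create\b|\bNew-Service\b", re.I)),
    ("T1553.004", "Subvert Trust Controls: Install Root Certificate",
     re.compile(r"\bcertutil(?:\.exe)?\b.*-addstore\b.*\broot\b"
                r"|\bImport-Certificate\b.*\bRoot\b", re.I)),
    ("T1112", "Modify Registry",
     re.compile(r"\breg(?:\.exe)?\s+add\b", re.I)),
]

# Constructed sample export: timestamp|host|user|image|command line.
# Hostnames, users and command lines are invented for this example.
SAMPLE_LOG = """\
2021-05-09T01:12:03Z|WS-FIN-07|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir C:\\Users
2021-05-09T01:15:44Z|WS-FIN-07|CORP\\svc_deploy|C:\\Windows\\System32\\certutil.exe|certutil.exe -addstore -f root C:\\ProgramData\\update.cer
2021-05-09T01:16:10Z|WS-FIN-07|CORP\\svc_deploy|C:\\Windows\\System32\\sc.exe|sc.exe create DefragSvc binPath= C:\\ProgramData\\svc.exe start= auto
2021-05-09T01:16:31Z|WS-FIN-07|CORP\\svc_deploy|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2021-05-09T03:40:12Z|SRV-BKP-01|CORP\\backupadm|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /for=D: /oldest
"""


@dataclass(frozen=True)
class Hit:
    ts: datetime
    host: str
    user: str
    technique_id: str
    technique_name: str
    cmdline: str


def parse_line(line):
    """Split one pipe-separated record; the command line may itself contain '|'."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), host, user, image, cmdline


def triage(log_text):
    """Return one Hit per (record, matching rule), in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, _image, cmdline = parse_line(line)
        for tid, name, pattern in RULES:
            if pattern.search(cmdline):
                hits.append(Hit(ts, host, user, tid, name, cmdline))
    return hits


def correlate(hits, window=timedelta(minutes=30), min_techniques=2):
    """Flag hosts where at least min_techniques distinct techniques occur
    within `window`. A lone shadow-copy deletion on a backup server is
    routine noise; recovery inhibition next to a new service and a new
    root certificate on one workstation is not."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h.host].append(h)
    flagged = {}
    for host, host_hits in by_host.items():
        host_hits.sort(key=lambda h: h.ts)
        for i, first in enumerate(host_hits):
            cluster = [h for h in host_hits[i:] if h.ts - first.ts <= window]
            techniques = sorted({h.technique_id for h in cluster})
            if len(techniques) >= min_techniques:
                flagged[host] = techniques
                break
    return flagged


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts:%H:%M:%S} {h.host} {h.user} {h.technique_id} {h.cmdline}")
    print("flagged:", correlate(found))
```

Run it against a process-creation export (EDR telemetry or Sysmon Event ID 1) in the same five-field layout. The discovery techniques in the list (T1012, T1082, T1120) and T1112 match far too much legitimate activity to alert on alone, which is why the correlation step, not the individual regex, produces the alert; tune the window and threshold to your environment.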