Darkside

Description

FireEye describes DARKSIDE as ransomware written in C and configurable to target files on fixed disks, removable disks, or network shares. Affiliates can customize the malware to create a build for specific victims.

External Analysis
https://blog.qualys.com/vulnerabilities-threat-research/2021/06/09/darkside-ransomware
https://www.varonis.com/blog/darkside-ransomware
https://abcnews.go.com/Politics/biden-speak-colonial-pipeline-attack-americans-face-gasoline/story?id=77666212
https://blog.gigamon.com/2021/05/17/tracking-darkside-and-ransomware-the-network-view/
https://blog.group-ib.com/blackmatter#
https://blog.group-ib.com/blackmatter2
https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service
https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html
https://cybersecurity.att.com/blogs/labs-research/darkside-raas-in-linux-version
https://krebsonsecurity.com/2021/05/darkside-ransomware-gang-quits-after-servers-bitcoin-stash-seized/
https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/
https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b
https://otx.alienvault.com/pulse/60d0afbc395c24edefb33bb9
https://pylos.co/2021/05/13/mind-the-air-gap/
https://securityscorecard.com/blog/new-evidence-supports-assessment-that-darkside-likely-responsible-for-colonial-pipeline-ransomware-attack-others-targeted
https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf
https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/
https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/
https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/
https://therecord.media/popular-hacking-forum-bans-ransomware-ads/
https://twitter.com/GelosSnake/status/1451465959894667275
https://twitter.com/JAMESWT_MHT/status/1388301138437578757
https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/
https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/
https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/
https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-revil-restricts-targets/
https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/
https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/
https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/
https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout
https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/
https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/
https://www.crowdstrike.com/blog/how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack/
https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/
https://www.databreaches.net/a-former-darkside-listing-shows-up-on-revils-leak-site/
https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/
https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group
https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin
https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims
https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/
https://www.ic3.gov/Media/News/2021/211101.pdf
https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime
https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside
https://www.maltego.com/blog/chasing-darkside-affiliates-identifying-threat-actors-connected-to-darkside-ransomware-using-maltego-intel-471-1/
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/darkside-ransomware-victims-sold-short/
https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself
https://www.nytimes.com/2021/05/29/world/europe/ransomware-russia-darkside.html
https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html
https://www.secureworks.com/blog/ransomware-groups-use-tor-based-backdoor-for-persistent-access
https://www.technologyreview.com/2021/05/24/1025195/colonial-pipeline-ransomware-bitdefender/
https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html
https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf
https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636
https://www.youtube.com/watch?v=NIiEcOryLpI
https://www.youtube.com/watch?v=qxPXxWMI2i4
http://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/
http://ti.dbappsecurity.com.cn/blog/index.php/2021/05/10/darkside/
https://asec.ahnlab.com/en/34549/
https://blog.360totalsecurity.com/en/darksides-targeted-ransomware-analysis-report-for-critical-u-s-infrastructure-2/
https://blog.cyble.com/2021/08/05/blackmatter-under-the-lens-an-emerging-ransomware-group-looking-for-affiliates/
https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2021/05/18/darkside_ransomware-QfsV.html
https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections
https://brandefense.io/darkside-ransomware-analysis-report/
https://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/
https://community.riskiq.com/article/fdf74f23
https://cybergeeks.tech/a-step-by-step-analysis-of-a-new-version-of-darkside-ransomware/
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
https://ghoulsec.medium.com/mal-series-13-darkside-ransomware-c13d893c36a6
https://github.com/Haxrein/Malware-Analysis-Reports/blob/main/darkside_ransomware_technical_analysis_report.pdf
https://github.com/sisoma2/malware_analysis/tree/master/blackmatter
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://go.recordedfuture.com/hubfs/reports/MTP-2021-0804.pdf
https://id-ransomware.blogspot.com/2020/08/darkside-ransomware.html
https://id-ransomware.blogspot.com/2021/07/blackmatter-ransomware.html
https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/
https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/
https://labs.bitdefender.com/2021/01/darkside-ransomware-decryption-tool/
https://news.sophos.com/en-us/2021/05/11/a-defenders-view-inside-a-darkside-ransomware-attack/
https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/
https://securityintelligence.com/posts/darkside-oil-pipeline-ransomware-attack/
https://socprime.com/blog/affiliates-vs-hunters-fighting-the-darkside/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps
https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf
https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/
https://therecord.media/ransomware-gang-wants-to-short-the-stock-price-of-their-victims/
https://threatpost.com/guess-fashion-data-loss-ransomware/167754/
https://twitter.com/ValthekOn/status/1422385890467491841?s=20
https://twitter.com/sysopfb/status/1422280887274639375
https://unit42.paloaltonetworks.com/darkside-ransomware/
https://us-cert.cisa.gov/ncas/alerts/aa21-131a
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-189a
https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/
https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion
https://www.acronis.com/en-us/articles/darkside-ransomware/
https://www.advanced-intel.com/post/from-dawn-to-silent-night-darkside-ransomware-initial-attack-vector-evolution
https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/
https://www.bleepingcomputer.com/news/security/darkside-affiliates-claim-gangs-bitcoins-in-deposit-on-hacker-forum/
https://www.bleepingcomputer.com/news/security/darkside-ransomware-gang-returns-as-new-blackmatter-operation/
https://www.bleepingcomputer.com/news/security/darkside-ransomware-is-creating-a-secure-data-leak-service-in-iran/
https://www.bleepingcomputer.com/news/security/us-chemical-distributor-shares-info-on-darkside-ransomware-data-theft/
https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom
https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound
https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/
https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/
https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware
https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/
https://www.databreaches.net/a-chat-with-darkside/
https://www.databreachtoday.com/blogs/darkside-ransomware-gang-launches-affiliate-program-p-2968
https://www.deepinstinct.com/2021/06/04/the-ransomware-conundrum-a-look-into-darkside/
https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/
https://www.dragos.com/blog/industry-news/recommendations-following-the-colonial-pipeline-cyber-attack/
https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
https://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
https://www.glimps.fr/lockbit3-0/
https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf
https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/
https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox
https://www.intel471.com/blog/darkside-ransomware-colonial-pipeline-attack
https://www.mandiant.com/resources/burrowing-your-way-into-vpns
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/are-virtual-machines-the-new-gold-for-cyber-criminals/
https://www.metabaseq.com/recursos/inside-darkside-the-ransomware-that-attacked-colonial-pipeline#
https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/
https://www.nozominetworks.com/blog/colonial-pipeline-ransomware-attack-revealing-how-darkside-works/
https://www.nozominetworks.com/blog/how-to-analyze-malware-for-technical-writing/
https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/
https://www.repubblica.it/economia/finanza/2021/04/28/news/un_sospetto_attacco_telematico_blocca_le_filiali_della_bcc_di_roma-298485827/
https://www.reuters.com/technology/colonial-pipeline-halts-all-pipeline-operations-after-cybersecurity-attack-2021-05-08/
https://www.secjuice.com/blue-team-detection-darkside-ransomware/
https://www.secureworks.com/research/threat-profiles/gold-waterfall
https://www.sentinelone.com/blog/meet-darkside-and-their-ransomware-sentinelone-customers-protected/
https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html
https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html
https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.html
https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf
https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf
https://www.trendmicro.com/en_us/research/21/e/what-we-know-about-darkside-ransomware-and-the-us-pipeline-attac.html
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks
https://www.varonis.com/blog/darkside-ransomware/
https://zawadidone.nl/2020/10/05/darkside-ransomware-analysis.html
https://zawadidone.nl/darkside-ransomware-analysis/
https://zetter.substack.com/p/anatomy-of-one-of-the-first-darkside
Urls
http://darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion