Sites
Favicon | Title | Available | Last Visit | FQDN | Screenshot |
---|---|---|---|---|---|
None | 🔴 | 2021-05-01 00:00:00.000000 | darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion | N/A |
The Darkside ransomware group started operating in August 2020 under a RaaS (Ransomware-as-a-Service) model. They became known for operations demanding large ransoms. They announced that they prefer not to attack hospitals, schools, non-profits, and governments, but rather big organizations that are able to pay large ransoms. The group became very famous following the cyberattacks on Colonial Pipeline and a Toshiba unit. The FBI finally terminated the Darkside operation and managed to pull money back from their wallets.
Discovery | RMM Tools | Defense Evasion | Credential Theft | OffSec | Networking | LOLBAS | Exfiltration |
---|---|---|---|---|---|---|---|
ADRecon | AnyDesk | | Mimikatz | Cobalt Strike | Plink | PsExec | Bashupload |
AdFind | GoToAssist | | SessionGopher | CrackMapExec | | | MEGA |
Advanced IP Scanner | TightVNC | | | Impacket | | | pCloud |
SoftPerfect NetScan | | | | PowerSploit | | | RClone |
| | | | | | | Sendspace |
This information is provided by Ransomware-Tool-Matrix
Name | # Msg | Initial Ransom | Negotiated Ransom | Paid |
---|---|---|---|---|
20200811 | 85 | N/A | N/A | |
20210418 | 10 | N/A | N/A | |
20201115 | 243 | $1,000,000 | $350,000 | |
20210413 | 63 | $600,000 | $250,000 | |
20210215 | 24 | N/A | $250,000 | |
This information is provided by Valéry Marchive & Julien Mousqueton
Employees(s) | Customer(s) | Third Party Employee(s) |
---|---|---|
This information is provided by HudsonRock
```yara
rule Darkside_linux {
    meta:
        description = "darkside ransomware linux version"
        author = "Alienvault Labs"
        copyright = "Alienvault Inc. 2021"
    strings:
        $s1 = "[END] Remove Self"
        $s2 = "[CFG] Landing URL#["
        $s3 = "Welcome to DarkSide"
        $dec_loop = { 0F B6 02 84 C0 74 1C 0F B6 B1 DF A7 89 00 40 38 F0 74 10 48 83 C1 01 31 F0 48 83 F9 20 88 02 49 0F 44 C8 }
    condition:
        uint32(0) == 0x464C457F and all of them
}
```