DarkSide ransomware is highly selective and targeted toward its victims. Its victims are business users and enterprises; it encrypts their data with Salsa20 + RSA-1024 and then demands a multi-million dollar ransom in BTC to get the files back. Before mounting an attack, DarkSide creates a custom ransomware executable built for the specific company it is targeting. When executed, the ransomware runs a PowerShell command that deletes Shadow Volume Copies on the system so that they cannot be used to recover files. It then terminates the processes of databases, office applications and email clients to prepare the machine for encryption. Oddly, it leaves the TeamViewer process running, which may be used for remote access later.
DarkSide has similarities with REvil Ransomware. It also does not infect systems whose locale is that of a CIS country, another trait shared between REvil Ransomware and GandCrab Ransomware.
Update: DarkSide operators moved their distributed backup system to Iran for storage of the data stolen from their victims.
Update: Bitdefender released a free decryptor tool.
DarkSide Ransomware v1.8.6.2 Signatures
Family: Ransom:Win32/DarkSide!MSR
MD5: 9d418ecc0f3bf45029263b0944236884
SHA256: 151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5
DarkSide Ransomware v1.8.6.2 Download
DarkSide Ransomware Signatures
Family: Trojan:Win32/Ymacco.AA9C
MD5: f87a2e1c3d148a67eaeb696b1ab69133
SHA256: 9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297
DarkSide Ransomware Download
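The following triage helper is an added example, not code from the page or from any vendor; it ties the two parts of this page together from a defender's side. It matches file digests against the MD5/SHA256 values listed in the signature blocks above, and it scans process-creation log lines for the shadow-copy deletion behaviour described in the first paragraph. The log line format and the indicator strings (the page only says a PowerShell command deletes Shadow Volume Copies; the exact command is not on the page) are assumptions, and the sample log lines are constructed for the demonstration.

```python
import hashlib
import re

# File hashes listed on this page for the two DarkSide samples.
DARKSIDE_IOC_HASHES = {
    "md5": {
        "9d418ecc0f3bf45029263b0944236884",
        "f87a2e1c3d148a67eaeb696b1ab69133",
    },
    "sha256": {
        "151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5",
        "9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297",
    },
}

# Assumed indicators of Shadow Volume Copy deletion. The page states only that
# a PowerShell command removes the copies; these patterns cover the commonly
# documented ways shadow copies are deleted (MITRE ATT&CK T1490 style detection).
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*(delete|remove-wmiobject|remove-ciminstance)", re.I),
]

# Constructed process-creation log lines (assumed key=value format, not real telemetry).
SAMPLE_LOG_LINES = [
    r'2021-05-10T08:14:02Z host=FS01 user=svc_backup image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe list shadows"',
    r'2021-05-10T08:14:09Z host=FS01 user=jdoe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -Command Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"',
    r'2021-05-10T08:14:11Z host=FS01 user=jdoe image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"',
    r'2021-05-10T08:15:30Z host=FS01 user=jdoe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe readme.txt"',
]


def classify_hash(hex_digest):
    """Return 'md5' or 'sha256' if the digest is one of the listed IoCs, else None."""
    digest = hex_digest.strip().lower()
    for algo, known in DARKSIDE_IOC_HASHES.items():
        if digest in known:
            return algo
    return None


def hash_file(path):
    """Compute MD5 and SHA256 of a file in chunks so large binaries are not read at once."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def check_file(path):
    """Map each algorithm to True when the file's digest matches a listed DarkSide IoC."""
    return {algo: classify_hash(d) is not None for algo, d in hash_file(path).items()}


def scan_process_log(lines):
    """Return (line_number, pattern) for every line showing shadow-copy deletion.

    A line is reported once even if several patterns match it.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        for pattern in SHADOW_COPY_PATTERNS:
            if pattern.search(line):
                hits.append((number, pattern.pattern))
                break
    return hits


if __name__ == "__main__":
    for number, pattern in scan_process_log(SAMPLE_LOG_LINES):
        print(f"line {number}: shadow-copy deletion indicator /{pattern}/")
    print("known MD5 ->", classify_hash("9d418ecc0f3bf45029263b0944236884"))
```

Run on real telemetry, `scan_process_log` should be fed the command-line field of process-creation events (Sysmon Event ID 1 or Windows Security 4688) rather than free text, and `check_file` should be pointed at files quarantined from a suspect host; the listing of shadow copies on line 1 of the sample is deliberately not flagged, since backup jobs enumerate them routinely.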