Available solutions for Darkside Ransomware

Updated: 22 May 2021

Product/Version:
    • Apex One 2019
    • Deep Discovery Email Inspector 3.5
    • Deep Discovery Inspector 5.5
    • Deep Security 12.0
    • InterScan Messaging Security Suite 9.1
    • InterScan Messaging Security Virtual Appliance 9.1
    • InterScan Web Security Suite 6.5
    • OfficeScan XG
    • ScanMail for Exchange 14.0
    • Worry-Free Business Security Advanced 10.0
    • Worry-Free Business Security Services 6.7
    • Worry-Free Business Security Standard 10.0

Summary

In August 2020, the threat actor group Carbon Spider, associated with the REvil group, introduced a new ransomware family called Darkside. From November 2020 it was offered under the ransomware-as-a-service (RaaS) model. The operators use a variety of methods to gain initial access to a target environment, specifically phishing, Remote Desktop Protocol (RDP) exploitation, Cobalt Strike, and other exploits. Once they have a foothold, they move to the Domain Controller (DC), where they steal credentials and other valuable assets for data exfiltration. They then continue lateral movement through the network and eventually use a DC network share to deploy the ransomware to connected machines.

Darkside has already been deployed against critical infrastructure in the United States. It uses a "double extortion" technique: in addition to encrypting data on victims' machines, the attackers threaten to release the sensitive information they exfiltrated.

Capabilities

  • File Encryption
  • Data Exfiltration
  • Command and Control
  • Lateral Movement
  • Credential Stealing

Impact

  • Data loss - important files, documents and other data become unusable once encrypted
  • Financial loss - victims are asked to pay a ransom to decrypt the affected files
  • Data exfiltration - stolen data may be released if the ransom is not paid


File Reputation

SHA1                                      Detection/Policy/Rules          Pattern branch/version  Release date / last update
----------------------------------------  ------------------------------  ----------------------  --------------------------
a3e7561de73378b453186a6c33858bf47577d69c  Ransom.Win32.DARKSIDE.SMYAAK-B  16.402.08               2020-12-09T19:41:19Z
7ae73b5e1622049380c9b615ce3b7f636665584b  Ransom.Win32.DARKSIDE.SMYAAK-B  16.402.08               2020-12-09T19:41:19Z
c104056f9a926d27a2082f0510c97b09cb0eb3e5  Ransom.Win32.DARKSIDE.SMYAAK-B  16.402.08               2020-12-09T19:41:19Z
d1dfe82775c1d698dd7861d6dfa1352a74551d35  Ransom.Win32.DARKSIDE.YXAH-THA  16.170.06               2020-08-08T10:37:45Z

Predictive Machine Learning

Detection                     Pattern branch/version
----------------------------  ----------------------
Troj.Win32.TRX.XXPE50FFF036   In-the-Cloud
Troj.Win32.TRX.XXPE50FFF038   In-the-Cloud
Rapid Proliferation           In-the-Cloud

Behavior Monitoring

Pattern branch/version      Release date
--------------------------  ------------
Malware Behavior Blocking   2020

Sandbox Detection

Detection: VAN_RANSOMWARE

TippingPoint DV Filter

Detection: Malware DV Filter 39754

Solution Map - What should customers do?

Solution Map for Darkside

To update Trend Micro products, refer to the corresponding Online Help Center guides.

Recommendation

Always use the latest available pattern so that both old and new variants of Darkside Ransomware are detected.

Implement the ransomware protection features and best practices of your Trend Micro products.

Category: Remove a Malware / Virus
Solution Id: 000286466