DarkSide ransomware is highly selective and targeted toward its victims. Its victims are business users and enterprise data: it encrypts their data with Salsa20 + RSA-1024 and then demands a multi-million dollar ransom in BTC to get the files back. Before mounting an attack, DarkSide creates a custom ransomware executable built for the specific company they are attacking. When executed, the ransomware runs a PowerShell command that deletes Shadow Volume Copies on the system so that they cannot be used to recover files. It then terminates database, office application and email client processes to prepare the machine for encryption. Oddly, it leaves the TeamViewer process running, which may be used for remote access later.
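The shadow-copy deletion step described above is the behaviour most defenders alert on. The following is an added detection example, not code from the original page or from any DarkSide sample: it runs generic shadow-copy-deletion indicators over constructed process-creation events (the exact PowerShell command DarkSide uses is not given on the page, so the patterns are assumed, well-known indicators of that action, and the event format is an assumption).

```python
import json
import re

# Indicators of Volume Shadow Copy removal. The page states only that DarkSide
# runs a PowerShell command to delete shadow copies; the exact command is not
# on the page, so these are assumed, generic indicators of that action.
SHADOW_COPY_DELETION = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*\.delete\s*\(", re.I | re.S),
]

# Constructed process-creation events (JSON lines), not real telemetry.
SAMPLE_EVENTS = """
{"host": "fs01", "pid": 4120, "image": "powershell.exe", "cmd": "powershell -ep bypass -c \\"Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}\\""}
{"host": "fs01", "pid": 4133, "image": "vssadmin.exe", "cmd": "vssadmin list shadows"}
{"host": "ws07", "pid": 988, "image": "cmd.exe", "cmd": "cmd /c vssadmin delete shadows /all /quiet"}
{"host": "ws07", "pid": 1002, "image": "TeamViewer.exe", "cmd": "TeamViewer.exe"}
""".strip().splitlines()


def matches_shadow_copy_deletion(command: str):
    """Return the pattern source that fired on the command line, or None.
    Listing shadow copies is benign; only deletion patterns match."""
    for pattern in SHADOW_COPY_DELETION:
        if pattern.search(command):
            return pattern.pattern
    return None


def flag_events(lines):
    """Parse JSON-line events and return those showing shadow-copy deletion."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        hit = matches_shadow_copy_deletion(event.get("cmd", ""))
        if hit:
            alerts.append({"host": event["host"], "pid": event["pid"],
                           "image": event["image"], "indicator": hit})
    return alerts


if __name__ == "__main__":
    for alert in flag_events(SAMPLE_EVENTS):
        print(f"ALERT {alert['host']} pid={alert['pid']} {alert['image']}: {alert['indicator']}")
```

Two of the four constructed events are flagged (the PowerShell WMI deletion and the vssadmin deletion); the listing command and TeamViewer are not.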
DarkSide has similarities with REvil Ransomware. It also does not infect systems whose locale is that of a CIS country, another trait it shares with REvil Ransomware and GandCrab Ransomware.
DarkSide operators moved their distributed backup system to Iran to store data stolen from their victims.
DarkSide Ransomware Signatures
DarkSide Ransomware Download