What Is DarkSide Ransomware?
How Does DarkSide Ransomware Operate? DarkSide Ransomware Removal & Decryption.
DarkSide is a ransomware program that began attacking organizations worldwide in August 2020. Originally discovered by MalwareHunterTeam, DarkSide ransomware is described as a high-risk ransomware-type virus that seems to be operated by former affiliates of other ransomware campaigns.
The group announced itself through a ‘press release’, as reported by BleepingComputer, and has already collected million-dollar payments from its attacks.
According to Bleeping Computer, DarkSide threat actors stated:
We are a new product on the market, but that does not mean that we have no experience and we came from nowhere. We received millions of dollars profit by partnering with other well-known cryptolockers. We created DarkSide because we didn’t find the perfect product for us. Now we have it.
How Does DarkSide Ransomware Operate?
DarkSide operates as Ransomware-as-a-Service (RaaS): the proceeds are split between the operators and their partners, or affiliates, who gain entry to companies and execute the ransomware. The DarkSide gang keeps around 25% of a ransom payment, and the rest goes to the affiliate who organized the attack.
Like other threats used in targeted cyberattacks, DarkSide not only encrypts the victim’s data but also exfiltrates data from the affected servers.
The encrypted files can be of any type: audio files, videos, photos, archives, office documents, etc. Once encrypted, the affected files can no longer be opened. The malware also appends the .DarkSide extension to these files.
A ransom note named README.xxxxxxx.TXT is then created, describing what happened and the cost of the ransom.
This is how the attackers pressure the victim into paying the requested ransom.
The note below contains addresses where the victims can reach out to the criminals, but they don’t specify how much money the users should pay. It’s usually a few hundred dollars. It is not recommended to pay the ransom since you can’t be sure you’ll recover your files afterward.
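An added example, not code from the article or from Heimdal, that triages a directory tree for the two on-disk artifacts described above: files carrying the appended .DarkSide extension and the README.xxxxxxx.TXT ransom note. The function name, parameter names and the sample directory are assumptions for illustration; the identifier in the note name is assumed to be alphanumeric, matching the “xxxxxxx” placeholder in the text.

```powershell
# Added example (not Heimdal's or DarkSide's code): inventory the artifacts the
# article describes so an incident responder can size the damage quickly.
# Function name, parameters and the constructed sample tree are assumptions.
function Find-DarkSideArtifacts {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Extension appended to encrypted files, per the article.
        [string] $EncryptedExtension = '.DarkSide',
        # Ransom note name pattern README.<identifier>.TXT; the identifier is
        # assumed to be alphanumeric (the "xxxxxxx" placeholder in the text).
        [string] $NotePattern = '^README\.[A-Za-z0-9]+\.TXT$'
    )

    $files = @(Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue)

    # Encrypted files keep their original extension in the base name
    # (e.g. "report.docx.DarkSide"), so recover it for the summary.
    $encrypted = @($files | Where-Object { $_.Name -like "*$EncryptedExtension" })
    $originalExtensions = $encrypted |
        ForEach-Object { [System.IO.Path]::GetExtension($_.BaseName).ToLowerInvariant() } |
        Where-Object { $_ } |
        Group-Object |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Name, Count

    # The article says a note is dropped in every folder, so the set of
    # directories holding a note or an encrypted file approximates the blast radius.
    $notes = @($files | Where-Object { $_.Name -match $NotePattern })
    $affectedDirs = @(($encrypted + $notes) | ForEach-Object { $_.DirectoryName } | Sort-Object -Unique)

    [pscustomobject]@{
        ScannedFiles       = $files.Count
        EncryptedFiles     = $encrypted.Count
        RansomNotes        = $notes.Count
        AffectedFolders    = $affectedDirs.Count
        OriginalExtensions = $originalExtensions
        EarliestNote       = ($notes | Sort-Object CreationTimeUtc | Select-Object -First 1).CreationTimeUtc
        EncryptedPaths     = @($encrypted.FullName)
        NotePaths          = @($notes.FullName)
    }
}

# Constructed sample tree so the function can be exercised offline; the file
# contents are placeholders, not real encrypted data or a real ransom note.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) ('darkside-triage-' + [guid]::NewGuid())
$fin = Join-Path $sample 'Finance'
$pho = Join-Path $sample 'Photos'
New-Item -ItemType Directory -Path $fin -Force | Out-Null
New-Item -ItemType Directory -Path $pho -Force | Out-Null
Set-Content -Path (Join-Path $fin 'Q3.xlsx.DarkSide')     -Value 'placeholder'
Set-Content -Path (Join-Path $fin 'budget.docx.DarkSide') -Value 'placeholder'
Set-Content -Path (Join-Path $fin 'README.a1b2c3d.TXT')   -Value 'placeholder note'
Set-Content -Path (Join-Path $pho 'trip.jpg.DarkSide')    -Value 'placeholder'
Set-Content -Path (Join-Path $pho 'README.a1b2c3d.TXT')   -Value 'placeholder note'
Set-Content -Path (Join-Path $sample 'notes.txt')         -Value 'untouched file'

$result = Find-DarkSideArtifacts -Path $sample
$result | Format-List

Remove-Item -Path $sample -Recurse -Force
```

On the constructed tree the summary reports 3 encrypted files, 2 ransom notes, 2 affected folders and one file each of .xlsx, .docx and .jpg; on a real host, point `-Path` at the shares and user profiles and keep the `EncryptedPaths` list as the scope for restoration from backup.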
What sets DarkSide apart from Maze or Clop ransomware, for example, is that DarkSide presents itself as having a code of conduct, stating that certain sectors are off limits, including government, medicine, non-profits, and education.
According to the group, before attacking an organization they review its finances to make sure the enterprise can afford to pay the ransom, as they do not “want to kill your business.”
DarkSide also stated that it would decrypt one test file, provide the necessary decryption support after the ransom is paid, and delete all stolen data uploaded to the Dark Web.
If the victims fail to pay the requested ransom, the hackers threaten to make public all data, keep it saved for at least six months and inform the media, clients, and partners of the attack.
How Can You Get Infected With DarkSide Ransomware?
To compromise a system, the DarkSide payload needs the victim to run it, so it is typically disguised as a legitimate document on the target computer.
Such files often arrive by email, posing as legitimate PDF documents, bills, invoices, and the like.
Threat actors frequently send emails containing harmful website links or attachments in their attempt to trick potential victims into opening the malicious file. Once opened, the malware installation begins.
Victims are also tricked into compromising their devices through peer-to-peer networks such as torrent clients, third-party downloaders, installers, freeware download websites, free file hosting websites, and similar sources. When users download and run a malicious file, their computer is infected immediately.
Malware is also installed unintentionally through fake software updaters, which either exploit vulnerabilities in outdated software or simply install malicious programs instead of the promised updates and fixes.
DarkSide Ransomware Removal & Decryption
DarkSide ransomware is a very dangerous malware created to encrypt files such as photos, audio, videos, documents, etc., and make them impossible to access.
After the encryption process, it drops the ransom note in every folder on your device, claiming that decryption is possible only through its “data recovery service.”
This is the moment when you need to remove DarkSide ransomware and all its linked components from the affected PCs immediately and then carry out data recovery. Here are some ransomware removal methods that might help.
- DarkSide ransomware removal with “Safe Mode with Networking”
  - Restart your PC and press “F8” until you see the “Advanced Boot Options” window
  - From the list, select “Safe Mode with Networking”
  - Log in to the account affected by the DarkSide ransomware infection
  - Open your internet browser and download reputable anti-malware software.
  - Update the anti-malware software and start a “Full Scan” to remove all programs connected to DarkSide ransomware from your device.
- DarkSide ransomware removal using “Safe Mode with Command Prompt” and “System Restore”
  - Restart your computer and press “F8” until you see the “Windows Advanced Options” menu
  - Choose the “Safe Mode with Command Prompt” option
  - Type the “cd restore” command in the Command Prompt and press “Enter” to run it
  - Next, type the “rstrui.exe” command and press “Enter” again
  - The “System Restore” window will appear once the “rstrui.exe” command is executed
  - Click the “Next” button
  - Choose a restore point and click “Next”
  - In the confirmation dialog box, click “Yes” to begin the “System Restore” process
After restoring your computer to an earlier restore point, the next step is to install strong anti-malware software and scan your device to make sure no remaining malicious programs linked to DarkSide ransomware are left behind.
If you want to try to recover the encrypted files yourself, take a look at the following options. Keep in mind that they might not work.
- ShadowExplorer is a free program that lets you browse the Shadow Copies created by Windows itself. If Shadow Copies are available, you can use ShadowExplorer to restore entire folders or individual files from them. Most advanced ransomware is aware of Shadow Copies and deletes them, so there is a high probability that this won’t work.
- Recuva is another free program that can help you recover lost files. It can recover from any rewritable media you have: memory cards, external hard drives, USB sticks, and more. This program might not work against the more advanced ransomware.
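Before trying the System Restore route from the removal steps or the ShadowExplorer route just described, it helps to know whether either has anything left to work with. The following is an added example, not code from the article; the function name and output shape are assumptions. It uses the built-in Get-ComputerRestorePoint cmdlet and the Win32_ShadowCopy and Win32_Volume CIM classes, and must run in an elevated Windows PowerShell session on Windows.

```powershell
# Added example (not from the article): inventory the recovery material the two
# "might not work" options depend on. Function name and output are assumptions.
function Get-RecoveryInventory {
    [CmdletBinding()]
    param(
        # Drive letters whose Volume Shadow Copies should be listed.
        [string[]] $Drive = @('C:')
    )

    # System Restore points are what rstrui.exe offers at the "restore point" step.
    $restorePoints = @()
    try {
        $restorePoints = @(Get-ComputerRestorePoint -ErrorAction Stop |
            Select-Object SequenceNumber, Description, RestorePointType,
                @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } })
    } catch {
        Write-Warning "Could not enumerate restore points: $($_.Exception.Message)"
    }

    # Volume Shadow Copies are what ShadowExplorer reads. Ransomware that deletes
    # them leaves this list empty, which is the failure mode the article warns about.
    $shadows = @()
    try {
        $volumes = @(Get-CimInstance -ClassName Win32_Volume -ErrorAction Stop |
            Where-Object { $_.DriveLetter -in $Drive })
        $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop |
            Where-Object { $_.VolumeName -in $volumes.DeviceID } |
            Select-Object ID, InstallDate, VolumeName, DeviceObject)
    } catch {
        Write-Warning "Could not enumerate shadow copies: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        RestorePointCount       = $restorePoints.Count
        RestorePoints           = $restorePoints
        ShadowCopyCount         = $shadows.Count
        ShadowCopies            = $shadows
        # Both lists empty means the only remaining route is an offline backup.
        RecoverySourceAvailable = ($restorePoints.Count -gt 0) -or ($shadows.Count -gt 0)
    }
}

Get-RecoveryInventory -Drive 'C:' | Format-List
```

If `RecoverySourceAvailable` is false, skip straight to restoring from backups rather than spending incident time on the two tools above.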
Also note that Windows 10’s “Fall Creators Update” introduced a “Controlled Folder Access” feature that blocks unauthorized encryption of files. With the feature turned on, any files stored in locations such as the “Documents”, “Pictures”, “Music” and “Videos” folders are protected by default.
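The following added example, not code from the article, shows how to turn Controlled Folder Access on with the Microsoft Defender cmdlets (Get-MpPreference, Set-MpPreference, Add-MpPreference), staging it through audit mode so that a legitimate application that rewrites protected files shows up in the event log before it is actually blocked. The function name, the extra folder and the allowed application path are placeholders; it requires an elevated session on Windows 10 1709 or later with Microsoft Defender Antivirus active.

```powershell
# Added example (not from the article): enable Controlled Folder Access in two
# stages. Function name, folder and application paths are placeholders.
function Set-ControlledFolderAccessBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Folders to protect beyond the Windows defaults (Documents, Pictures, ...).
        [string[]] $ExtraProtectedFolder = @(),
        # Applications that legitimately rewrite files in protected folders,
        # e.g. a backup agent; placeholder paths here.
        [string[]] $AllowedApplication = @(),
        # Start in AuditMode, switch to Enabled once the audit log is clean.
        [ValidateSet('AuditMode', 'Enabled')]
        [string] $Mode = 'AuditMode'
    )

    # EnableControlledFolderAccess is reported numerically; map it to a name.
    $names = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
    $before = Get-MpPreference
    Write-Verbose ("Controlled Folder Access before: {0}" -f $names[[int]$before.EnableControlledFolderAccess])

    foreach ($folder in $ExtraProtectedFolder) {
        if ($PSCmdlet.ShouldProcess($folder, 'Add protected folder')) {
            Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
        }
    }
    foreach ($app in $AllowedApplication) {
        if ($PSCmdlet.ShouldProcess($app, 'Allow application')) {
            Add-MpPreference -ControlledFolderAccessAllowedApplications $app
        }
    }
    if ($PSCmdlet.ShouldProcess('Controlled Folder Access', "Set mode $Mode")) {
        Set-MpPreference -EnableControlledFolderAccess $Mode
    }

    $after = Get-MpPreference
    [pscustomobject]@{
        Mode             = $names[[int]$after.EnableControlledFolderAccess]
        ProtectedFolders = $after.ControlledFolderAccessProtectedFolders
        AllowedApps      = $after.ControlledFolderAccessAllowedApplications
    }
}

# Stage 1: audit only. Writes that would have been blocked are logged in
# Microsoft-Windows-Windows Defender/Operational as event 1124; real blocks are 1123.
Set-ControlledFolderAccessBaseline -Mode AuditMode `
    -ExtraProtectedFolder 'D:\Shares\Finance' `
    -AllowedApplication 'C:\Program Files\ExampleBackup\agent.exe' -Verbose

# Stage 2: after reviewing the 1124 events for false positives, enforce.
# Set-ControlledFolderAccessBaseline -Mode Enabled
```

Audit mode first matters because Controlled Folder Access blocks every application not on the allow list or not trusted by Defender, including backup and sync agents; enforcing without the audit pass is how the control ends up disabled again by frustrated users.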
As we always say, the best way to stay safe from ransomware damage is to maintain regularly updated backups. It is also advisable to use a powerful anti-malware tool for real-time protection.