In January, cybersecurity firm Bitdefender had released a free tool to help victims of the DarkSide ransomware recover their encrypted files for free. However, this did not deter the spirit of the operators and they are back with a new set of threats and attacks.


  • DarkSide is a Ransomware-as-a-Service (RaaS) that has been active since August 2020.
  • As a part of the modus operandi, the group operated the ransomware through ads posted on cybercrime forums. Eventually, it used a well-established RaaS model to partner with other cybercrime groups.
  • The primary targets of the ransomware include companies in the professional services and manufacturing sectors.

Did the release of decryptor lead to DarkSide shutdown?

  • No, it didn’t seem so. In March, threat intelligence experts warned of a new version of the ransomware that featured a faster encryption process, VoIP calling, and modules to target virtual machines.
  • Moreover, DarkSide 2.0 featured multithreading capabilities in both Windows and Linux versions. While the Windows version encrypted files faster than any other RaaS model, the Linux version targeted VMware ESXi vulnerabilities to hijack virtual machines and encrypt their virtual hard drives.
  • Furthermore, the ransomware variant has also been designed to target NAS devices, including Synology and OMV.

What other changes did the gang implement?

  • Not content with its victim-pressuring tactics, the DarkSide gang forged ahead with DarkSide Leaks to increase the chance of receiving ransom payments.
  • According to a report from Kaspersky, the gang leverages the media and engages with journalists to give updates on upcoming leaks.
  • Apart from the ransom demand made against the decryption key, the gang persuades reluctant victims to pay the ransom by falsely claiming that it would go toward donations.
  • To make it worse, the gang has started taking aim at companies listed on NASDAQ or other stock markets. This unprecedented extortion tactic can have a negative impact on targeted companies’ stock prices.

Final words

Supposedly run by former affiliates of other ransomware campaigns, the DarkSide ransomware group has a code of conduct that implies that it will not attack hospitals, schools, and government organizations. Nevertheless, this does not make it any less of a threat. With large organizations being a part of its list of targets, the ever-evolving ransomware gang will continue to seek out new avenues to rake in profits and ratchet up pressure on victims.

Cyware Publisher