DarkSide is a Ransomware-as-a-Service (RaaS) group that offers its own brand of malware to customers on a subscription basis. The ransomware is currently in version 2.
According to IBM X-Force, the malware, once deployed, steals data, encrypts systems using the Salsa20 and RSA-1024 algorithms, and executes an encoded PowerShell command to delete volume shadow copies.
SecureWorks tracks the group as Gold Waterfall and assesses it to be a Russian-speaking former affiliate of the REvil ransomware RaaS service.
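The shadow-copy deletion step described above is a common detection opportunity, since it normally surfaces as a process-creation event with an encoded PowerShell argument. The following Python snippet is an added example, not code from the article or from any of the vendors it names: it decodes PowerShell `-EncodedCommand` payloads (Base64 over UTF-16LE) found in command lines and flags those that delete Volume Shadow Copies. The event format (one command-line string per event) and all sample events are constructed for the example.

```python
"""Detect encoded PowerShell commands that delete Volume Shadow Copies.

Added example for illustration; the log format and sample events below are
constructed, not real telemetry.
"""
import base64
import re
from typing import Optional

# PowerShell accepts several abbreviations of -EncodedCommand; capture the
# Base64 argument that follows any of them.
ENCODED_FLAG = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)

# Indicators of shadow-copy deletion (MITRE ATT&CK T1490, Inhibit System Recovery).
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
    re.compile(r"Win32_ShadowCopy", re.IGNORECASE),
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if cmdline carries -EncodedCommand, else None.

    PowerShell expects Base64 over UTF-16LE text, so both layers are undone.
    Malformed payloads (bad Base64, odd byte count) yield None instead of raising.
    """
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        return raw.decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error subclasses ValueError
        return None


def is_shadow_copy_deletion(text: str) -> bool:
    """True if any shadow-copy deletion indicator appears in the text."""
    return any(pattern.search(text) for pattern in SHADOW_COPY_PATTERNS)


def analyze_event(cmdline: str) -> dict:
    """Classify one command line, inspecting both the raw line and any decoded payload."""
    decoded = decode_encoded_command(cmdline)
    flagged = is_shadow_copy_deletion(cmdline) or (
        decoded is not None and is_shadow_copy_deletion(decoded)
    )
    return {"encoded": decoded is not None, "decoded": decoded, "shadow_copy_deletion": flagged}


def _encode(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects (sample data only)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample events: name -> process command line.
SAMPLE_EVENTS = {
    "benign_plain": 'powershell.exe -NoProfile -Command "Get-Date"',
    "benign_encoded": "powershell.exe -NoProfile -EncodedCommand "
    + _encode("Get-Process | Sort-Object CPU"),
    "vss_plain": "cmd.exe /c vssadmin.exe delete shadows /all /quiet",
    "vss_encoded": "powershell.exe -ExecutionPolicy Bypass -enc "
    + _encode("Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"),
    "garbage_encoded": "powershell.exe -enc AAA",  # invalid padding, must not crash
}


def scan(events: dict) -> dict:
    """Run analyze_event over a name -> command-line mapping."""
    return {name: analyze_event(cmd) for name, cmd in events.items()}


if __name__ == "__main__":
    for name, result in scan(SAMPLE_EVENTS).items():
        label = "ALERT" if result["shadow_copy_deletion"] else "ok   "
        print(f"{label} {name}: {result['decoded'] or '(not encoded)'}")
```

The decoder deliberately returns `None` on malformed input so a single corrupt event cannot stall a log pipeline, and the raw command line is matched as well as the decoded payload so plain `vssadmin` invocations are caught too.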
A decryptor for DarkSide malware on Windows machines was released by Bitdefender in January 2021. In response, the group said the decryptor was based on a key previously purchased and may no longer work as "this problem has been fixed."
Bitdefender told ZDNet that the decryption tool, unfortunately, does not work with the latest version of DarkSide malware.
"We're constantly working on new versions of our tools as cybercriminals fix vulnerabilities that make decryption possible," the firm added.
While believed to be relatively new to the ransomware scene, first spotted in the summer of 2020, DarkSide has already created a leak website used in double-extortion campaigns, in which victim companies are not only locked out of their systems, but also have their information stolen.
If these organizations refuse to pay up, stolen data may be published on the platform and made available to the public.
DarkSide is not content just to make money from ransom demands, however: the group has indicated it will happily work with competitors or investors before leaks are published.
"If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares," the group says.
Perhaps unusually, however, DarkSide also appears to be trying to cultivate a Robin Hood and good-guy image -- stealing from the rich (the so-called 'big game' targets) and giving a portion of the criminal proceeds to charity.
Charities that were reportedly offered donations in stolen Bitcoin (BTC) have so far refused to accept them.
The RaaS operators have also tried to distance themselves from the Colonial Pipeline incident by vaguely implying that a customer was at fault and that the cyberattack does not fit the DarkSide ethos.
"We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives," DarkSide said on May 10. "Our goal is to make money, and not creating problems for society. We [will] introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future."
FireEye has released the results of an investigation into DarkSide affiliates. Sophos says it has been called in at least five times to deal with suspected DarkSide infections and has published research on the group's typical attack methods and tools.