CyberGuard's Incident Response (IR) Team has been busy recently and is seeing an increase in Darkside ransomware attacks. Yesterday, BitDefender published a decryptor for Darkside ransomware, which prompted Darkside to acknowledge their mistake and post a response on the news page of their data leak site.
Our team of analysts tried the BitDefender decryptor against a number of data types collected from previous Darkside victims but found it to be very hit and miss. However, we have located another decryptor which appears to have been provided to a previous Darkside victim after paying the ransom. Testing of this decryptor proved much more successful against data encrypted within Windows. Unfortunately, a separate encryptor is used for Linux environments and, from our investigation, it uses a different encryption cipher and RSA key size.
Details for the Darkside Decryptor (Windows)
SHA256: 47eccaaa672667a9cea23e24fd702f7b3a45cbf8585403586be474585fd80243
Careful use of this tool is advised, as its source is unknown and assumed to be the threat actors.
Even when using the above decryptor, believed to be provided by Darkside, we have encountered issues decrypting some files. Further investigation by a member of our threat research team found that the unrecoverable files were missing the checksum hash derived from the encrypted decryption key, so they could not be recovered even with the decryptor provided.
For bulk analysis of an encrypted data set, to estimate the likelihood of successful decryption should the above tool or an equivalent be used, we have compiled the following script to enumerate the data and check for a valid decryption signature.