forked from splunk/security_content
darkside_ransomware.yml
name: DarkSide Ransomware
id: 507edc74-13d5-4339-878e-b9114ded1f35
version: 1
date: '2021-05-12'
author: Bhavin Patel, Splunk
description: Leverage searches that allow you to detect and investigate unusual activities
  that might relate to the DarkSide Ransomware
narrative: This story addresses DarkSide ransomware. This ransomware payload has many
  similarities to common ransomware; however, there are certain items particular to
  it. These include the creation of a .TXT log that lists every item being encrypted, as
  well as the creation of ransom notes and files that carry a machine ID derived from
  the CRC32 checksum algorithm. This ransomware payload leaves machines at a minimal
  level of operation, enough to browse the attackers' websites. A customized URI with
  leaked information is presented to each victim. This is the ransomware payload that
  shut down the Colonial Pipeline. The story is composed of several detection searches
  covering items shared with other ransomware payloads and those particular to the
  DarkSide payload.
references:
- https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.htmlbig-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
- https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations
tags:
  category:
  - Malware
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection
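As an added example, not code from the splunk/security_content repository: a small Python triage over constructed file-creation events that looks for the two items the narrative calls out from one process, a single appended 8-hex-digit extension across many files and .TXT files (the encryption log and ransom notes). The hostname as the CRC32 input is an assumption of this example; the story does not say what the machine ID is computed from.

```python
import re
import zlib
from collections import defaultdict


def crc32_hex(data: bytes) -> str:
    """8-hex-digit CRC32, the shape of the machine ID the narrative describes."""
    return f"{zlib.crc32(data) & 0xffffffff:08x}"


# Constructed sample events (host, process, created path); not real telemetry.
# Assumption: the victim id is CRC32 of the hostname (the story does not state the input).
_TOKEN = crc32_hex(b"WS01")
SAMPLE_EVENTS = [
    ("WS01", "svchost.exe", r"C:\Windows\Temp\cache.tmp"),
    ("WS01", "updater.exe", rf"C:\Users\alice\Documents\q1.docx.{_TOKEN}"),
    ("WS01", "updater.exe", rf"C:\Users\alice\Documents\q2.xlsx.{_TOKEN}"),
    ("WS01", "updater.exe", rf"C:\Users\alice\Pictures\p1.jpg.{_TOKEN}"),
    ("WS01", "updater.exe", rf"C:\Users\alice\Desktop\README.{_TOKEN}.TXT"),
    ("WS01", "updater.exe", rf"C:\ProgramData\LOG.{_TOKEN}.TXT"),
    ("WS02", "backup.exe", r"D:\backups\2021-05-12.zip"),
]

HEX_EXT = re.compile(r"\.([0-9a-f]{8})$", re.IGNORECASE)


def find_darkside_like_activity(events, min_renamed=3):
    """Return {(host, process): info} for processes that both append one
    8-hex-digit extension to several files and create .TXT files (log / note)."""
    per_proc = defaultdict(lambda: {"tokens": defaultdict(int), "txt": []})
    for host, proc, path in events:
        entry = per_proc[(host, proc)]
        m = HEX_EXT.search(path)
        if m:
            entry["tokens"][m.group(1).lower()] += 1
        elif path.upper().endswith(".TXT"):
            entry["txt"].append(path)
    hits = {}
    for key, entry in per_proc.items():
        for token, n in entry["tokens"].items():
            if n >= min_renamed and entry["txt"]:
                hits[key] = {
                    "machine_id": token,
                    "renamed": n,
                    "txt_files": entry["txt"],
                    # True when the appended token equals CRC32(hostname), the assumed seed.
                    "id_matches_hostname_crc32": token == crc32_hex(key[0].encode()),
                }
    return hits


if __name__ == "__main__":
    for (host, proc), info in find_darkside_like_activity(SAMPLE_EVENTS).items():
        print(host, proc, info)
```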