Win32/Filecoder.DarkSide [Threat Name]

Win32/Filecoder.DarkSide.B [Threat Variant Name]

Category trojan
Size 55296 B
Aliases Trojan-Ransom.Win32.Encoder.lzn (Kaspersky)
  Ransom:Win32/DarkSide.DA (Microsoft)
  Win32:DarkSide-C.[Ransom] (Avast)
  Trojan.Encoder.33763 (Dr.Web)
Short description

Win32/Filecoder.DarkSide.B is a trojan that encrypts files on fixed, removable and network drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Installation

The trojan does not create any copies of itself.


The trojan registers itself as a system service using the following name:

  • %variable%

A string with variable content is used instead of %variable%.

Payload information

Win32/Filecoder.DarkSide.B is a trojan that encrypts files on fixed, removable and network drives.


The trojan launches the following processes:

  • %malwarefilepath% -work worker%num% job%num%-%PID%

The trojan searches for files with the following file extensions:

  • *.*

It avoids files from the following directories:

  • $recycle.bin
  • $windows.~bt
  • $windows.~ws
  • all users
  • appdata
  • application data
  • boot
  • config.msi
  • default
  • google
  • intel
  • mozilla
  • msocache
  • perflogs
  • program files
  • program files (x86)
  • programdata
  • public
  • system volume information
  • tor browser
  • windows
  • windows.old
  • x64dbg

It avoids files with the following filenames:

  • autorun.inf
  • boot.ini
  • bootfont.bin
  • bootsect.bak
  • desktop.ini
  • iconcache.db
  • ntldr
  • ntuser.dat
  • ntuser.dat.log
  • ntuser.ini
  • thumbs.db

It avoids files with the following extensions:

  • .386
  • .adv
  • .ani
  • .bat
  • .bin
  • .cab
  • .cmd
  • .com
  • .cpl
  • .cur
  • .deskthemepack
  • .diagcfg
  • .diagpkg
  • .dll
  • .drv
  • .exe
  • .hlp
  • .hta
  • .icl
  • .icns
  • .ico
  • .ics
  • .idx
  • .key
  • .ldf
  • .lnk
  • .lock
  • .mod
  • .mpa
  • .msc
  • .msi
  • .msp
  • .msstyles
  • .msu
  • .nls
  • .nomedia
  • .ocx
  • .pdb
  • .prf
  • .ps1
  • .rom
  • .rtp
  • .scr
  • .shs
  • .spl
  • .sys
  • .theme
  • .thremepack
  • .wpx

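The three skip lists above together define which files the trojan leaves untouched, which matters during incident response when scoping what was likely encrypted. The following added example (written for this page, not code from the ESET entry or from the malware) models those rules in Python: given file paths recovered from a backup catalogue or a disk image, it reports which would fall inside the encryption scope and which the documented lists protect. Assumptions labelled in the code: a directory entry matches any single path component, comparisons are case-insensitive, and the lists are applied in the order directory, filename, extension; the sample paths are constructed.

```python
"""Added example, not part of the ESET entry: a model of the documented
file-selection rules for incident-response scoping.
Assumptions: a listed directory name matches any single path component,
all comparisons are case-insensitive, and the skip lists are checked in
the order directory, filename, extension."""
from pathlib import PureWindowsPath

# Directory names the trojan avoids (copied from the entry).
SKIPPED_DIRS = {
    "$recycle.bin", "$windows.~bt", "$windows.~ws", "all users", "appdata",
    "application data", "boot", "config.msi", "default", "google", "intel",
    "mozilla", "msocache", "perflogs", "program files", "program files (x86)",
    "programdata", "public", "system volume information", "tor browser",
    "windows", "windows.old", "x64dbg",
}

# Exact filenames the trojan avoids (copied from the entry).
SKIPPED_NAMES = {
    "autorun.inf", "boot.ini", "bootfont.bin", "bootsect.bak", "desktop.ini",
    "iconcache.db", "ntldr", "ntuser.dat", "ntuser.dat.log", "ntuser.ini",
    "thumbs.db",
}

# Extensions the trojan avoids (copied from the entry, ".thremepack" included as listed).
SKIPPED_EXTS = {"." + e for e in """
386 adv ani bat bin cab cmd com cpl cur deskthemepack diagcfg diagpkg dll drv
exe hlp hta icl icns ico ics idx key ldf lnk lock mod mpa msc msi msp msstyles
msu nls nomedia ocx pdb prf ps1 rom rtp scr shs spl sys theme thremepack wpx
""".split()}


def skip_reason(path: str):
    """Return why the documented rules would skip `path`, or None if it is in scope."""
    p = PureWindowsPath(path)
    # parts[0] is the drive or UNC root and parts[-1] the filename; the rest are directories.
    for component in p.parts[1:-1]:
        if component.lower() in SKIPPED_DIRS:
            return f"directory:{component.lower()}"
    name = p.name.lower()
    if name in SKIPPED_NAMES:
        return f"name:{name}"
    ext = p.suffix.lower()
    if ext in SKIPPED_EXTS:
        return f"extension:{ext}"
    return None


def is_in_scope(path: str) -> bool:
    """True when the documented rules would select the file for encryption."""
    return skip_reason(path) is None


def triage(paths):
    """Split paths into those the trojan would encrypt and those it would skip (with reason)."""
    targeted, skipped = [], {}
    for path in paths:
        reason = skip_reason(path)
        if reason is None:
            targeted.append(path)
        else:
            skipped[path] = reason
    return targeted, skipped


# Constructed sample paths, not taken from any real incident.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\alice\Desktop\desktop.ini",
    r"D:\Projects\build\run.exe",
    r"\\fileserver\share\finance\report.docx",
    r"C:\Users\alice\Pictures\photo.JPG",
]

if __name__ == "__main__":
    targeted, skipped = triage(SAMPLE_PATHS)
    for path in targeted:
        print("in scope :", path)
    for path, reason in skipped.items():
        print("skipped  :", path, "(", reason, ")")
```

Files that end up under `skipped` are the ones an analyst should expect to find intact on the host; everything in `targeted` should be verified against backups. Because extension matching is by the final suffix only, a file such as `report.docx.bak` would be in scope, while `ntuser.dat.log` is caught by the filename list rather than the extension list.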
The trojan encrypts the file content.


The Salsa20 encryption algorithm is used.


An additional .%variable% extension is appended.


The following file is dropped in the same folder:

  • README.%variable%.TXT

It contains the following text:

----------- [ Welcome to DarkSide ] ------------->

What happend?
----------------------------------------------
Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data.
But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network.
Follow our instructions below and you will recover all your data.

What guarantees?
----------------------------------------------
We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests.
All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems.
We guarantee to decrypt one file for free. Go to the site and contact us.

How to get access on website?
----------------------------------------------
Using a TOR browser:
1) Download and install TOR browser from this site: https://[%redacted%]
2) Open our website: http://[%redacted%]

When you open our website, put the following data in the input form:
Key:
[%redacted%]

!!! DANGER !!!
DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.
!!! DANGER !!!

A string with variable content is used instead of %variable%.


To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Information stealing

Win32/Filecoder.DarkSide.B is a trojan that steals sensitive information.


The trojan collects the following information:

  • user name
  • computer name
  • operating system version
  • language settings
  • disks

The trojan attempts to send gathered information to a remote machine.


The trojan contains a list of (2) URLs. The HTTP protocol is used.

Other information

The trojan may terminate specific running processes.


The following services are disabled:

  • backup
  • GxBlr
  • GxCIMgr
  • GxCVD
  • GxFWD
  • GxVss
  • memtas
  • mepocs
  • sophos
  • sql
  • svc$
  • veeam
  • vss

The trojan searches for files with the following names:

  • *recycle*

The trojan then deletes the found files.


The trojan may set the following Registry entries:

  • [HKEY_CLASSES_ROOT\.%variable%]
    • "" = "%variable%"
  • [HKEY_CLASSES_ROOT\%variable%\DefaultIcon]
    • "" = "%commonappdata%\%variable%.ico"

The following files may be dropped:

  • %commonappdata%\%variable%.ico

The trojan may set the following Registry entries:

  • [HKEY_USERS\%SID%\Control Panel\Desktop]
    • "WallPaper" = "%commonappdata%\%variable%.bmp"
    • "WallpaperStyle" = "10"

The following files may be dropped:

  • %commonappdata%\%variable%.bmp

This file/image is set as a wallpaper.


A string with variable content is used instead of %variable%.

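Three of the behaviours documented on this page leave host telemetry a defender can alert on: the worker process command line (`%malwarefilepath% -work worker%num% job%num%-%PID%`), the burst of service disabling against the listed backup, database and security service names, and the WallPaper registry value being pointed at a .bmp in the common application-data folder. The following added example (written for this page; not code from the ESET entry, ESET, or the malware) runs that detection logic over constructed events. The event shape is an assumed, simplified normalisation of Windows System log event 7040 (service start type changed) and Sysmon event IDs 1 (process creation) and 13 (registry value set); the threshold of three distinct listed services per host, the substring matching of the service names, and the resolution of %commonappdata% to C:\ProgramData are assumptions, and the events are constructed, not real log exports.

```python
"""Added example, not part of the ESET entry: detection rules for three
behaviours the entry documents, run over constructed host telemetry.
Assumed event shape: dicts normalised from System log 7040 and Sysmon
event IDs 1 and 13 (constructed, not real exports)."""
import re
from collections import defaultdict

# Service names the entry lists as disabled; matched as case-insensitive
# substrings of the real service name (assumption).
DISABLED_SERVICE_PATTERNS = [
    "backup", "gxblr", "gxcimgr", "gxcvd", "gxfwd", "gxvss", "memtas",
    "mepocs", "sophos", "sql", "svc$", "veeam", "vss",
]
# Worker command line from the entry: <path> -work worker<n> job<n>-<pid>
WORKER_CMDLINE = re.compile(r"\s-work\s+worker\d+\s+job\d+-\d+\s*$", re.IGNORECASE)
# Registry value from the entry: HKEY_USERS\<SID>\Control Panel\Desktop\WallPaper
WALLPAPER_KEY = re.compile(r"\\Control Panel\\Desktop\\WallPaper$", re.IGNORECASE)
# %commonappdata% assumed to resolve to C:\ProgramData; value is a .bmp directly inside it.
COMMONAPPDATA_BMP = re.compile(r"^[a-z]:\\ProgramData\\[^\\]+\.bmp$", re.IGNORECASE)
# Assumption: one disabled backup service is routine, three or more on one host is not.
SERVICE_BURST_THRESHOLD = 3


def matches_service_list(service_name: str) -> bool:
    """True when the service name contains any of the listed names."""
    lowered = service_name.lower()
    return any(pattern in lowered for pattern in DISABLED_SERVICE_PATTERNS)


def detect(events):
    """Return (host, rule, evidence) tuples for the documented behaviours."""
    alerts = []
    disabled_by_host = defaultdict(set)
    for ev in events:
        src, eid, host = ev["source"], ev["event_id"], ev["host"]
        if src == "sysmon" and eid == 1 and WORKER_CMDLINE.search(ev["command_line"]):
            alerts.append((host, "worker_process", ev["command_line"]))
        elif (src == "sysmon" and eid == 13
              and WALLPAPER_KEY.search(ev["target_object"])
              and COMMONAPPDATA_BMP.match(ev["details"])):
            alerts.append((host, "wallpaper_set", ev["details"]))
        elif (src == "system" and eid == 7040
              and ev["new_start_type"].lower() == "disabled"
              and matches_service_list(ev["service_name"])):
            disabled_by_host[host].add(ev["service_name"].lower())
    # Aggregate the service events per host so a single routine change does not alert.
    for host, names in sorted(disabled_by_host.items()):
        if len(names) >= SERVICE_BURST_THRESHOLD:
            alerts.append((host, "service_disable_burst", ",".join(sorted(names))))
    return alerts


SID = r"S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID
# Constructed sample events: WS01 shows all three behaviours, WS02 only benign noise.
SAMPLE_EVENTS = [
    {"source": "sysmon", "event_id": 1, "host": "WS01",
     "command_line": r"C:\Users\alice\Downloads\setup.exe /quiet"},
    {"source": "sysmon", "event_id": 1, "host": "WS01",
     "command_line": r"C:\Users\alice\AppData\Local\Temp\update.exe -work worker3 job17-4120"},
    {"source": "system", "event_id": 7040, "host": "WS01",
     "service_name": "VSS", "new_start_type": "disabled"},
    {"source": "system", "event_id": 7040, "host": "WS01",
     "service_name": "VeeamBackupSvc", "new_start_type": "disabled"},
    {"source": "system", "event_id": 7040, "host": "WS01",
     "service_name": "MSSQLSERVER", "new_start_type": "disabled"},
    {"source": "system", "event_id": 7040, "host": "WS02",
     "service_name": "Spooler", "new_start_type": "disabled"},
    {"source": "system", "event_id": 7040, "host": "WS02",
     "service_name": "VSS", "new_start_type": "disabled"},
    {"source": "sysmon", "event_id": 13, "host": "WS01",
     "target_object": "HKU\\" + SID + r"\Control Panel\Desktop\WallPaper",
     "details": r"C:\ProgramData\a1b2c3d4.bmp"},
    {"source": "sysmon", "event_id": 13, "host": "WS02",
     "target_object": "HKU\\" + SID + r"\Control Panel\Desktop\WallPaper",
     "details": r"C:\Users\bob\Pictures\beach.jpg"},
]

if __name__ == "__main__":
    for host, rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {evidence}")
```

The per-host aggregation is the part worth keeping when adapting this to a real SIEM: a lone 7040 for VSS is common administrative noise, whereas the entry's behaviour is a sweep across backup, database and endpoint-security services in quick succession. The wallpaper and worker-process rules are specific enough to fire on a single event.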

The trojan may remove itself from the infected computer.
