Antivirus company BitDefender has released a decryptor for victims of the DarkSide ransomware gang.
The decryptor was publicly posted on the BitDefender website Jan. 11 and is available for download to all. It can be used by current victims to unlock their systems and data without having to pay a ransom. According to a short blog included with the release, the tool automatically scans and searches for file extensions associated with the encrypted files and decrypts them.
In response to a follow-up inquiry from SC Media, BitDefender said the decryptor works on all DarkSide infections. Relatively new on the scene, (the group first emerged in August 2020), DarkSide operators are among a host of groups that have emerged over the past year vying for dominance in the ransomware market.
“After the demise of GandCrab, players in the ransomware space have been fighting for supremacy and affiliates,” said BitDefender Threat Research Director Bogdan Botezatu in an emailed statement. “DarkSide is one such competitor, and although it is relatively new, it has already successfully managed to infect multiple targets and stay relevant.”
The group operates as ransomware-as-a-service, selling or leasing customized versions of their malware to other partners to use in their own attacks. According to Digital Shadows, the group uses “a highly targeted approach” to selecting victims, carefully crafts custom code for each target and uses sophisticated, almost corporate-like methods of communication during attacks.
Just how much the release of the decryptor ends up setting back DarkSide operations is not clear. Its utility would be most relevant for current victims and those who previously declined to pay the ransom. Even then, while decrypting locked data removes one form of leverage these groups have over companies, if they also exfiltrated before deploying the ransomware, it wouldn’t do anything to stop them from leaking that same data to the public, a common tactic that DarkSide and other groups use to further up the pressure on companies to pay.
“Just like most modern ransomware, its operators are attempting to exfiltrate confidential data prior to encryption and uses it to blackmail the victim,” said Botezatu. “This tactic once again shows how important layered defenses and managed detection and remediation services are to businesses of all sizes.”
John Bambenek, President of cybersecurity investigation firm Bambenek Consulting, told SC Media that public release of decryptors can be a helpful tool to some but that their utility usually decreases over time as groups like DarkSide react and adapt to the exposure.
Like a breached company, DarkSide may have to undergo its own investigation efforts to determine how their encryption keys were obtained and whether the theft was tied to any ongoing security failure in their IT infrastructure. Such work is largely about “figuring out what the decryptor does, if it defeats some kind of flaw” in the group’s IT management infrastructure.
That being said, Bambenek said that even if the benefits of releasing a decryptor aren’t permanent, there is still value in burning current versions and forcing the gang to regroup and retool.
“If you’re actively facing [a DarkSide attack] it can help you, you can decrypt and that affects the calculus,” said Bambenek. “It’s not nothing, the attackers have to go back to the drawing board and figure out how you got the keys.”
The post DarkSide decryptor unlocks systems without ransom payment – for now appeared first on SC Media.