This story has been updated with new information about the decryptor and a response from Bitdefender.
Antivirus company Bitdefender has released a decryptor for victims of the DarkSide ransomware gang.
The decryptor was publicly posted on the Bitdefender website Jan. 11 and is available for download to all. It can be used by current victims to unlock their systems and data without having to pay a ransom. According to a short blog included with the release, the tool automatically scans and searches for file extensions associated with the encrypted files and decrypts them.
Relatively new on the scene, (the group first emerged in August 2020), DarkSide operators are among a host of groups that have emerged over the past year vying for dominance in the ransomware market.
“After the demise of GandCrab, players in the ransomware space have been fighting for supremacy and affiliates,” said Bitdefender Threat Research Director Bogdan Botezatu in an emailed statement. “DarkSide is one such competitor, and although it is relatively new, it has already successfully managed to infect multiple targets and stay relevant.”
The group operates as ransomware-as-a-service, selling or leasing customized versions of their malware to other partners to use in their own attacks. According to Digital Shadows, the group uses “a highly targeted approach” to selecting victims, carefully crafts custom code for each target and uses sophisticated, almost corporate-like methods of communication during attacks.
Just how much the release of the decryptor ends up setting back DarkSide operations is not clear. Its utility would be most relevant for current victims and those who previously declined to pay the ransom. Even then, while decrypting locked data removes one form of leverage these groups have over companies, if they also exfiltrated before deploying the ransomware, it wouldn’t do anything to stop them from leaking that same data to the public. Doing so is a common tactic that DarkSide and other groups use to further up the pressure on companies to pay.
“Just like most modern ransomware, its operators are attempting to exfiltrate confidential data prior to encryption and uses it to blackmail the victim,” said Botezatu. “This tactic once again shows how important layered defenses and managed detection and remediation services are to businesses of all sizes.”
John Bambenek, President of cybersecurity investigation firm Bambenek Consulting, told SC Media that public release of decryptors can be a helpful tool to some but that their utility usually decreases over time as groups like DarkSide react and adapt to the exposure.
Indeed, the day after the decryptor was released, DarkSide put up a note on its ransomware site claiming to have identified and corrected the issue. They alleged that Bitdefender created the decryptor using private keys that were previously purchased from the group and that an underlying problem with key generation led to at least 40% of companies having the same encryption key.
They mockingly thanked Bitdefender for alerting them to the issue, saying the group’s low level of activity during the Christmas and New Year’s holidays means only “2-3” companies would benefit from the release. They also said they would compensate any affiliates who lost money due to the release.
In a response, Botezatu said the move was expected, and said the release was likely done to reassure affiliates that that they are “still in the game.” He also said Bitdefender is “already seeing successful decryptions, so it’s obvious that we’re talking about more victims than what the attackers have claimed.”
Brett Callow, a threat analyst at Emsisoft, said the rapid response from DarkSide reflects how efficient such groups have become at addressing issues that impact their business.
“The fact that DarkSide have addressed the key generation issue - or, at least, claim to - is not at all surprising,” said Callow. “Ransomware groups are far more sophisticated than in the past and, with millions of dollars on the line, invariably move quickly to fix any bugs in their code.”
Like breached companies, ransomware groups like DarkSide who've had their keys packaged into a decryptor undergo their own investigation efforts to determine how the keys were obtained and whether the theft was tied to any ongoing security failure in their IT infrastructure. Such work is largely about “figuring out what the decryptor does, if it defeats some kind of flaw” in the group’s IT management infrastructure, Bambenek said.
That being said, even if the benefits of releasing a decryptor aren’t permanent, there is still value in burning current versions and forcing the gang to regroup and retool.
“If you’re actively facing [a DarkSide attack] it can help you, you can decrypt and that affects the calculus,” said Bambenek. “It’s not nothing, the attackers have to go back to the drawing board and figure out how you got the keys.”