Free decrypter released for victims of Darkside ransomware

Cybersecurity firm Bitdefender has released today a free tool that can help victims of the Darkside ransomware recover their encrypted files for free, without paying the ransom demand.

The tool, available for download from the Bitdefender site, along with usage instructions, gives hope to companies that had important files locked and ransomed by one of today’s most sophisticated ransomware operations.

Background into the Darkside group

Active since the summer of 2020, the Darkside group launched and still operates today through ads posted on cybercrime forums.

The group uses a well-established Ransomware-as-a-Service (RaaS) model to partner with other cybercrime groups.

These groups would apply for the Darkside RaaS and receive a fully functional version of the Darkside ransomware. They would then breach companies using their own chosen methods, install the ransomware, and ask for huge payouts, usually in the realm of hundreds of thousands or millions of US dollars.

This modus operandi isn’t new, and it’s called “big-game hunting” because ransomware gangs usually tend to go after companies, instead of home users, in the hopes of increasing their profits.

In situations where victims didn’t want to pay, Darkside operators leak documents they stole from the victim’s network on a dedicated “leak site,” as a form of punishment and forwarning to other victims who may want to restore from backups instead of paying the crooks.

While the Darkside hasn’t posted the names and data of any new victims on its leak site since before the winter holiday last year, the group is still believed to be active at the time of writing.

According to security researcher MalwareHunter, the most recent activity from the group is an update to its leak site last week during which the Darkside operators added a new section dedicated to journalists, where reporters could register and get in contact with the Darkside gang directly.

While most Darkside victims have already either paid the ransom demand already or restored from backup months ago, the Darkside decrypter isn’t entirely useless, but far from it.

Will the decrypter lead to a Darkside shutdown?

First and foremost, the tool helps companies recover important files that were encrypted months before and which they weren’t able to restore but still have around, saved on backup drives.

Second, the tool also incurs operational costs to the Darkside gang, which will now have to re-do all its file encryption code to prevent free decryptions.

Third, the tool also deals a major reputational blow to the Darkside RaaS. Many ransomware operations have shut down in the past after the release of a free decrypter, as most of their customers abandoned them for newer and non-decryptable competitors.

As for the victims themselves, the good news is that the free decrypter released today by Bitdefender should, in theory, work for all recent versions of the Darkside ransomware, regardless of the file extension that crooks added at the end of each encrypted file.

This extension is unique per victim, as it’s computed from local characteristics, but that shouldn’t be a problem, Bitdefender said.