DarkSide Ransomware With Self-Propagating Feature in AD Environments

In order to evade analysis and sandbox detection, DarkSide ransomware only operates when the loader and data file are both present. The loader with the name “msupdate64.exe” reads the “config.ini” data file within the same path that contains the encoded ransomware and runs the ransomware on the memory area of a normal process. The ransomware is structured to only operate when a specific argument matches. It will then register itself to the task scheduler and run itself periodically.

analysis area argument darkside darkside ransomware data detection environments evade file loader malware analysis memory name order path process ransomware register sandbox