Threat analysis: DarkSide Ransomware

DarkSide is a new ransomware attack that started at the beginning of August 2020. It is supposedly run by former affiliates of other ransomware campaigns who, having extorted money there, decided to come up with their own code. According to the known incidents, the ransom demanded ranges from $200,000 to $2,000,000 (US).


- Discovered in August 2020
- Targets only English-speaking countries, avoiding the former Soviet countries
- Does not attack hospitals, hospices, schools, universities, non-profit organizations, or government institutions
- Uses Salsa20 with a custom matrix and RSA-1024 encryption algorithms
- Ransom demands range from $200,000 to $2,000,000
- Caused the shutdown of the Colonial Pipeline — the largest fuel pipeline in the U.S.
- Uses the Silent Night botnet (Zloader backdoor) for delivery
- Attackers have exploited Palo Alto’s CVE-2019-1579 and Microsoft Exchange vulnerabilities to breach a target environment

Attack vectors and targets

DarkSide ransomware recently attacked the Colonial Pipeline — the largest pipeline in the United States, used to transfer fuel from New York to Texas. According to a recent Bloomberg publication, Colonial Pipeline Co. paid the demanded $5 million ransom in cryptocurrency. However, they faced a performance issue — DarkSide ransomware, despite using the fast Salsa20 file encryption algorithm, has a slow file encryption/decryption procedure. As a result, the company continued using its own backups to hasten the restoration of pipeline operations.

DarkSide stands out from other ransomware as a service (RaaS) threats, as one of its attack vectors is based on the Zloader botnet (also known as “Silent Night”), which played a key role in DarkSide's success. Zloader is a variant of the Zeus financial malware that has been targeting banks since 2006. After a short break, its activity resumed in January 2020. Since then, the botnet’s affiliates have carried out a series of attacks on the United States, Canada, Germany, and Poland.

Zloader is a first-stage Trojan loader that infects the victim's peripheral domain. Once a foothold is established, the Cobalt Strike red teaming tool is used to spread and deploy DarkSide ransomware. In some cases, DarkSide ransomware has also been delivered through compromised third-party service providers.
In others, the CVE-2019-1579 vulnerability in Palo Alto’s GlobalProtect portal and GlobalProtect Gateway interface products and exposed Microsoft Exchange servers were used. As a result of exploitation, an unauthenticated attacker could execute malicious code remotely (RCE).

We have already analyzed the previous version of DarkSide ransomware here. This article provides an update on the latest version of the DarkSide ransomware.

Configuration

As DarkSide employs a RaaS model, the configuration data is embedded in the binary built for a specific affiliate. To hide these settings from analysis, the configuration data is compressed with aPLib. At the very start of its execution, immediately after loading libraries, the ransomware locates its configuration by searching for the terminating hex string 0xDEADBEEF. In the past, this string was usually used to mark deallocated memory.

After that, the configuration is decoded.

This configuration defines which particular features an affiliate has enabled in this ransomware sample. The ransomware configuration includes the following parameters:

- Victim’s ID — used for the encrypted file extension, in README.[Victim's ID].TXT, and to access the decryption service in Tor.
- Encryption mode — one of the following values:
  - ‘1’: ‘FULL’
  - ‘2’: ‘FAST’
  - Any other value: ‘AUTO’
- Flags — enable/disable the following features (all flags are set to ‘yes’ in the analyzed sample):
  - Encrypt local disks
  - Encrypt network shares
  - Perform language check
  - Delete volume shadow copies
  - Empty Recycle Bin
  - Self-delete
  - Perform UAC bypass if necessary
  - Adjust token privileges
  - Logging
  - Ignore specific folders
  - Ignore specific files
  - Ignore specific file extensions
  - Terminate processes
  - Stop services
  - Drop ransom note
  - Create a mutex
- Folders to skip.
  For example: "$recycle.bin, config.msi, $windows.~bt, $windows.~ws, windows, appdata, application data, boot, google, mozilla, program files, program files (x86), programdata, system volume information, tor browser, windows.old, intel, msocache, perflogs, x64dbg, public, all users, default".
- Files to skip. For example: "autorun.inf, boot.ini, bootfont.bin, bootsect.bak, desktop.ini, iconcache.db, ntldr, ntuser.dat, ntuser.dat.log, ntuser.ini, thumbs.db".
- Extensions to skip. For example: "386, adv, ani, bat, bin, cab, cmd, com, cpl, cur, deskthemepack, diagcab, diagcfg, diagpkg, dll, drv, exe, hlp, icl, icns, ico, ics, idx, ldf, lnk, mod, mpa, msc, msp, msstyles, msu, nls, nomedia, ocx, prf, ps1, rom, rtp, scr, shs, spl, sys, theme, themepack, wpx, lock, key, hta, msi, pdb".
- Folders to delete. For example: "backup".
- Processes to skip when terminating
- Processes to terminate to unlock the files
- C&C URLs
- Services to stop
- Message for a wallpaper directing victims to the ransom note
- Ransom note

The latest version of DarkSide attempts to stop the same list of backup and anti-malware services as previous versions targeted:

vss, sql, svc$, memtas, mepocs, sophos, veeam, backup, GxVss, GxBlr, GxFWD, GxCVD, GxCIMgr

DarkSide kills processes that contain the following strings in their names to unlock the files:

sql, oracle, ocssd, dbsnmp, synctime, agntsvc, isqlplussvc, xfssvccon, mydesktopservice, ocautoupds, encsvc, firefox, tbirdconfig, mydesktopqos, ocomm, dbeng50, sqbcoreservice, excel, infopath, msaccess, mspub, onenote, outlook, powerpnt, steam, thebat, thunderbird, visio, winword, wordpad, notepad

It doesn’t touch the following processes, to prevent their accidental termination, which may lead to a system crash or the disconnection of a remote session:

vmcompute.exe, vmms.exe, vmwp.exe, svchost.exe, TeamViewer.exe, explorer.exe

These lists have not changed since the previously analyzed version of DarkSide.

File encryption

No changes here since our last analysis.
DarkSide ransomware still uses Salsa20 for file encryption and RSA-1024 to encrypt the per-file keys.

C&C communication

The analyzed DarkSide sample has the C&C connection flag enabled in its configuration. It connects to the following domains, sending a check-in request with information that will be used to uniquely identify the infected computer:

Ransom note

The string from the configuration is used to generate the following wallpaper:

The ransom note template hasn’t changed since our last analysis.

Detection by Acronis

Acronis’ Active Protection technology uses machine intelligence and behavioral analysis to successfully identify and stop DarkSide attacks — as well as any other known or unknown cyberthreats. Backups are protected against tampering, and enable the automatic and rapid restoration of any encrypted files.

Conclusion

Compared to previous variants, we haven’t found significant changes in the DarkSide ransomware code and configuration. However, in recent major attacks DarkSide's new TTPs rely on the exploitation of Palo Alto’s CVE-2019-1579 and Microsoft Exchange vulnerabilities, as well as on the Silent Night (Zloader) botnet.

IoCs

SHA256: 151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5
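As an added example (not code from this analysis or from Acronis), the Python triage function below turns the service-stop list, the process-kill list and the README.[Victim's ID].TXT note name described above into detection logic and runs it over constructed host events; the event schema, the victim-ID length and the shadow-copy command markers are assumptions, not details taken from the sample.

```python
import re

# Service and process names from the DarkSide configuration described above.
# The ransomware matches them as substrings of the real service/process names.
SERVICES = ("vss", "sql", "svc$", "memtas", "mepocs", "sophos", "veeam", "backup",
            "gxvss", "gxblr", "gxfwd", "gxcvd", "gxcimgr")
PROCESSES = ("sql", "oracle", "ocssd", "dbsnmp", "synctime", "agntsvc", "isqlplussvc",
             "xfssvccon", "mydesktopservice", "ocautoupds", "encsvc", "firefox", "tbirdconfig",
             "mydesktopqos", "ocomm", "dbeng50", "sqbcoreservice", "excel", "infopath",
             "msaccess", "mspub", "onenote", "outlook", "powerpnt", "steam", "thebat",
             "thunderbird", "visio", "winword", "wordpad", "notepad")
# Ransom note is dropped as README.[Victim's ID].TXT; the ID length is assumed here.
NOTE_RE = re.compile(r"(^|[\\/])readme\.[0-9a-z]{6,}\.txt$", re.I)
# Assumed heuristic for the "delete volume shadow copies" flag (exact command not on the page).
SHADOW_MARKERS = ("delete shadows", "win32_shadowcopy")


def triage(events, min_stops=3, min_kills=3):
    """Score host events (constructed dicts with 'type' and 'name', not a real
    EDR schema) for the DarkSide pre-encryption behaviour described above."""
    stops, kills, notes, shadow = set(), set(), [], []
    for ev in events:
        kind, name = ev["type"], ev["name"].lower()
        if kind == "service_stop" and any(s in name for s in SERVICES):
            stops.add(name)
        elif kind == "process_kill" and any(p in name for p in PROCESSES):
            kills.add(name)
        elif kind == "file_create" and NOTE_RE.search(name):
            notes.append(ev["name"])
        elif kind == "cmdline" and any(m in name for m in SHADOW_MARKERS):
            shadow.append(ev["name"])
    # Mass stops of listed services plus kills of listed processes is the core
    # signal; a ransom note or shadow-copy wipe on top raises confidence.
    score = sum([len(stops) >= min_stops, len(kills) >= min_kills, bool(notes), bool(shadow)])
    return {"service_stops": sorted(stops), "process_kills": sorted(kills),
            "ransom_notes": notes, "shadow_delete": shadow,
            "score": score, "darkside_like": score >= 2}


# Constructed sample events; Spooler and explorer.exe show that unlisted names are ignored.
SAMPLE_EVENTS = [
    {"type": "service_stop", "name": "VeeamBackupSvc"},
    {"type": "service_stop", "name": "MSSQLSERVER"},
    {"type": "service_stop", "name": "SophosAgent"},
    {"type": "service_stop", "name": "Spooler"},
    {"type": "process_kill", "name": "sqlservr.exe"},
    {"type": "process_kill", "name": "outlook.exe"},
    {"type": "process_kill", "name": "winword.exe"},
    {"type": "process_kill", "name": "explorer.exe"},
    {"type": "file_create", "name": r"C:\Users\bob\Documents\README.3f1c2a9b.TXT"},
    {"type": "cmdline", "name": "vssadmin delete shadows /all /quiet"},
]
```

Calling triage(SAMPLE_EVENTS) scores the constructed host 4 out of 4 and flags it as DarkSide-like, while a host that only stops Spooler and kills explorer.exe scores 0.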