The DarkSide Ransomware
DarkSide is a ransomware strain that threat actors have been using to target multiple large, high-revenue organizations resulting in the encryption and theft of sensitive data and threats to make it publicly available if the ransom demand is not paid.
About DarkSide Ransomware
DarkSide ransomware, first seen in August 2020 and updated as v2.0 in March 2021, is associated with the DarkSide group and now often operates as ransomware-as-a-service (RaaS).
The DarkSide group has a history of double extortion of its victims.
It asks for payment to unlock the affected computers and also to retrieve the exfiltrated data.
Techniques that the attackers have used in DarkSide ransomware can be very sophisticated: Initial access by Exploiting Public-Facing Applications (e.g. RDP), Privilege Escalation, and Impair Defenses.
DarkSide makes use of vulnerabilities CVE-2019-5544 and CVE-2020-3992.
Both vulnerabilities have widely available patches, but attackers are targeting to organizations using unpatched or older versions of the software.
During encryption, DarkSide uses a customized ransom note and file extension for their victims.
Although DarkSide has reportedly shut its doors following the six-day outage at Colonial Pipeline in early May, the US government is making significant efforts to counter the ransomware industry as a potential threat to national security.
Technical Details
Initial Access
DarkSide ransomware performs brute force attacks and exploits known vulnerabilities in the remote desktop protocol (RDP) to gain initial access.
After initial access DarkSide does validation on the machines to infect.
DarkSide collects the information about computer name and system language in its initial code execution (is mainly used to target English-speaking countries), and then checks the default system language.
Privilege Escalation and Lateral Movement
Privilege Escalation consists of techniques that are used to gain higher-level permissions on a system or network.
These kinds of attacks can be performed if a malicious user exploits a bug or configuration error in an application or operating system.
Privilege Escalation is used to gain elevated access to resources that should not normally be available to the user.
DarkSide checks for if the user has administrator privileges; if not, it will try to get administrator privileges by using UAC bypass technique making use of CMSTPLUA COM interface.
Data Exfiltration
DarkSide ransomware identified data backup applications, exfiltrates data, and then encrypts local files as part of the ransomware deployment.
Delete Volume Shadow Copies
Ransomware campaigns often attempt to delete the volume shadow copies of the files on a given computer so that their victims will not be able to restore file access by reverting to the shadow copies. DarkSide deletes the volume shadow copies via PowerShell scripts.
Impair Defenses
DarkSide disables security protection services using the Impair Defenses technique to avoid possible detection of their tools and activities.
This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Ransomware Execution
Ransomware generates the custom file extension based on machine GUID and using API RtlComputeCRC32.
File extension generated by using Machine GUID is of 8 characters and will be added to each encrypted file name.
To prevent ransomware detection, DarkSide uses encrypted APIs (that will be dynamically resolved), strings and ransom notes.
DarkSide ransomware excludes some of the files based on the file extension.
Files are encrypted using Salsa20 and a key randomly generated using RtlRandomEx API and encrypted using an RSA-1024 public key.
Vulnerabilities Exploited
As reported by ZDNet, Ransomware attackers can attack virtual infrastructure through weak versions of the VMware ESXi hypervisor.
DarkSide attackers have used CVE-2019-5544 and CVE-2020-3992 vulnerabilities in VMware ESXi.
Both vulnerabilities are patched, but attackers are still targeting organizations using unpatched or older versions of the software.
Open SLP (Service Layer Protocol) is used for multiple virtual machines to store information on a single server in VMware ESXi hypervisor.
How to Prepare for Threat Actors
Find and fix the weak links before attackers do: any unpatched internet-facing server is an exploit away from script-kiddie payday.
Assume breach and fix weak links inside: threat actors look for quick ways to obtain domain admin credentials.