BlackBerry ThreatVector Blog

Threat Thursday: Delving Into the DarkSide

Summary

The DarkSide ransomware variant first appeared in mid-2020. It is distributed as a Ransomware as a Service (RaaS) that is used to conduct targeted attacks. DarkSide targets machines running both Windows® and Linux, and made headlines recently due to its attack on the U.S. fuel pipeline system, the Colonial Pipeline.  

DarkSide uses a double extortion scheme where data is both encrypted locally and exfiltrated before the ransom demand is made. If the victim refuses to pay, their data is published to a site located on the dark web:

hxxp[:]//darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id[dot]onion

Upon execution, this ransomware deletes volume shadow copies and system backups to hamper recovery efforts. It then encrypts files, changes the file icons, and appends an extension to the affected files. Finally, it drops a README file to the affected directories and changes the desktop wallpaper, in a similar way to other ransomware families.

In the aftermath of the Colonial Pipeline attack, the DarkSide Group has stated publicly that it was not their intent to affect hospitals or medical facilities, education, not-for-profit, or Government systems.

It’s important to note that current indications point towards the DarkSide group shuttering operations, possibly in the hope of restarting and rebranding once the bad publicity dies down. While the threat from the current iteration of this ransomware may be winding down, it’s important to be aware of the group’s tactics, techniques, and procedures (TTPs), as these may clue us in to its future endeavors.

Operating System

Risk and Impact

Technical Analysis

Upon encryption, DarkSide uses the machine’s GUID value to generate a ransom extension for affected files; for example, ‘5364a99b’. This value is then used to create <ransom_extension>.bmp and <ransom_extension>.ico files under ‘C:\ProgramData\’. The same value also appears in the registry keys the malware creates, as seen in the images below:

Figure 1: HKLM\Software\Classes\.5364a99b registry key creation.

Figure 2: HKLM\Software\Classes\5364a99b\DefaultIcon registry key creation.

Figure 3: Registry key creation.

The malware checks for specific running processes and terminates any that it finds:

Figure 4: Terminated processes.

The malware also carries out checks to find specified services, which are also terminated if present:

Figure 5: Stopped services.

Certain folders and locations are exempt from encryption:

Figure 6: Excluded folders.

Certain file types are also excluded, as seen in the screenshot below:

Figure 7: Excluded extensions.

During the encryption process, custom <ransom_extension>.bmp and <ransom_extension>.ico files are dropped in the ‘C:\ProgramData’ directory. The <ransom_extension>.bmp is used to change the desktop wallpaper to inform the affected user that their files are encrypted:

Figure 8: Desktop wallpaper change.

The <ransom_extension>.ico is used to change the icon of every file that is targeted by DarkSide:

Figure 9: Encrypted file icon change.

A ransom note is dropped in the affected directories, which follows the ‘README.<ransom_extension>.TXT’ naming convention:

Figure 10: DarkSide ransom note creation.

DarkSide utilizes a double extortion scheme similar to REvil, to further compel victims to pay the ransom. Within the ransom note is a URL that allows the victim to view the contents of the data that was downloaded and stolen by DarkSide. However, this information is housed on a .onion domain, giving the threat actors a further level of anonymity. In order to access this domain, the victim must use the Tor Browser, which directs Internet traffic through multiple nodes, thereby enabling anonymous communication.

Figure 11: DarkSide ransom note.

The ransom note also contains instructions on how to pay the ransom. To pay, the victim needs to visit the provided URL and input the key contained within the ransom note:

Figure 12: DarkSide URL for key input.

Yara Rule

The following Yara rule was authored by the BlackBerry Threat Research Team to catch the threat described in this document:

rule darkside_ransomware {

    meta:
        author = "Blackberry Threat Research team"
        created = "11 May 2021"
        comment = "Opcodes unique to DarkSide ransomware executable"

    strings:
        // mov dword ptr [ebx+N], imm32 storing the four MD5 initial state words
        $md5_1 = { C7 03 01 23 45 67 }    // [ebx]     = 0x67452301
        $md5_2 = { C7 43 04 89 AB CD EF } // [ebx+4]   = 0xEFCDAB89
        $md5_3 = { C7 43 08 FE DC BA 98 } // [ebx+8]   = 0x98BADCFE
        $md5_4 = { C7 43 0C 76 54 32 10 } // [ebx+0xC] = 0x10325476

        // push imm32 instructions specific to the DarkSide executable
        $hex_1 = { 68 A4 04 2B 1E }       // push 0x1E2B04A4
        $hex_2 = { 68 5E 04 98 3B }       // push 0x3B98045E
        $hex_3 = { 68 88 05 8B 28 }       // push 0x288B0588

    condition:
        all of ($md5*) and
        all of ($hex*)
}
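To show what the rule above actually keys on, here is an added Python helper (written for this post, not BlackBerry’s own tooling) that decodes the seven patterns as x86 instructions and evaluates the rule’s condition over two constructed byte buffers: one containing all seven patterns, and one containing only the four MD5 state stores, which any compiled MD5 routine could contain and which the condition must therefore reject on its own. It assumes only that the patterns are the three x86 encodings decoded below.

```python
import struct

# Hex patterns copied from the YARA rule above, grouped as its condition groups them.
MD5_PATTERNS = {
    "$md5_1": "C7 03 01 23 45 67",
    "$md5_2": "C7 43 04 89 AB CD EF",
    "$md5_3": "C7 43 08 FE DC BA 98",
    "$md5_4": "C7 43 0C 76 54 32 10",
}
HEX_PATTERNS = {
    "$hex_1": "68 A4 04 2B 1E",
    "$hex_2": "68 5E 04 98 3B",
    "$hex_3": "68 88 05 8B 28",
}
# RFC 1321 initial state words A, B, C, D of MD5.
MD5_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)

def pattern_bytes(text):
    return bytes.fromhex(text.replace(" ", ""))

def describe(pattern):
    """Decode the only x86 encodings these patterns use (imm32 is little-endian)."""
    b = pattern_bytes(pattern)
    if b[:2] == b"\xC7\x03":   # C7 /0, ModRM 03: mov dword ptr [ebx], imm32
        return "mov dword ptr [ebx], 0x%08X" % struct.unpack("<I", b[2:6])[0]
    if b[:2] == b"\xC7\x43":   # C7 /0, ModRM 43: mov dword ptr [ebx+disp8], imm32
        return "mov dword ptr [ebx+0x%X], 0x%08X" % (b[2], struct.unpack("<I", b[3:7])[0])
    if b[0] == 0x68:           # push imm32
        return "push 0x%08X" % struct.unpack("<I", b[1:5])[0]
    raise ValueError("unexpected encoding: " + pattern)

def md5_immediates():
    """The four constants the $md5_* patterns store, in rule order."""
    return tuple(struct.unpack("<I", pattern_bytes(p)[-4:])[0] for p in MD5_PATTERNS.values())

def rule_matches(buf):
    """Pure-Python equivalent of the condition: all of ($md5*) and all of ($hex*)."""
    present = lambda group: all(pattern_bytes(p) in buf for p in group.values())
    return present(MD5_PATTERNS) and present(HEX_PATTERNS)

# Constructed buffers, not bytes from a real sample: NOPs and a RET around the patterns.
ALL_PATTERNS = (b"\x90" * 8
                + b"".join(pattern_bytes(p) for p in {**MD5_PATTERNS, **HEX_PATTERNS}.values())
                + b"\xC3")
# A compiled MD5 routine could contain the same four stores without the three pushes.
MD5_ONLY = b"\x55\x8B\xEC" + b"".join(pattern_bytes(p) for p in MD5_PATTERNS.values()) + b"\xC3"

if __name__ == "__main__":
    for name, pat in {**MD5_PATTERNS, **HEX_PATTERNS}.items():
        print(name, "->", describe(pat))
    print("all patterns:", rule_matches(ALL_PATTERNS), "| md5 only:", rule_matches(MD5_ONLY))
```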

Indicators of Compromise (IoCs)

File System Actions

Created:

  • C:\ProgramData\<ransom_extension>.bmp (A ‘.bmp’ file for wallpaper)
  • C:\ProgramData\<ransom_extension>.ico (A ‘.ico’ file for encrypted file icon)
  • README.<ransom_extension>.TXT (A ransom note, which is dropped in each affected directory)

Deleted:

  • Shadow Volume Copies

Modified:

  • All targeted files post-encryption

Registry Keys Created:

  Key                                                    Value
  HKLM\Software\Classes\<ransom_extension>\DefaultIcon   C:\ProgramData\<ransom_extension>.ico
  HKLM\Software\Classes\.<ransom_extension>              <ransom_extension>
  HKCU\Control Panel\Desktop\WallPaper                   C:\ProgramData\<ransom_extension>.BMP
  HKCU\Control Panel\Desktop\WallPaperStyle              10

NOTE: The name ‘5364a99b’ (<ransom_extension>) is derived from the Machine GUID of the victim’s machine and therefore varies per victim environment.
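As an added example (not BlackBerry tooling), the following Python applies the registry and file-system IoCs above to a triage snapshot of a host: it looks for a HKLM\Software\Classes\.<ext> key whose default value is <ext>, then checks the DefaultIcon, wallpaper, ProgramData and README artefacts for that same extension. It assumes the extension is eight hex characters, as in the ‘5364a99b’ example, and that the snapshot is a dictionary of registry values plus a list of file paths.

```python
import re

# The page's example extension, ‘5364a99b’, is eight hex characters; that width is an
# assumption of the pattern below, since the derivation from the Machine GUID is not
# documented here. Everything is compared case-insensitively, as Windows would.
CLASSES_EXT = re.compile(r"^hklm\\software\\classes\\\.([0-9a-f]{8})$")
PROGRAMDATA = "c:\\programdata\\"

def find_darkside_artifacts(registry, files):
    """registry: {value path: data}, with default values keyed by their key path;
    files: full paths. Returns one finding per ransom extension, with the evidence."""
    reg = {k.lower(): str(v).lower() for k, v in registry.items()}
    paths = {p.lower() for p in files}
    findings = []
    for key, data in reg.items():
        m = CLASSES_EXT.match(key)
        if not m or data != m.group(1):   # HKLM\Software\Classes\.<ext> must hold <ext>
            continue
        ext = m.group(1)
        icon, bmp = PROGRAMDATA + ext + ".ico", PROGRAMDATA + ext + ".bmp"
        findings.append({
            "ransom_extension": ext,
            "default_icon": reg.get("hklm\\software\\classes\\" + ext + "\\defaulticon") == icon,
            "wallpaper": reg.get("hkcu\\control panel\\desktop\\wallpaper") == bmp,
            "wallpaper_style": reg.get("hkcu\\control panel\\desktop\\wallpaperstyle") == "10",
            "icon_file": icon in paths,
            "bmp_file": bmp in paths,
            "ransom_notes": sorted(p for p in paths if p.endswith("\\readme." + ext + ".txt")),
            "renamed_files": sorted(p for p in paths if p.endswith("." + ext)),
        })
    return findings

# Constructed snapshot of an infected host, modelled on the IoC table above
# (not data collected from a real incident).
SAMPLE_REGISTRY = {
    r"HKLM\Software\Classes\.5364a99b": "5364a99b",
    r"HKLM\Software\Classes\5364a99b\DefaultIcon": r"C:\ProgramData\5364a99b.ico",
    r"HKCU\Control Panel\Desktop\WallPaper": r"C:\ProgramData\5364a99b.BMP",
    r"HKCU\Control Panel\Desktop\WallPaperStyle": "10",
    r"HKLM\Software\Classes\.txt": "txtfile",   # ordinary association, must not fire
}
SAMPLE_FILES = [
    r"C:\ProgramData\5364a99b.ico",
    r"C:\ProgramData\5364a99b.BMP",
    r"C:\Users\alice\Documents\README.5364a99b.TXT",
    r"C:\Users\alice\Documents\report.docx.5364a99b",
]

if __name__ == "__main__":
    for finding in find_darkside_artifacts(SAMPLE_REGISTRY, SAMPLE_FILES):
        print(finding)
```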

Processes Terminated:

sql, oracle, ocssd, dbsnmp, synctime, agntsvc, isqlplussvc, xfssvccon, mydesktopservice, ocautoupds, encsvc, firefox, tbirdconfig, mydesktopqos, ocomm, dbeng50, sqbcoreservice, excel, infopath, msaccess, mspub, onenote, outlook, powerpnt, steam, thebat, thunderbird, visio, winword, wordpad, notepad

Services

Created:

  • ServiceName: .<ransom_extension>
  • Binary path: the full path to the DarkSide executable

Terminated:

vss, sql, svc$, memtas, mepocs, sophos, veeam, backup, GxVss, GxBlr, GxFWD, GxCVD, GxCIMgr

Network URLs:

  • hxxps://baroquetees[dot]com
  • hxxps://rumahsia[dot]com

IP:

  IP Traffic              Port   Protocol
  176[.]103[.]62[.]217    443    HTTP
  99[.]83[.]154[.]118     443    HTTP

BlackBerry Assistance

If you’re battling DarkSide ransomware or a similar threat, you’ve come to the right place, regardless of your existing BlackBerry relationship.

The BlackBerry Incident Response team is made up of world-class consultants dedicated to handling response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.

We have a global consulting team standing by to assist you, providing around-the-clock support where required, as well as local assistance. Please contact us here: https://www.blackberry.com/us/en/forms/cylance/handraiser/emergency-incident-response-containment.

The BlackBerry Research and Intelligence Team

About The BlackBerry Research and Intelligence Team

The BlackBerry Research and Intelligence team examines emerging and persistent threats, providing intelligence analysis for the benefit of defenders and the organizations they serve.