Dark Side Ransomware

Ransomware, malicious software, is the most common threat in the digital security environment. Ransomware attacks are becoming more prevalent as threat actors find new ways to profit from them.

As the capacity to execute efficient spying could be vital to the success of any ransomware activity, threat actors will organize their cyberattacks with caution and persistence and attack under ideal circumstances. The DarkSide gang illustrates curiosity regarding the extensive investigation needed to identify a target.

Hackers utilize the recent DarkSide ransomware strain to attack numerous large, high-profile enterprises. It encrypts and steals sensitive data and sends a ransom note to render it freely accessible if the imposition is not met.

About Dark Side Ransomware Group

DarkSide ransomware gang targets businesses worldwide. It was first identified in July 2020.

DarkSide Ransomware Targets

The DarkSide ransomware operators claim to target high-revenue, large corporations that can pay large sums in exchange for system decryption. They stated that schools, hospitals, governments, and non-profits would not be their victims.

DarkSide Ransomware Techniques

The attack vectors that DarkSide ransomware hackers employ include Privilege Escalation, Impair Defenses, and Initial Access via Exploiting Public-Facing Applications (like RDP).

The DarkSide team possesses Linux and Windows toolkits. Its affiliate program pays approx. 10%-25% of the proceeds to entities preferring to aid in transmitting their ransomware, like REvil and NetWalker. DarkSide’s ransomware code resembles REvil software’s ransomware code.

Vulnerabilities Exploited By DarkSide Ransomware.

DarkSide ransomware exploits vulnerabilities like CVE-2019-5544 and CVE-2020-3992. Although these vulnerabilities have freely accessible protections, cyber attackers focus on companies running an unencrypted or outdated operating system or software. When DarkSide ransomware encrypts files, it gives each target a unique file extension and ransom message.

What Type Of Ransomware Is Utilized By DarkSide?

DarkSide uses a Ransomware-as-a-Service provider (RaaS). Different organizations probably affiliate with the group to devise ransomware attacks. The DarkSide attackers self-acknowledge that they purchase business network access, as they do not know about obtaining access. Despite using RaaS, the gang has expertise from other financially lucrative cyberattack campaigns.

A DarkSide affiliate can use DarkSide’s RaaS (Ransomware-as-a-Service) in exchange for a revenue cut. The DarkSide ransomware gang uses a sophisticated economic strategy. This sophisticated ransomware attacks high-profile organizations and monetizes hacked network assets (like the ones using double extortion linking file encryption with data theft).

Additionally, multiple gangs collectively execute advanced ransomware operations and share the proceeds. The ransom payments that DarkSide threat actors receive are split among the affiliated groups granting businesses access. The DarkSide ransomware group offers them about 25% of the total sum. These threats may resemble advanced persistent threat (APT) attacks compared to conventional ransomware incidents.

The DarkSide attacks reveal a detailed knowledge of the targets’ critical infrastructure, security measures, and weaknesses. After a detailed study of a few of their attacks, the FBI has established that the DarkSide hacktivist gang might be based in Eastern Europe.

DarkSide Ransomware Timeline

An overview of DarkSide’s documented activities is shown below:

August 2020:

• Unveiled its ransomware.

October 2020:

• Donated $20,000 of ransom payment to charity.

November 2020:

• Introduced its service, RaaS.
• Welcomed affiliates to join their services.
• Later, a data leak site of DarkSide was found.
• Released its CDN (Content Delivery Network) for depositing and distributing exploited sensitive data.

December 2020:

• Requested data retrieval companies and media sources to join the organization’s press center on its open leak website.

March 2021:

• Launched an updated version 2.0 of their ransomware.

May 2021:

• Launched the Colonial Pipeline attack.

After this assault, DarkSide declared itself politically neutral and began assessing its victims.

Attack Components Of DarkSide Ransomware

Primarily, the DarkSide ransomware attack operations were distinguished for employing covert tactics. The group conducted thorough investigations and practiced precautions to ascertain that their exploitation techniques and tools would go undetected on surveilled endpoints and devices.

Although its access points differ initially, upon gaining initial access, its methods become highly systematic, making its eventual goal ruthlessly effective.

Some covert strategies are:

• TOR browser control and command.
• Abstaining from nodes in EDR active zones.
• Delayed attack, reserving harsher activities for later phases.
• Assigning unique host connections and code to each target organization.
• Utilizing dynamic library loading and encoding as shielding methods.
• Strategies to evade forensics (e.g., erasing log files).

The conclusive steps of the attack cycle included:

• Retrieve credentials from domain controllers, files, and memory.
• Provide attack tools and save file archives using file sharing.
• Flexible file share permissions for simple extraction.
• Erase volume shadow copies and backups.
• Employ personalized ransomware.

How Does DarkSide Ransomware Operate?

The following are DarkSide ransomware attack tools and techniques:

Initial Access

For gaining initial access, the DarkSide ransomware employs brute force assaults and leverages identified Remote Desktop Protocol (RDP) vulnerabilities. They can now gain initial access through the Virtual Desktop Infrastructure (VDI) that enables remote access.

Following initial access, DarkSide ransomware evaluates the systems it will infect. Its initial validation comprises gathering information, like system language and the computer’s name. DarkSide ransomware verifies the default system language as it targets English-speaking states.

The following tools were utilized for particular objectives during the investigation and access-gaining phases:

Reconnaissance Tools:

• Mimikatz.
• Metasploit Framework.
• BloodHound.
• PowerShell (for tenacity as well).

Deployment Tools:

• Cobalt Strike.

DarkSide operators nevermore instantly drop ransomware right after gaining preliminary access. There are numerous stages before ransomware infection, which the hacker manually performs.

Command And Control

The DarkSide ransomware hackers initiated command and control leveraging Remote Desktop Protocol (RDP) client running on port 443, transmitted through the TOR browser.

Escalation of Privilege and Lateral Movement

The practice of escalating one’s authority level on a network or system is known as privilege escalation. Privilege Escalation attacks can be applied if a malevolent user abuses a misconfiguration or defect in a system or application. Privilege escalation is a technique for gaining enhanced resources and network access the user does not have. Employing the User Account Control (UAC) bypass technique utilizing the CMSTPLUA COM interface, the DarkSide ransomware attempts to gain administrator controls if the user does not have them.

Reconnaissance And Credential Harvesting

In addition to scanning networks, running scripts, dumping files, and stealing passwords, DarkSide ransomware is infamous for its Live-Off-the-Land (LOtL) capacity. This strategy involves legitimate tools and credentials that system administrators and network defenders use.

Data Exfiltration

Another step of DarkSide ransomware installation involves:

• Analysis of data backup software.
• Performing data exfiltration.
• And then locking the files.

DarkSide utilizes the following tools for data exfiltration:

• 7-Zip: to archive files in advance of exfiltration.
• Mega Client and Rclone: to move exfiltrated data files to cloud storage.
• PuTTy: a network file transfer substitute program.

Remove Volume Shadow Copies

DarkSide ransomware tries to delete volume shadow copies of the files on an infected computer through PowerShell programs. It is done to prevent the targets from recovering file access by restoring the volume shadow copies.

Weaken Defenses

DarkSide deactivates security controls to prevent their tools and operations from being exposed utilizing the Impair Defenses approach. It may involve:

• Terminating event logging operations or security software.
• Erasing Registry keys to prevent software from activating at startup.
• Using other techniques to obstruct security programs from data scrutinizing or providing reports.

Ransomware Deployment And The Encryption Process

Ransomware creates a unique file extension by leveraging the system GUID and the API RtlComputeCRC32. All encrypted files are named with an 8-character file extension created through Machine GUID.

DarkSide employs ransom notes, strings, and encrypted APIs to thwart ransomware detection. APIs can be accessed periodically.

The DarkSide ransomware disregards some files according to the file extension. DarkSide ransomware leverages Salsa20 to encrypt files. A key randomly generated through the RtlRandomEx API is encrypted with an RSA-1024 public key.

Exploited Vulnerabilities

According to ZDNet, ransomware hackers can target virtual desktop infrastructure using a defective ESXi hypervisor from VMware. The DarkSide cybercriminals exploited the VMware ESXi CVE-2019-5544 and CVE-2020-3992 vulnerabilities. Although these flaws have been fixed, hackers continue to attack businesses running unencrypted or outdated operating systems. The VMware ESXi hypervisor employs Open SLP (Service Layer Protocol) to store files for several virtual systems on a single server.

Known Vulnerabilities

CVE-2019-5544

The boatload of the OpenSLP program may be overwritten by a hacker having Horizon DaaS management appliance network access or ESXi host port 427 network access, enabling remote code execution.

CVE-2020-3992

If a cybercriminal with ESXi system port 427 access is present over the management network, it can activate a UAF (use-after-free) in the OpenSLP application, enabling remote code execution.

Notable Attacks By DarkSide Group

Toshiba Attack

The Japanese multinational firm Toshiba offers a range of goods, including printers, escalators, elevators, IT solutions, and systems for the industrial, social, and energy infrastructure.

The firm claims that the DarkSide cyberattack was restricted to a tiny fraction of Europe and that just minimal work data had been destroyed, with cybercriminals unable to obtain consumer data.

After the incident, the corporation suspended networks between Japan, Europe, and its divisions to prevent further harm while recovery procedures and data backups were implemented.

The Japanese corporation claims that an investigation has been started to evaluate the harm caused, and a third-party cyber forensics expert was thus enlisted to assist.

Brenntag Attack

German chemical supply chain firms with operations in over 77 nations worldwide were the victims of a DarkSide Cyberattack, for which the company paid a $4.4 million Bitcoin ransom.

Brenntag prevented the hackers from releasing the firm’s hacked files after paying the ransom and obtaining a decryption key for encrypted files.

Typically, the DarkSide affiliate in an extortion agreement must disclose the source of obtaining access to the target’s data. It is accomplished by stating it in a sentence in the Tor chat window or by a comprehensive cybersecurity audit report.

Brenntag’s DarkSide agent stated that they gained network access after purchasing stolen data, although they were unsure how the login details were acquired.

Colonial Pipeline Attack

The major fuel pipeline company in the US, Colonial Pipeline, transports jet fuel and processed gasoline from Texas to New York.

The corporation was compelled to cease operations in 2021 following the ransomware attack, highlighting the susceptibility of the power generation framework to DarkSide attacks.

The pipeline management briefly stopped pipeline services and various IT platforms after realizing it became a cyberattack target. To further evaluate, it also reached out to an external cybersecurity company.

The business said in a press announcement that it had to suspend its 5,500 miles of pipeline, which transports 45% of the fuel supply for the East Coast, to control the ransomware incident.

DarkSide Ransomware Prevention And Mitigation

DarkSide was developed to encrypt files like documents, pictures, music files, movies, etc., and prevent access.

After a DarkSide attack, target organizations must instantly uninstall the ransomware and any associated devices from PCs before starting data retrieval procedures. Here are some ransomware protection techniques that may be useful:

• Enable robust spam detection to prevent end users from receiving phishing emails. Prevent emails that contain executable files from end users’ reach.
• Implement multi-factor authentication to IT and operational networks’ remote access.
• Establish spearphishing user training sessions and model spear-phishing attacks to instill appropriate user responses. It will prevent users from downloading malicious attachments or accessing risky sites.
• Filter network traffic to restrict connections transmitting in and out of the network from known malicious IP addresses. Install URL allowlists, blocklists, or both to prevent people from accessing malicious sites.
• Adopt network resource access restrictions, particularly for RDP. If risk evaluation reveals that RDP is functionally necessary, restrict the origins and require multi-factor authentication.
• Establish routine IT network assets software updates, such as applications, firmware, and operating systems.
• Only use .gov websites with HTTPS lock to share crucial data, as they are secure websites belonging to an official government organization.
• Contemplate building a centralized patch management system. Utilize a risk-based assessment technique to determine the OT network assets and locations that the patch management program must cover.
• Install antimalware and antivirus software to scan IT network assets using up-to-date signatures regularly. Use a risk-based stock management strategy to describe the OT network assets identification and examination for ransomware presence.

In case an organization faces a ransomware incident, the FBI and CISA advise them:

• shutting down and isolating the infected computer, and the infected system from all networks.
• deactivating the computer’s wireless, Bluetooth, and other potential networking capabilities.
• ensuring data backups are secured and offline.
• consulting the Joint Cybersecurity Advisory.

Conclusion

The ransomware industry will keep advancing. Hence, businesses must take the time to implement an incident response strategy tailored to the latest ransomware assault paradigm. Ironically, some businesses may be neglecting cybersecurity. For instance, numerous security professionals pointed out that Colonial Pipeline had several security flaws, including using a previously exposed weak variant of Microsoft Exchange.

Safeguarding these assets must be a primary concern since a potential cyberattack on a corporation offering essential services can have knock-on repercussions that could negatively impact many facets of society.