The recent campaign targeting the Colonial Pipeline in the United States is a sobering example of the extent to which cybersecurity – specifically ransomware – threatens everyday life. There is a lot more to this than encrypted or stolen data. The economic reverberations of a disruptive attack on critical infrastructure, whether for financial gain or otherwise, are hard to gauge. With the pipeline proactively shut down as of Sunday, May 9th, there are concerns about how this outage will affect fuel prices and for how long. How the coming weeks and months play out may serve as a template for predicting the impact and risk of similar attacks, which will inevitably follow.
NovaCare Business Protect detects and protects against DarkSide ransomware. No action is required for our customers.
NovaCare Business Protect Protects from DarkSide Ransomware
In this post, we discuss the evolution of the DarkSide malware and affiliate networks, including the evolution of their feature sets and recruitment areas.
Watch How TN Team Mitigates DarkSide Ransomware
Beyond protection, it is important that your security tool can mitigate and roll back in the case of a ransomware attack.
Who is DarkSide?
The attack on the Colonial Pipeline has been attributed to DarkSide, a relatively new ransomware family that emerged on the crimeware market in November 2020.
DarkSide launched as a RaaS (Ransomware-as-a-Service) with the stated goal of only targeting ‘large corporations.’ They are primarily focused on recruiting Russian (CIS) affiliates, and are very skeptical of partnerships or interactions outside of that region. From the outset, DarkSide was focused on choosing the ‘right’ targets and identifying their most valuable data. This speaks to their efficiency and discernment when choosing where to focus their efforts. From their inception, DarkSide claimed they would avoid attacking the medical, educational, non-profit, or government sectors.
At the time of launch, the features offered by DarkSide were fairly standard. They emphasized their speed of encryption and a wealth of options for dealing with anything that might inhibit the encryption process (i.e., security software). They also advertised a Linux variant with comparable features. Following in the footsteps of recently successful ransomware families like Maze and Cl0p, DarkSide established a victim data-leak blog as further leverage to encourage ransom payouts.
The original DarkSide 1.0 feature set was advertised as follows (the first two groups describe the Windows and Linux builds):
Windows [
full ASM, salsa20 + rsa 1024,
i / o, own implementation of salsa and rsa,
fast / auto (improved space) / full,
token impersonalization for working with balls,
slave table, freeing busy files,
changing file permissions,
drag-and-drop and much more].
Linux [
C ++, chacha20 + rsa 4096,
multithreading (including Hyper-threading, analog of i / o on windows),
support for truncated OS assemblies (esxi 5.0+),
fast / space,
directory configuration and much more].
Admin panel [
automatic acceptance of Bitcoin, Monero,
generation of win / lin builds with indication of all parameters (processes, services, folders, extensions ...),
bots reporting and detailed statistics on the company’s performance,
automatic distribution and withdrawal of funds,
online chat and many others].
Leak site [
phased publication of target data and many more functionality].
CDN system for data storage [
fast data loading,
storage 6m from the moment of loading].
A Well-Organized Affiliate Network
Prospective affiliates are subject to DarkSide’s rigorous vetting process, which examines the candidate’s ‘work history,’ areas of expertise, and past profits, among other things. To get started, affiliates were required to deposit 20 BTC (at the time, around $300,000 USD).
Over the following months, DarkSide continued to improve its services, while also expanding its affiliate network. By late November 2020, DarkSide launched a more advanced Content Delivery Network (CDN) that allowed their operators to more efficiently store and distribute stolen victim data. Many of their high-value targets found themselves listed on the victim blog, including a number of financial, accounting, and legal firms, as well as technology companies.
Initial access can take many forms depending on the affiliate involved, their needs, and timeline. A majority of the campaigns observed were initiated only after the enterprise had been thoroughly scouted via Cobalt Strike beacon infections. After the initial reconnaissance phase, the operators would deploy the DarkSide ransomware wherever it would cause the greatest disruption.
DarkSide Decryption Tool – Is it Working?
In January 2021, Bitdefender released a DarkSide decryption tool. This tool was also posted to the NoMoreRansom project website. The tool had a reportedly high success rate.
By March, the group announced the launch of the new and improved DarkSide 2.0. The new iteration included many improvements for both the Windows and Linux variants, and files it encrypts can no longer be recovered with that decryption tool. DarkSide 2.0 reportedly encrypts data on disk twice as fast as the original.
Other updated features include:
- Expanded multi-processor support (parallel/simultaneous encryption across volumes)
- EXE and DLL-based payloads
- Updated SALSA20+RSA1024 implementation with “proprietary acceleration”
- New operating modes (Fast / Full / Auto)
- 19 total build settings
- Active account impersonation
- Active Directory support (discovery and traversal)
- New CMD-line parameter support
On the Linux side, DarkSide 2.0 offers the following updates:
- Updated multithreading support
- Updated CHACHA20 + RSA 4096 implementation
- 2 new operating modes (Fast / Space)
- 14 Total build settings
- Support for all major ESXi versions
- NAS support (Synology, OMV)
Along with this expanded feature set, SentinelLabs researchers have seen a shift in the deployment of the DarkSide ransomware, from standard packers like VMProtect and UPX to a custom packer internally referred to as ‘encryptor2.’
A Battle for Territory
With the release of DarkSide 2.0, the group has continued to increase its footprint in the ransomware landscape. Along with their territorial expansion throughout 2021, DarkSide also escalated their ‘pressure campaigns’ on victims to include DDoS attacks alongside the threat of data leakage. They are able to launch L3/L7 DDoS attacks if their victims choose to resist ‘cooperation’.
More recently, DarkSide operators have been attempting to attract more expertise around assessing data and network value, along with seeking others to provide existing access or newer methods of initial access. These efforts are meant to make operations more streamlined and increase efficiency.
New methods and talent areas
The Colonial Pipeline attack is only the latest in a slew of increasingly daring ransomware attacks. The best defense against a severe ransomware attack (and the nightmare that follows) is preparation and prevention. Technology is a huge part of that, but one must not discount user hygiene and education. It is vital to keep end users up to date on what threats are out there and how to spot them. Vigilant users, along with robust preventative controls, are key. Business continuity planning and disaster recovery drills are not fun, but they are critical and necessary to ensure readiness and resilience against these threats.
NovaCare Business Protect Customers Protected
SentinelOne is the flagship EDR tool within TN Team’s NovaCare Business Protect platform. This protective technology would have stopped the Colonial Pipeline attack in its tracks – this tool is fully capable of preventing and detecting the malware and artifacts associated with DarkSide ransomware. We hope that the pipeline starts flowing again soon; our society depends on it to live.
Indicators of Compromise
SHA-1
08d1da979f8d568b62701d7cedf1d0e81b7bab4d
c511ae4d80aaa281c610190aa13630de61ca714c
ff9da8ec309210e2324dbe4a79d416f90de285c0
2269cdc706b412d55749dd7b8a8b7cc14ce83532
06856cab5b85104788d679bbbb75d270a90eabb0
e5b0a0f4a59d6d5377332eece20f8f3df5cebe4e
3ed7c6f0f90e176eeca091ebe8528fba10603d51
62d8735539d102f92a8a30b15a94e242bff3613e
5f1cbc3d99558307bc1250d084fa968521482025
d1dfe82775c1d698dd7861d6dfa1352a74551d35
9d39c0d21b96ebb210fe467ad50604f05543db8e
e6b47869caa776840ab79856b04096152103c71d
666a451867ce40c1bd9442271ef3be424e2d9b17
4bd6437cd1dc77097a7951466531674f80c866c6
e50d9e3bd91908e13a26b3e23edeaf577fb3a095
142ab367d5f83018d30c3d17b9dd87f2e35eba08
2715340f82426f840cf7e460f53a36fc3aad52aa
86ca4973a98072c32db97c9433c16d405e4154ac
7944ae1d281bbeeb6f317e2ececf6b4c83e63a06
a4e2deb65f97f657b50e48707b883ce2b138e787
f90f83c3dbcbe9b5437316a67a8abe6a101ef4c3
483c894ee5786704019873b0fc99080fdf1a0976
7ae73b5e1622049380c9b615ce3b7f636665584b
2fc8514367d4799d90311b1b1f277b3fca5ca731
d3495ac3b708caeceffab59949dbf8a9fa24ccef
7a29a8f5e14da1ce40365849eb59487dbb389d08
1f90eb879580faef3c37e10d0a0345465eebd4ee
88fc623483f7ffe57f986ed10789e6723083fcd8
996567f5e84b7666ff3182699da0de894e7ea662
21145fd2cc8767878edbd7d1900c4c4f926a6d5b
076d0d8d07368ef680aeb0c08f7f2e624c46cbc5
33a6b39fbe8ec45afab14af88fd6fa8e96885bf1
47ee1b6f495db98143f821f9f8dd49448fe607c8
b16a1eb8bc2e5d4ded04bfaa9ee2b861ead143ba
539c228b6b332f5aa523e5ce358c16647d8bbe57
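The hashes above are only useful if they are actually checked against what is on disk. The following is an added example, not code from the post or from TN Team, showing how a responder can sweep a directory tree and match each file's SHA-1 against this IoC list. It embeds a few of the digests from the post (the full list should be loaded from the section above, one digest per line); the `run_demo` function, the temporary directory, and its sample files are constructed for illustration, and the "marker" digest it matches is computed from constructed content so the example runs offline.

```python
"""Sweep a directory tree for files whose SHA-1 appears in a DarkSide IoC list.

Added example: the digests in DARKSIDE_SHA1 are a subset of those published in
the post; everything else here is illustrative and not part of the original.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, Set, Tuple

# Subset of the SHA-1 indicators listed in the post above. Load the complete
# list with load_ioc_list() for a real sweep.
DARKSIDE_SHA1: Set[str] = {
    "08d1da979f8d568b62701d7cedf1d0e81b7bab4d",
    "c511ae4d80aaa281c610190aa13630de61ca714c",
    "ff9da8ec309210e2324dbe4a79d416f90de285c0",
    "2269cdc706b412d55749dd7b8a8b7cc14ce83532",
    "06856cab5b85104788d679bbbb75d270a90eabb0",
}

HEX = set("0123456789abcdef")


def is_valid_sha1(token: str) -> bool:
    """A SHA-1 digest is exactly 40 hex characters; anything else is a typo."""
    return len(token) == 40 and all(c in HEX for c in token)


def load_ioc_list(lines: Iterable[str]) -> Set[str]:
    """Parse one-digest-per-line text: skip blanks and '#' comments, lower-case
    the digest so case differences never cause a missed match, and reject
    malformed entries loudly rather than silently scanning with a broken list."""
    iocs: Set[str] = set()
    for line in lines:
        token = line.strip().lower()
        if not token or token.startswith("#"):
            continue
        if not is_valid_sha1(token):
            raise ValueError(f"not a SHA-1 hex digest: {token!r}")
        iocs.add(token)
    return iocs


def sha1_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-1 so large files do not have to fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: str, iocs: Set[str]) -> Dict[str, str]:
    """Return {path: sha1} for every regular file under root whose digest is in
    iocs. Symlinks are skipped (they could point outside the tree) and unreadable
    files are skipped rather than aborting the whole sweep."""
    hits: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits[path] = digest
    return hits


def run_demo() -> Tuple[Dict[str, str], str, str]:
    """Constructed demo: build a throw-away directory with one 'known' file and
    one clean file. The marker digest is computed from harmless constructed
    content and appended to the IoC set so the match can be shown offline.
    Returns (hits, marker_digest, sample_path)."""
    root = tempfile.mkdtemp(prefix="ioc-demo-")
    sample = os.path.join(root, "sample.bin")
    with open(sample, "wb") as fh:
        fh.write(b"constructed sample content, not a real artifact")
    with open(os.path.join(root, "clean.txt"), "wb") as fh:
        fh.write(b"nothing to see here")
    marker = sha1_of_file(sample)
    # Upper-case on purpose: load_ioc_list() must normalise it.
    iocs = load_ioc_list(sorted(DARKSIDE_SHA1) + [marker.upper()])
    return scan_tree(root, iocs), marker, sample


if __name__ == "__main__":
    hits, marker, sample = run_demo()
    for path, digest in hits.items():
        print(f"MATCH {digest} {path}")
```

For a real sweep, replace `run_demo()` with `scan_tree("/path/to/check", load_ioc_list(open("darkside_sha1.txt")))`. Hash matching only catches the exact samples listed; a repacked build (the post notes DarkSide moved to a custom packer) will have a different digest, so treat a clean sweep as absence of these specific files, not absence of DarkSide.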
MITRE ATT&CK techniques
T1112 Modify Registry
T1012 Query Registry
T1082 System Information Discovery
T1120 Peripheral Device Discovery
T1005 Data from Local System
T1486 Data Encrypted for Impact
T1543.003 Create or Modify System Process: Windows Service
T1490 Inhibit System Recovery
T1553.004 Subvert Trust Controls: Install Root Certificate
T1078 Valid Accounts
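The technique IDs above become actionable once they are tied to telemetry. As an added example (not code from the post or from TN Team), the block below runs a small set of process-creation rules over constructed log lines and groups the resulting technique matches per host, escalating hosts where more than one of the listed techniques appears. The command-line shapes in `RULES` are generic, well-known examples for T1490, T1543.003, T1553.004 and T1112 (shadow-copy deletion, service creation, root-store certificate installation, registry writes), not commands the post attributes to DarkSide; the pipe-delimited log format, host names and users are constructed for the demo.

```python
"""Map process-creation events to the ATT&CK technique IDs listed in the post.

Added example. Log format, hosts and command lines are constructed; the rule
patterns are generic shapes for each technique, not DarkSide-specific.
"""
import re
from typing import Dict, List, NamedTuple


class Rule(NamedTuple):
    technique: str
    name: str
    pattern: "re.Pattern[str]"


# Generic command-line shapes per technique. Tune to your environment: legitimate
# backup and provisioning tools can trigger several of these.
RULES: List[Rule] = [
    Rule("T1490", "Inhibit System Recovery",
         re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    Rule("T1490", "Inhibit System Recovery",
         re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    Rule("T1490", "Inhibit System Recovery",
         re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I)),
    Rule("T1490", "Inhibit System Recovery",
         re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    Rule("T1543.003", "Create or Modify System Process: Windows Service",
         re.compile(r"\bsc(\.exe)?\b\s+create\b", re.I)),
    Rule("T1553.004", "Subvert Trust Controls: Install Root Certificate",
         re.compile(r"\bcertutil(\.exe)?\b.*-addstore\b.*\broot\b", re.I)),
    Rule("T1112", "Modify Registry",
         re.compile(r"\breg(\.exe)?\b\s+add\b", re.I)),
]

# Constructed sample events: timestamp|host|user|image|command line
SAMPLE_EVENTS: List[str] = [
    r"2021-05-10T01:12:03Z|WS-17|corp\jdoe|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    r"2021-05-10T01:12:05Z|WS-17|corp\jdoe|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled no",
    r"2021-05-10T01:12:09Z|WS-17|corp\jdoe|C:\Windows\System32\sc.exe|sc create updsvc binPath= C:\Temp\u.exe start= auto",
    r"2021-05-10T01:30:41Z|WS-22|corp\svc_backup|C:\Windows\System32\reg.exe|reg add HKLM\Software\Contoso /v Mode /t REG_DWORD /d 1 /f",
    r"2021-05-10T01:31:02Z|WS-22|corp\svc_backup|C:\Program Files\Backup\backup.exe|backup.exe --full",
    r"2021-05-10T02:02:17Z|WS-09|corp\admin|C:\Windows\System32\certutil.exe|certutil -addstore Root C:\Temp\ca.cer",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one pipe-delimited event; the command line is the last field and may
    itself contain '|', so split at most four times."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        raise ValueError(f"malformed event: {line!r}")
    ts, host, user, image, cmdline = parts
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def match_techniques(cmdline: str) -> List[str]:
    """Return the sorted, de-duplicated technique IDs whose rules hit this command line."""
    return sorted({r.technique for r in RULES if r.pattern.search(cmdline)})


def triage(lines: List[str]) -> Dict[str, Dict[str, object]]:
    """Group matches per host. A host showing two or more distinct listed
    techniques is rated 'high': recovery inhibition plus persistence on one box
    is the kind of chain that precedes the T1486 encryption stage."""
    hosts: Dict[str, Dict[str, object]] = {}
    for line in lines:
        ev = parse_event(line)
        techs = match_techniques(ev["cmdline"])
        if not techs:
            continue
        entry = hosts.setdefault(ev["host"], {"users": set(), "techniques": set(), "events": 0})
        entry["users"].add(ev["user"])
        entry["techniques"].update(techs)
        entry["events"] += 1
    for entry in hosts.values():
        entry["users"] = sorted(entry["users"])
        entry["techniques"] = sorted(entry["techniques"])
        entry["severity"] = "high" if len(entry["techniques"]) >= 2 else "medium"
    return hosts


if __name__ == "__main__":
    for host, info in triage(SAMPLE_EVENTS).items():
        print(host, info["severity"], info["techniques"], info["events"], "event(s)")
```

In production these rules belong in the EDR or SIEM rather than a script, but the shape is the same: per-event technique tagging, then per-host correlation so that a single noisy `reg add` stays medium while shadow-copy deletion followed by service creation on the same host is escalated.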