Author: Avinash Shende
TLP: WHITE
1. Executive Summary
On 8 July, the Cybersecurity and Infrastructure Security Agency (CISA) published a Malware Analysis Report (AR21-189A) on a variant of DarkSide ransomware.1 To date, there is no evidence that the variant has any association with the Colonial Pipeline security breach, which happened on 7 May, and about which Infoblox released a Cyber Threat Advisory on 13 May.2
This Cyber Threat Advisory will summarize the information from CISA on DarkSide’s new variant: a 32-bit dynamic-link library (DLL) named encryptor2[.]dll. This variant can delete Microsoft Volume Shadow copies,3 collect and encrypt files, and exfiltrate system information to its command and control (C&C) server. After encrypting the files, the program creates a bitmap image and sets it as the user’s wallpaper. In the wallpaper, the program stores the details that the victim would need to recover data.
The DarkSide group announced the existence of their ransomware-as-a-service (RaaS) in August 2020. Since then, the group has become known for their professional operations and large ransoms. They provide web chat support to victims, build intricate redundant systems for storing leaked data, and perform financial analysis of targets prior to attacking them. The group has a history of double-extorting their victims: it demands ransom in exchange for 1) deleting the victims’ exfiltrated data and 2) providing the decryption keys that victims need to unlock their infected computers.
2. Analysis
To gain initial access to target organizations, DarkSide performs brute-force attacks and exploits vulnerabilities in Remote Desktop Protocol (RDP). After compromising a target network, DarkSide collects system information (operating system, usernames, hostnames, default language, and more) and sends it to their C&C server.
When encryptor2[.]dll is executed, it invokes the Volume Shadow service (vssvc.exe) to delete any Volume Shadow copies available in the system. Encryptor2[.]dll then collects system information and sends it to the C&C domains baroquetees[.]com and rumahsia[.]com.
This DarkSide variant uses the system GUID to generate a unique eight-character hexadecimal extension, which it appends to every file it encrypts. It contains the hard-coded key _M8607761bf3212d6, which it uses to decrypt an embedded, base64-encoded configuration that controls the ransomware’s execution.
Before launching the encryption module, DarkSide checks for and terminates non-essential processes and services that might be running on the target system. Also, while running, it avoids encrypting certain directories (for example, Program Files, Windows, and AppData) and certain file extensions, namely those of binaries, icons, installer packages and scripts.
After encrypting the files, DarkSide creates a bitmap image in C:\ProgramData and names it after the extension it appended to the encrypted files. The image shows the instructions the victims should follow to recover their files. To display the image as the desktop wallpaper, DarkSide modifies system registry keys. Also, to ensure that the ransom note is automatically displayed after every system reboot, DarkSide drops it in the directories where it encrypted files and in the Startup folder.
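As an added example that is not part of the CISA report or this advisory, the Python script below shows how a responder could look for the two file-system artifacts described above in a host file listing: a cluster of files sharing one eight-character hexadecimal extension, and a bitmap in C:\ProgramData named after that extension. The listing, the five-file threshold and the lowercase-hex extension pattern are assumptions.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# DarkSide appends a GUID-derived, eight-character hexadecimal extension to
# each file it encrypts and drops a bitmap named after that extension in
# C:\ProgramData; both are visible in a plain file listing.
HEX8_EXT = re.compile(r"^[0-9a-f]{8}$")
MIN_FILES = 5          # assumed threshold: fewer matches are treated as noise
PROGRAMDATA = PureWindowsPath(r"C:\ProgramData")

def candidate_extensions(paths):
    """Count files whose final extension is exactly eight hex characters."""
    counts = Counter()
    for p in paths:
        ext = PureWindowsPath(p).suffix.lstrip(".").lower()
        if HEX8_EXT.match(ext):
            counts[ext] += 1
    return {ext: n for ext, n in counts.items() if n >= MIN_FILES}

def matching_wallpaper(paths, ext):
    """Return the path of C:\\ProgramData\\<ext>.bmp if it is in the listing."""
    for p in paths:
        w = PureWindowsPath(p)
        if w.parent == PROGRAMDATA and w.name.lower() == f"{ext}.bmp":
            return str(w)
    return None

def assess(paths):
    """Map each suspected extension to its file count and wallpaper artifact."""
    return {ext: {"count": n, "wallpaper": matching_wallpaper(paths, ext)}
            for ext, n in candidate_extensions(paths).items()}

# Constructed listing from a hypothetical host; these are not real indicators.
SAMPLE = [
    r"C:\Users\alice\Documents\q3.xlsx.4f1b9c2e",
    r"C:\Users\alice\Documents\plan.docx.4f1b9c2e",
    r"C:\Users\alice\Pictures\img1.jpg.4f1b9c2e",
    r"C:\Users\alice\Pictures\img2.jpg.4f1b9c2e",
    r"C:\Shares\finance\ledger.db.4f1b9c2e",
    r"C:\ProgramData\4f1b9c2e.bmp",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\alice\Downloads\cafe1234.txt",   # hex stem, ordinary extension
    r"C:\Users\alice\notes.deadbeef",           # one hex extension, below threshold
]

if __name__ == "__main__":
    for ext, info in assess(SAMPLE).items():
        print(f"suspected DarkSide extension .{ext}: {info['count']} files, "
              f"wallpaper artifact: {info['wallpaper']}")
```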
3. Prevention and Mitigation
CISA recommends the following:
- Maintain up-to-date antivirus signatures and engines, and operating system patches.
- Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Restrict users’ ability to install and run unwanted software applications. Unless required, do not add users to the local administrators group.
- Require that users use strong passwords and change them regularly.
- Exercise caution when opening any email attachment, even those in expected emails from senders that appear familiar.
- On agency workstations, enable personal firewalls configured to deny unsolicited requests for connection.
- Disable unnecessary services on agency workstations and servers.
- Scan for and remove suspicious email attachments. Ensure that a scanned attachment is of its true file type: that is, the attachment’s extension matches the file header.
- Monitor users’ web-browsing habits. Restrict access to sites with unfavorable content.
- Exercise caution when using removable media.
- Scan downloaded software before executing it.
- Maintain situational awareness of the latest threats, and implement appropriate access control lists (ACLs).
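As an added example (not from CISA or Infoblox), the following Python code implements the true-file-type check recommended above by comparing an attachment’s claimed extension with the file type implied by its leading bytes; the magic-byte table is an illustrative subset, and the sample attachments are constructed.

```python
# Magic bytes for common attachment types (assumption: this table is
# illustrative, not exhaustive). Several extensions legitimately share one
# container: .docx/.xlsx/.pptx are ZIP archives, .exe/.dll/.scr are PE files.
MAGIC = {
    b"%PDF-":             {"pdf"},
    b"PK\x03\x04":        {"zip", "docx", "xlsx", "pptx", "jar"},
    b"MZ":                {"exe", "dll", "scr", "com"},
    b"\xd0\xcf\x11\xe0":  {"doc", "xls", "ppt", "msi"},
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"\xff\xd8\xff":      {"jpg", "jpeg"},
    b"GIF8":              {"gif"},
}

def detect_type(header):
    """Return the extensions consistent with the leading bytes, or None if unknown."""
    for magic, exts in MAGIC.items():
        if header.startswith(magic):
            return exts
    return None

def check_attachment(filename, data):
    """Classify an attachment as 'match', 'mismatch' or 'unknown' by comparing
    its claimed extension with the extension(s) implied by its file header."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    implied = detect_type(data[:8])
    if implied is None:
        return "unknown"          # no signature in the table; needs other checks
    return "match" if ext in implied else "mismatch"

def scan(samples):
    """Run the check over (filename, bytes) pairs and return a verdict per name."""
    return {name: check_attachment(name, data) for name, data in samples}

# Constructed samples: a PDF header, a DOCX (ZIP container), a PE executable
# renamed to look like a PDF, and a plain-text file with no magic bytes.
SAMPLES = [
    ("invoice.pdf",   b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("report.docx",   b"PK\x03\x04\x14\x00\x06\x00\x08\x00"),
    ("statement.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("readme.txt",    b"plain text has no magic"),
]

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name}: {verdict}")
```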
4. Indicators of Compromise
Indicator | Description
--- | ---
156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673 | Hash related to DarkSide ransomware4,5
3ba456cafcb31e0710626170c3565aae305bc7c32a948a54f0331d0939e0fe8a | Hash related to DarkSide ransomware4,5
f6fba207c71d1f53f82d96a87c25c4fa3c020dca58d9b8a266137f33597a0b0e | Hash related to DarkSide ransomware4,5
baroquetees[.]com | Associated domain
rumahsia[.]com | Associated domain
176[.]103[.]62[.]217 | Associated IP
99[.]83[.]154[.]118 | Associated IP
Endnotes
1. https://us-cert.cisa.gov/ncas/analysis-reports/ar21-189a
3. https://en.wikipedia.org/wiki/Shadow_Copy
4. https://app.any.run/tasks/17681cfd-dec2-46a9-b09e-fd5377451d5e/