Author: Yadu Nadh
TLP: WHITE
1. Executive Summary
On 11 May, the Cybersecurity and Infrastructure Security Agency (CISA) published analytic report AA21-131A,[1] which detailed a ransomware attack on the Colonial Pipeline, an important infrastructure entity in the U.S. In this attack, the threat actor(s) deployed DarkSide ransomware against the pipeline company’s critical IT infrastructure, causing the company to take the precautionary measure of shutting down 5,550 miles of the pipeline, which left fuel stranded on the Gulf Coast.[2]
Although first observed in the wild in August 2020, DarkSide ransomware officially appeared on XSS, a popular Russian-language hacker forum, in November 2020.[3] Infoblox has observed and can confirm this activity since early 2021.
DarkSide is a ransomware-as-a-service (RaaS) offering, in which the threat actors who deploy the ransomware, known as “affiliates,” share a portion of the profits with the developers. Threat actors use DarkSide to encrypt and steal sensitive data, and have been known to target large, high-revenue organizations that can afford to pay large ransoms, rather than hospitals, schools, governments and similar organizations.
Once the DarkSide actors gain access to a victim’s network, they deploy the ransomware to encrypt and exfiltrate sensitive data. The actors then use a double extortion method: they threaten to publicly release the stolen data to pressure the victim into paying the ransom demand, and they demand a further ransom for the digital key needed to decrypt the files.
2. Analysis
DarkSide affiliates have been known to use a variety of strategies to gain initial access to networks, such as brute-force attacks, spam campaigns, credentials purchased from underground forums, or the exploitation of vulnerable software such as Remote Desktop Web (RDWeb), Remote Desktop Protocol (RDP) or Citrix. Actors have also purchased access to popular botnets, including Dridex, Trickbot and Zloader.
The DarkSide attackers establish communication with a command and control (C&C) system using RDP tunneled over the TOR network. As a secondary C&C communication method, the attackers use Cobalt Strike and other post-exploitation tools. Threat actors associated with DarkSide have also been known to use additional tools such as Metasploit, Mimikatz and BloodHound.
DarkSide uses a “living off the land” (LotL) tactic,[4] but researchers at Varonis observed the ransomware also scanning networks, running commands, dumping processes and stealing credentials. It uses Salsa20 encryption together with an RSA-1024 public key to encrypt files on fixed and removable drives, as well as on network devices.[5] The malware also creates custom executables and file extensions specifically to evade signature-based detection mechanisms.
On execution, DarkSide copies itself to the path “%Temp%” and injects its code into an existing process. It dynamically loads its libraries to avoid detection by antivirus (AV) or endpoint detection and response (EDR) solutions, and it stops running if it observes any indication that it is being run in a virtual machine.[6]
3. Prevention and Mitigation
CISA urges critical infrastructure owners and operators to apply the following mitigations to reduce the risk of compromise by ransomware attacks:
- Require multi-factor authentication for remote access to OT and IT networks.
- Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses.
- Update software, including operating systems, applications and firmware on IT network assets in a timely manner.
- Limit access to resources over networks, especially by restricting RDP.
- Set antivirus/antimalware programs to conduct regular scans of IT network assets using up-to-date signatures.
- Monitor and/or block inbound connections originating from TOR exit nodes.
- Deploy signatures to detect and/or block inbound connections from Cobalt Strike.
- Implement and ensure robust network segmentation between IT and OT networks.
- Organize OT assets into logical zones.
- Identify OT and IT network inter-dependencies and develop workarounds or manual controls.
- Implement regular data backup procedures on both the IT and OT networks.
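Two of the behaviors described in the Analysis section (RDP over TOR for C&C, and the ransomware copying itself to %Temp% before injecting into another process) map directly onto the "restrict RDP", "monitor TOR exit nodes" and AV/EDR mitigations above. The following added example, which is not part of the original report or of any Infoblox or CISA tooling, shows simple detection logic for both over constructed sample events; the firewall log format, the process-event fields and the TOR exit-node set are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample firewall log (key=value form is an assumption, not a real vendor format).
FIREWALL_LOG = """\
2021-05-10T03:12:44Z action=allow src=203.0.113.7 dst=10.0.0.5 dport=3389 proto=tcp
2021-05-10T03:13:01Z action=allow src=10.0.0.22 dst=10.0.0.5 dport=3389 proto=tcp
2021-05-10T03:15:09Z action=allow src=198.51.100.40 dst=10.0.0.9 dport=443 proto=tcp
"""

# Placeholder TOR exit-node addresses (assumption: in practice fed from a threat feed).
TOR_EXIT_NODES = {"203.0.113.7", "198.51.100.40"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed process-creation events; the first mimics a binary launched from a user's %Temp%.
PROCESS_EVENTS = [
    {"image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\services.exe"},
]


def parse_fw_line(line):
    """Split one log line into a dict of its key=value fields plus the timestamp."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def rdp_from_tor(log, tor_exits):
    """Return allowed inbound RDP (TCP/3389) events whose external source is a known TOR exit."""
    hits = []
    for line in log.splitlines():
        ev = parse_fw_line(line)
        src = ipaddress.ip_address(ev["src"])
        is_internal = any(src in net for net in INTERNAL_NETS)
        if ev["dport"] == "3389" and not is_internal and ev["src"] in tor_exits:
            hits.append(ev)
    return hits


# %Temp% normally resolves to a user's AppData\Local\Temp or to C:\Windows\Temp (assumption for matching).
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)


def exec_from_temp(events):
    """Flag process creations whose image path lives under a %Temp% directory."""
    return [ev for ev in events if TEMP_RE.search(ev["image"])]
```

In the sample data only the first firewall line (RDP from a listed exit node) and the first process event (an image under Temp) are flagged; the internal RDP session and the HTTPS connection are ignored.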
4. Indicators of Compromise
Endnotes
1. https://us-cert.cisa.gov/ncas/alerts/aa21-131a
2. https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/
3. https://www.intel471.com/blog/darkside-ransomware-colonial-pipeline-attack
4. https://logrhythm.com/blog/what-are-living-off-the-land-attacks/
5. https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
6. https://www.varonis.com/blog/darkside-ransomware/