Darkside Ransomware Overview

Darkside Ransomware
Share on linkedin
Share on facebook
Share on twitter
Share on reddit
Share on email
Share on print

TIR-20210307 Overview

This report is an overview of Darkside Ransomware. DarkSide is a Ransomware-as-a-Service (RaaS) which primarily targets Windows systems but also has the ability to target Linux OS variants. A Russian-speaking cybercriminal using the handle ‘darksupp’ has posted several announcements regarding Darkside including an official recruitment for affiliates to participate in the Darkside RaaS affiliate program, a pledge not to attack hospitals, schools, nonprofits or government targets and to only attack businesses who can afford to pay a ransom. The operators guarantee test file decryption, support during the decryption process and deletion of all data upon payment. They also warn that if the ransom is not paid, they will publish the encrypted data for a period of 6 months. This report details the tactics, techniques, and procedures (TTPs), which may vary amongst operators, and mitigation techniques that can be implemented to help protect against Darkside Ransomware.

Darkside Ransomware Tactics, Techniques, and Procedures

On August 8, 2020 the operators of DarkSide initially announced their malware in a press release on the dark web and in November, ‘darksupp’ announced the launch of a recruitment effort for affiliates.

Source: https://www.areteir.com/darkside-ransomware-caviar-taste-on-your-big-game-budget

Since the initial announcement, various Darkside attacks have been investigated and the following statistics have been documented:

Targeted Sectors of Clients: Professional Services and Manufacturing

 – Average Ransom Demand: US $6,527,402.02

 – Average business downtime: 5 days

 – Data exfiltration observed in 100 percent of cases

The attack starts with the reconnaissance phase, in which the attacker makes use of MetaSploit and other Offensive Security Tool (OST) frameworks to locate vulnerabilities in the victim’s network with a goal of establishing initial access into the environment. From here, the investigations show the attackers start to move throughout the environment by obtaining access to privileged accounts such as an Administrator RDP sessions on a Domain Controller or by accessing another privileged account to access a file server, etc.

Once the attacker gains privileged access, they begin harvesting data from the victim’s server before encrypting it. The operators of Darkside ransomware have established a content delivery network (CDN) used to store and deliver compromised data exfiltrated from victims. Once the data is exfiltrated, it is uploaded to servers in their CDN which are used as an extortion tool for the threat group.

After the data has been stolen, DarkSide creates a log file named ‘LOG.{userid}.TXT’, where it writes the step-by-step ransomware’s execution process. This file includes the encryption of files, the deletion of Shadow Volume Copies on the system, termination of various processes, etc.

Source: https://www.acronis.com/en-us/articles/darkside-ransomware/

After the files have been encrypted, DarkSide leaves the ransom note as ‘README.{userid}.TXT’ file. DarkSide customizes the ransomware executable for each company they attack charging different ransoms based on the size of the company, the number of devices encrypted, and the amount of data stolen. 

Source: https://www.acronis.com/en-us/articles/darkside-ransomware/

Business Unit Impact

  • Attackers may encrypt data on the victim’s system or on large numbers of systems in a network to interrupt the availability of system and network resources.
  • Data and sensitive information may lost or destroyed.
  • Sensitive data may be release to the public

Our Recommendations

  • Ensure anti-virus software and associated files are up to date.
  • Keep applications and operating systems running at the current released patch level.
  • Block indicators of compromise from the IOC list at the firewall
  • Ensure users are only downloading software from legitimate vendors.
  • Implement an email security solution to detect and protect against known and unknown threats.
  • Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.
  • Implement multifactor authentication (MFA).
  • Use Group Policy Software Restriction Policies (SRP) to prevent users from executing Windows executable filetypes (e.g., .exe, .dll, .hta, .bat, .scr) from the \AppData\Local\Temp\ path of Office365, Microsoft Word, Excel, and Outlook.

IOC List

  • Visit the following sites for a list of file names, hashes and domains associated with this attack:
    • https://www.areteir.com/darkside-ransomware-caviar-taste-on-your-big-game-budget
    • https://www.acronis.com/en-us/articles/darkside-ransomware/
    • https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/

Sources

Supporting Documentation

  • https://www.areteir.com/darkside-ransomware-caviar-taste-on-your-big-game-budget
  • https://www.acronis.com/en-us/articles/darkside-ransomware/
  • https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/
  • MITRE Mapping(s)
    • https://attack.mitre.org/techniques/T1082/
    • https://attack.mitre.org/techniques/T1057/
    • https://attack.mitre.org/techniques/T1078/
    • https://attack.mitre.org/techniques/T1098/
    • https://attack.mitre.org/techniques/T1059/001/
    • https://attack.mitre.org/techniques/T1569/
    • https://attack.mitre.org/techniques/T1087/
    • https://attack.mitre.org/techniques/T1222/
    • https://attack.mitre.org/techniques/T1486/
    • https://attack.mitre.org/techniques/T1490/
    • https://attack.mitre.org/techniques/T1569/002/
    • https://attack.mitre.org/tactics/TA0010/

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.

Share this:
Share on linkedin
Share on twitter
Share on facebook
Share on reddit
Share on email
Share on print

Sign-up for Weekly Updates