The recent campaign targeting the Colonial Pipeline in the United States is a sobering example of the extent to which cybersecurity – specifically ransomware – threatens everyday life. There is a lot more to this than encrypted or stolen data. It’s hard to understand the economic reverberations of a disruptive attack on critical infrastructure, whether for financial gain or otherwise. With the pipeline being proactively shut down as of Sunday, May 9th, there are concerns around how this outage will affect ongoing fuel prices and for how long. How the coming weeks and months play out may serve as a template for predicting impact and risk associated with similar attacks that will inevitably follow.
SentinelOne detects and protects against DarkSide ransomware. No action is required for our customers.
In this post, we discuss the evolution of the DarkSide malware and affiliate networks, including the evolution of their feature sets and recruitment areas.
Who is DarkSide?
The attack on the Colonial Pipeline has been attributed to DarkSide, a relatively new ransomware family that emerged on the crimeware market in November 2020.
DarkSide launched as a RaaS (Ransomware-as-a-Service) with the stated goal of only targeting ‘large corporations.’ They are primarily focused on recruiting Russian (CIS) affiliates, and are very skeptical of partnerships or interactions outside of that region. From the onset, DarkSide was focused on choosing the ‘right’ targets and identifying their most valuable data. This speaks to their efficiency and discernment when choosing where to focus their efforts. From their inception, DarkSide claimed they’d avoid attacking the medical, educational, non-profit, or government sectors.
At the time of launch, the features offered by DarkSide were fairly standard. They emphasized their speed of encryption and a wealth of options for dealing with anything that may inhibit the encryption process (i.e.: security software). They also advertised a Linux variant with comparable features. Following in the footsteps of recently successful ransomware families like Maze and Cl0p, DarkSide established a victim data leaks blog as further leverage to encourage ransom payouts.
The original DarkSide 1.0 Feature set was advertised as follows:
Windows [full ASM, salsa20 + rsa 1024, i / o, own implementation of salsa and rsa, fast / auto (improved space) / full, token impersonalization for working with balls, slave table, freeing busy files, changing file permissions, arp scanner, process termination, service termination, drag-and-drop and much more]. Linux [C ++, chacha20 + rsa 4096, multithreading (including Hyper-threading, analog of i / o on windows), support for truncated OS assemblies (esxi 5.0+), fast / space, directory configuration and much more]. Admin panel [full ajax, automatic acceptance of Bitcoin, Monero, generation of win / lin builds with indication of all parameters (processes, services, folders, extensions ...), bots reporting and detailed statistics on the company’s performance, automatic distribution and withdrawal of funds, sub -accounts, online chat and many others]. Leak site [hidden posts, phased publication of target data and many more functionality]. CDN system for data storage [Receiving quotas, fast data loading, storage 6m from the moment of loading].
A Well-Organized Affiliate Network
Hopeful affiliates are subject to DarkSide’s rigorous vetting process, which examines the candidate’s ‘work history,’ areas of expertise, and past profits among other things. To get started, affiliates were required to deposit 20 BTC (at the time, that amounted to around $300,000 USD).
Over the following months, DarkSide continued to improve its services, while also expanding its affiliate network. By late November 2020, DarkSide launched a more advanced Content Delivery Network (CDN) that allowed their operators to more efficiently store and distribute stolen victim data. Many of their high-value targets found themselves listed on the victim blog, including a number of financial, accounting, and legal firms, as well as technology companies.
Initial access can take many forms depending on the affiliate involved, their needs, and timeline. A majority of the campaigns observed were initiated only after the enterprise had been thoroughly scouted via Cobalt Strike beacon infections. After the initial reconnaissance phase, the operators would deploy the DarkSide ransomware wherever it would cause the greatest disruption.
DarkSide Decryption Tool – Is it Working?
In January 2021, Bitdefender released a DarkSide decryption tool. This tool was also posted to the NoMoreRansom project website. The tool had a reportedly high success rate.
By March, the group announced the launch of the new and improved DarkSide 2.0. The new iteration included many improvements for both their Windows and Linux variants and is no longer subject to the decryption tool. DarkSide 2.0 reportedly encrypts data on disk twice as fast as the original.
Other updated features include:
- Expanded multi-processor support (parallel/simultaneous encryption across volumes)
- EXE and DLL-based payloads
- Updated SALSA20+RSA1024 implementation with “proprietary acceleration”
- New operating modes (Fast / Full / Auto)
- 19 total build settings
- Active account impersonation
- Active Directory support (discovery and traversal)
- New CMD-line parameter support
On the Linux side, DarkSide 2.0 offers the following updates:
- Updated multithreading support
- Updated CHACHA20 + RSA 4096 implementation
- 2 new operating modes (Fast / Space)
- 14 Total build settings
- Support for all major ESXi versions
- NAS support (Synology, OMV)
Along with this expanded feature set, SentinelLabs researchers have seen a shift in the deployment of the DarkSide ransomware, from standard packers like VMProtect and UPX to a custom packer internally referred to as ‘encryptor2.’
A Battle for Territory
With the release of DarkSide 2.0, the group has continued to increase its footprint in the Ransomware landscape. Along with their territorial expansion throughout 2021, DarkSide also increased their ‘pressure campaigns’ on victims to include DDoS attacks along with the threat of data leakage/loss. They are able to invoke L3/L7 DDoS attacks if their victims choose to resist ‘cooperation’.
More recently, DarkSide operators have been attempting to attract more expertise around assessing data and network value, along with seeking others to provide existing access or newer methods of initial access. These efforts are meant to make operations more streamlined and increase efficiency.
The Colonial Pipeline attack is only the latest in a slew of increasingly daring ransomware attacks. The absolute best defense against a severe ransomware attack (and the nightmare that follows) is preparation and prevention. Technology is a huge part of that, but one must not discount user hygiene and education. Keep end users up to date on what threats are out there and how to spot them. Vigilant users, along with robust preventative controls are key. Business continuity planning and disaster recovery drills are not fun, but they are critical and necessary to ensure readiness and resilience against these threats.
The SentinelOne platform is fully capable of preventing and detecting the malware and artifacts associated with DarkSide ransomware. We hope that the pipeline starts flowing again soon; our society depends on it to live.
How SentinelOne Mitigates
b9d60d450664c1e8fbfd6b2ec58fdeb2fd81797e183906a4536b59bc4f79846f 0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9 b09cb9d531931fb4725b0e49d85bb81cfc2691ce19ff3567ca0f7b44af6594a1 ca77f63a08f4e01e7e7294695eb300610e65f22333256d547d0125075bed2cc8 6184e4c8915a3924a9a12e26c42cffef35a1d1380a8c0a236ef65df71b20c217 7375adedb82fd62cefc6b6fd20a704a164e056022f3b8c2e1b94f3a9b8361478 f7eda7111ac0f95dfbd817bd0962defe35412de12964f178421122e96c72495b b43bde75780244aeee719ae926c1f901291574c9400b5e6d0c2fdc135d0c6fe5 2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32 9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297 459d655c416cc429a7661c0dddc3826a6b34cce0c662ccd8db735934858aa010 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7 bafa2efff234303166d663f967037dae43701e7d63d914efc8c894b3e5be9408 48a848bc9e0f126b41e5ca196707412c7c40087404c0c8ed70e5cee4a418203a 3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef b1c7872598053eb2fd07b0eabe223cbccef2edd2e403255b5ab8646e32124862 156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673 4d9432e8a0ceb64c34b13d550251b8d9478ca784e50105dc0d729490fb861d1a 61ca175c2f04cb5279f8507e69385577cf04e4e896a01d0b5357746a241c7846 bfb31c96f9e6285f5bb60433f2e45898b8a7183a2591157dc1d766be16c29893 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210 2dcac9f48c3989619e0abd200beaae901852f751c239006886ac3ec56d89e3ef 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60 12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975 5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7 78782fd324bc98a57274bd3fff8f756217c011484ebf6b614060115a699ee134 dc4b8dfff72ff08ec4daa8db4c096a350a9a1bf5434ba7796ab10ec1322ac38c 8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc 4edb883d1ac97824ee42d9f92917cc84b52995abcd17b2852a7e3d5bb567ffbe e9417cb1baec2826e3f5a6f64ade26c1374d74d8aa41bfabd29ea20ea5894b14 fb76b4a667c6d790c39fcc93a3aac8cd2a224f0eb9ece4ecfd7825f606c2a8b6 36bc32becf287402bf0e9c918de22d886a74c501a33aa08dcb9be2f222fa6e24 2aa1bbbe47f04627a8ea4e8718ad21f0d50adf6a32ba4e6133ee46ce2cd13780 7d57e0ba8b36ec221b16807ce4e13a1125d53922fa50c3827a5ebd6811736ffd e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173
08d1da979f8d568b62701d7cedf1d0e81b7bab4d c511ae4d80aaa281c610190aa13630de61ca714c ff9da8ec309210e2324dbe4a79d416f90de285c0 2269cdc706b412d55749dd7b8a8b7cc14ce83532 06856cab5b85104788d679bbbb75d270a90eabb0 e5b0a0f4a59d6d5377332eece20f8f3df5cebe4e 3ed7c6f0f90e176eeca091ebe8528fba10603d51 62d8735539d102f92a8a30b15a94e242bff3613e 5f1cbc3d99558307bc1250d084fa968521482025 d1dfe82775c1d698dd7861d6dfa1352a74551d35 9d39c0d21b96ebb210fe467ad50604f05543db8e e6b47869caa776840ab79856b04096152103c71d 666a451867ce40c1bd9442271ef3be424e2d9b17 4bd6437cd1dc77097a7951466531674f80c866c6 e50d9e3bd91908e13a26b3e23edeaf577fb3a095 142ab367d5f83018d30c3d17b9dd87f2e35eba08 2715340f82426f840cf7e460f53a36fc3aad52aa 86ca4973a98072c32db97c9433c16d405e4154ac 7944ae1d281bbeeb6f317e2ececf6b4c83e63a06 a4e2deb65f97f657b50e48707b883ce2b138e787 f90f83c3dbcbe9b5437316a67a8abe6a101ef4c3 483c894ee5786704019873b0fc99080fdf1a0976 7ae73b5e1622049380c9b615ce3b7f636665584b 2fc8514367d4799d90311b1b1f277b3fca5ca731 d3495ac3b708caeceffab59949dbf8a9fa24ccef 7a29a8f5e14da1ce40365849eb59487dbb389d08 1f90eb879580faef3c37e10d0a0345465eebd4ee 88fc623483f7ffe57f986ed10789e6723083fcd8 996567f5e84b7666ff3182699da0de894e7ea662 21145fd2cc8767878edbd7d1900c4c4f926a6d5b 076d0d8d07368ef680aeb0c08f7f2e624c46cbc5 33a6b39fbe8ec45afab14af88fd6fa8e96885bf1 47ee1b6f495db98143f821f9f8dd49448fe607c8 b16a1eb8bc2e5d4ded04bfaa9ee2b861ead143ba 539c228b6b332f5aa523e5ce358c16647d8bbe57
T1112 Modify Registry
T1012 Query Registry
T1082 System Information Discovery
T1120 Peripheral Device Discovery
T1005 Data from Local System
T1486 Data Encrypted for Impact
T1543.003 Create or Modify System Process: Windows Service
T1490 Inhibit System Recovery
T1553.004 Subvert Trust Controls: Install Root Certificate
T1078 Valid Accounts
Read more about Cyber Security
- XDR Data Retention | Making Sure Your XDR Platform Outlasts Your Adversaries
- The Hunt For The Right Security Solution
- Relaying Potatoes: Another Unexpected Privilege Escalation Vulnerability in Windows
- Understanding Ransomware in the Enterprise – SentinelOne
- MITRE ATT&CK Engenuity: AI & Big Data Powered EDR > Human Powered Products
- MITRE Mania: Your Guide to Understanding Vendor Positioning and Why It All Matters
- Why XDR Vendors Must Build, Buy, and Partner
- Singularity XDR: One Platform to Revolutionize XDR
- Feature Spotlight: Announcing Native Support for Apple M1
- Six Steps to Successful and Efficient Threat Hunting
– Read More – SentinelOne