DarkSide ransomware, a relatively novel player in the cyber threat arena, continues to gather news headlines for successful attacks against world-leading vendors. The list of the recent intrusions includes the chemical distribution company Brenntag, which paid adversaries $4.4 million ransom, and Colonial Pipeline, a company providing fuel supply for the US East Coast.
After emerging on Russian-speaking underground forum in August 2020, DarkSide became a popular Ransomware-as-a-Service (RaaS) threat that relies on third-party adversaries for infection and network encryption. In turn, DarkSide developers earn 20-30% of the proceeds in case of a successful attack. Notably, the ransomware maintainers follow strict rules and forbid their affiliates to target companies operating in healthcare, education, NGO, and public sectors. Furthermore, the DarkSide gang strives to play the big game, instructing its partners only to go after prominent businesses.
To add to DarkSide’s notoriety, ransomware maintainers support the recent trend of double extortion. Particularly, hackers not only encrypt sensitive data during the attack but also steal confidential details. As a result, companies are pushed to pay the ransom to prevent data leaks, despite the ability to restore information from backups.
To put maximum pressure on victims, in March 2021, DarkSide operators arranged a dedicated “call service,” allowing hackers to call their targets right from the management panel. Also, DarkSide maintains a data leak site that has advanced media coverage and regular visits. In case the above-mentioned methods are ineffective, since April 2021, DarkSide affiliates have the ability to launch distributed denial-of-service (DDoS) attacks against their targets to push them to pay the ransom.
DarkSide operators usually rely on phishing, remote desktop protocol (RDP) abuse, or known vulnerabilities for initial infection. Additionally, adversaries maliciously leverage legitimate tools to evade detection and obfuscate their activity.
Upon intrusion, attackers perform lateral movement inside the compromised network to gain Domain Controller (DC) or Active Directory access. The goal of this operation is to dump credentials, escalate privileges, and identify other important assets serving for data exfiltration. It is an extra-important phase of the attack, allowing ransomware operators to identify critical corporate data that would be further exfiltrated and used for double-extortion.
The next step in the attack kill chain is DarkSide ransomware execution. Threat actors typically use Certutil and Bitsadmin tools to download the ransomware. The encryption methods vary depending on the targeted operating system. In the case of Linux, adversaries apply a ChaCha20 stream cipher with RSA-4096. And for Windows devices Salsa20 with RSA-1024 is used. After encryption, ransomware leverages the Powershell command to delete shadow copies from the network and drops a ransom note.
DarkSide maintainers choose their victims by analyzing the companies’ financial records and picking up the most profitable ones. This information also helps hackers in determining the amount of ransom to extort, with typical figures varying between $200,000 and $2 million. According to the research from Trend Micro, DarkSide operators have targeted more than 40 major organizations, mostly located in the US, France, and Belgium. Notably, DarkSide avoids targeting companies in CIS countries.
On May 7, 2021, DarkSide successfully targeted the Colonial Pipeline, forcing part of its infrastructure to shut down. The incident heavily affected the US East Cost supplies, causing significant gasoline, diesel, home heating, and other shortages in 18 states. The FBI confirmed DarkSide’s responsibility for this attack and suggested with a high level of confidence that adversaries are of Eastern European origin. Also, on May 14, 2021, DarkSide successfully hit Brenntag chemicals distributor and forced it to pay a $4.4 million ransom for data restoration.
To protect your company infrastructure from DarkSide infections, you can download a set of Sigma rules developed by the SOC Prime Team in cooperation with our seasoned Threat Bounty developers.
Possible DarkSide Ransomware Execution Patterns (via cmdline)
Possible Powershell Obfuscation Indicators (via cmdline)
Also, we recommend you inspect an insightful article on the DarkSide overview provided by our Threat Bounty member, Emanuele De Lucia. The article contains valuable details on ransomware detection alongside the description of existing detection content.
Subscribe to Threat Detection Marketplace, a world-leading Detection as Code platform allowing security practitioners to boost their cyber defense operations. SOC Prime’s library aggregates over 100K queries, parsers, SOC-ready dashboards, YARA and Snort rules, Machine Learning models, and Incident Response Playbooks tailored to 23 market-leading SIEM, EDR, and NTDR technologies. Want to participate in threat hunting initiatives? Join our Threat Bounty program for a safer future!