The recent ransomware intrusion of a major US gasoline pipeline operator was the work of an affiliate of DarkSide, a ransomware-as-a-service ring that has been responsible for at least 60 known cases of double-extortion so far in 2021. DarkSide has struck several high-profile victims recently, including companies listed on the NASDAQ stock exchange. But the disruption of Colonial Pipeline’s network led to the company shutting down its operational technology (OT) network as well—effectively cutting off a majority of the gasoline supply to the eastern United States.
Colonial Pipeline’s shutdown is not the first critical infrastructure issue triggered by a ransomware attack. “Last February, a US-based natural gas facility was shut down for two days by a ransomware intrusion that spread to its OT network. And DarkSide has not avoided these types of companies, either, hitting a Brazilian energy company earlier this year. But the Colonial incident has potentially greater real-world impact—and has apparently made DarkSide’s operators more notorious than they’re comfortable with,” says Ross Anderson, Sophos Product Development Manager at Duxbury Networking.
The Sophos Rapid Response team has been called in for incident response or to intervene during an attack involving DarkSide in at least five different instances in the past year.
DarkSide follows in the footsteps of double-extortion ransomware operators such as REvil, Maze, and LockBit—exfiltrating business data before encrypting it, and threatening public release if the victims do not pay for a decryption key. Like those other targeted operations, DarkSide makes hefty ransom demands. In one case Sophos Rapid Response worked on last year, the ring demanded $4-million (R54.77-million). It went unpaid.
Beyond the business model, DarkSide follows generally the same tactics, techniques, and procedures of many other targeted ransomware campaigns — a mix of native Windows features, commodity malware (including SystemBC), and off-the-shelf system and exploit tools (including Cobalt Strike). This is in part because of DarkSide’s affiliate model.
The creators of DarkSide outsource the initial compromise of targets and deployment of DarkSide’s cryptographic ransomware to network penetration specialists, who hand off ransom victim ‘customer service’ to DarkSide’s core operators. Those affiliates likely have prior experience playing the same role for other ransomware syndicates.
In Sophos’ experience in data forensics and incident response to DarkSide attacks, the initial access to the target’s network came primarily as a result of phished credentials. This is not the only way ransomware attackers can gain a foothold but it seems to be prevalent in cases involving this type of ransomware, possibly as a result of the affiliates’ preferences.
Unlike some other ransomware players, DarkSide is capable of encrypting Linux computers as well as those running Windows, which makes it a more desirable tool for threat actors who want to target large enterprises.
While some recent targeted ransomware operations from other gangs have sprung quickly, launching their attack within days, the actors behind DarkSide campaigns may spend weeks-to-months poking around inside an organisation’s network before activating their ransomware payload.
“Over the course of that dwell time, the intruders exfiltrate as much data as possible. Darkside’s ransom notes claim the theft of large amounts of data, often from several departments within an organisation, such as accounting and R&D. Using PSExec, Remote Desktop connections, and (in the case of Linux servers) SSH to move laterally within the network, the DarkSide actors uploaded archives of stolen files to the cloud storage providers Mega or pCloud in cases Sophos has investigated,” says Anderson.
The DarkSide ransomware performs specific steps to encrypt a document, first appending a unique file extension to the name of every targeted document type before encrypting the file. The malware checks whether the Windows 10 user account under which it is running has administrative privileges; If it does not, the malware attempts to elevate its privileges using the CMSTPLUA technique.
The attackers (likely the same affiliates involved in the initial access) also make an effort to terminate software that, if it was running, might otherwise interfere with the encryption process. “Encrypting every document file type on a hard drive takes time, and if the process gets interrupted mid-way through, some of the unencrypted files could be recovered easily. Renaming the file with a new extension before encrypting it gives an attacker the ability to make it appear as though everything has been encrypted, as the file extension change cuts the ties between the document file type and its associated application,” Anderson explains.
The DarkSide ransomware adversary not only attacks Windows machines, but also deploys ELF binaries (Executable and Link Format) to attack data on Linux machines. The Linux version of the DarkSide ransomware specifically targets VMDK files, which are virtual hard disk drives to be used in virtual machines like VMware and VirtualBox.
“Sophos defends against DarkSide in multiple ways. There are behavioural and dynamic protections, which include the CryptoGuard feature in Intercept X, and both conventional endpoint detections for Windows (Troj/Ransom-GAZ, Troj/PShl-E, VBS/Agent-BGYV) and Linux (Linux/Ransm-J) malicious executables, and next-gen detections for in-memory functions (Mem/DarkSide-A, HPmal/DarkS-A) and behaviors (AMSI/Inject-H, AMSI/PSRans-A, ML/PE-A) on Windows. We suggest that you speak to one of our team about a suitable Sophos solution to protect your company against DarkSide,” says Anderson.