On May 7, 2021, the ransomware attack on the Colonial Pipeline Company, the largest refined-products pipeline in the U.S., came to the public attention. After investigations, the attack was attributed to the DarkSide ransomware group and caused the pipeline operators to shut it down for various reasons. The pipeline carries gasoline and diesel fuel to the U.S. East Coast.
The Colonial Pipeline is the largest pipeline for refined products in the U.S. It transports over 100 million gallons of fuel between the Texas city of Houston and New York Harbor. Being the largest pipeline system for refined oil products in the U.S., it carries about 45% of the fuel consumed on the U.S. East Coast. The pipeline halted operations after it learned of the cyberattack.
After probing the incident, analysts said that the attack’s impact could be minimized by keeping the pipeline shut down for several days. The attack happened to be limited to information systems and does not seem to have infiltrated operational systems.
The DarkSide ransomware attack was first seen at the beginning of August 2020. The attack group demands a ransom in the range of $200,000 to $2,000,000. It mostly targets English-speaking countries and follows the RaaS (ransomware-as-a-service) model, working on both Windows and Linux platforms by using the multithreading technique for faster encryption. DarkSide uses the double extortion method where it takes backup of data for further extortion and encrypts the files for ransom. If the malware fails to encrypt the assets, the exfiltrated data is used for additional extortion. It primarily targets the Domain Controller (DC) in an organization.
The primary tools used by DarkSide are LOLBAS (Living Off The Land Binaries and Scripts) such as cmd, PowerShell, certutil.exe. It is a human-operated ransomware. Before ransomware attacks, it customizes the ransomware based on the company’s network infrastructure.
DarkSide Ransomware and its recent attack analysis:
DarkSide is known to target private midsize organizations from multiple sectors in North America and West Europe.
The threat actors were recently expanding their affiliates network and posted advertisements in hacking forums as below:
The list of organizations targeted by the DarkSide ransomware gang is given below:
Figures 3 and 4 depict DarkSide Leaks from various organizations.
Figure 3: DarkSide Leak of Smile Brands Inc. and carolina-eastern.com
Figure 4: DarkSide Leak of NASDAQ
Technical analysis of Darkside Ransomware:
Researchers at Cyble analyzed the sample of DarkSide malware sample. Following are the findings of our researchers.
The ransomware binary file is loaded into the debugger and unpacked. After the initial loading, the malware searches the $Recyclebin, config.msi, appdata, application data, google, Mozilla, and program files (x86) in the system, as shown in figure 1.
Figure 1 Memorydump showing the strings to search.
The ransomware also looks for important system files having desktop configuration information, and user and boot information. These files contain system information regarding configurations, user accounts and shared services.
Figure 2 Memory dump for additional files.
Figure 2 shows the name of the files that the malware is looking for into the system, such as autorun.inf, boot.ini, bootfont.bin, bootsect.bak, desktop.ini, iconcache.db, ntuser.dat, ntuser.ini, and thumbs.db.
After searching for the files, the malware stops the Volume Shadow Service (VSS). VSS is used for the backup and restoration of system data, as it can write backups in the hard drives or the network shared drives. This service creates checkpoints and shadow copies of the system data as backup. In addition, it helps in restoring the data and system to the previous checkpoint. By stopping this service, the attacker can remove any chance of the backup of the system. Figure 3 shows the registry keys related to the VSS entries deleted by the malware.
Figure 3 VSS service stopped by the malware.
The malware then adds shellBag entries in registries. BagMRU and Bags are the two main entries in the registry, in which BagMRU stores the trees structure of folders in the system, and Bags stores the properties like window size, view mode, and location of the files and folders in the BagMRU. This feature is useful for directory traversal.
Figure 4 ShellBag entries
The malware deletes the VMVSS artifacts as well with the VSS service for disabling the backup services in the virtual environment. VMVSS is the service for the vmware virtualization software, and the VMware Snapshot Provider service is specifically targeted at disrupting the backup and restore service.
Figure 5 ransomware deleting VMVSS services
After stopping the VSS services, the malware creates a custom file extension for every system which is unique to that system only. In the case of our research, the file extension is c******c. This extension is created using the victim’s MachineGuid, which is different from previous attacks that were carried out using Mac address, as shown in figure 6.
Figure 6 Extention and unique id is created
After creating a unique extension, the DarkSide malware starts to encrypt data in the file system and appends the extension after the file name. Both operations are shown in figure 7.
Figure 7 Files are being encrypted
After completing the data encryption process, the DarkSide ransomware creates readme files containing instructions to pay the ransom.
Figure 8 Ransome note is created with instruction
Figure 9 below shows the ransom note dropped by the malware. Threat actors usually create custom ransom notes according to their target victims. In the note below, attackers have shared an Onion link, which is further used to make ransom payments.
Figure 9 Ransom note with tor location.
Additional resources:
The DarkSide Ransomware also contains hardcoded URLs inside its code. These URLs can be used for further infection on the victim’s computer, and these can be seen in the image below:
The ransomware uses an encoded PowerShell command to delete volume shadow copies. On decoding the script, the ransomware checks if it is being executed in a Win32 environment and deletes shadow copies, as shown in the image below.
Like most malware, the DarkSide ransomware is also uses Mutex in order to avoid running multiple instances and encrypt files more than once. The Ransomware dynamically creates a Mutex, which makes it even harder to detect. The creation of the Mutex can be seen in the image below
From historical data as well as current findings, we can assume that attacks by the DarkSide ransomware group are highly sophisticated, with each malware being customized according to its target. The targets of the DarkSide malware group are mid-level B2B organizations, especially located in North America and English-speaking countries.
Organizations should implement the following practices to strengthen the security posture of their organization’s systems.
- Check for instances of standard executables executing with the hash of another process.
- Implement multi-factor authentication (MFA), especially for privileged accounts.
- Use separate administrative accounts on different administration workstations.
- Employ Local Administrator Password Solution (LAPS).
- Allow the least privilege to employees on data access.
- Use MFA to secure Remote Desktop Protocol (RDP) and ”jump boxes” for access.
- Secure your endpoints by deploying and maintaining endpoint defense tools.
- Always keep all software up to date.
- Keep antivirus signatures and engines up to date.
- Avoid adding users to the local administrators’ group unless required.
- Implement a strong password policy and enforce regular password changes.
- Configure a personal firewall on organization workstations to deny unwanted connection requests.
- Deactivate unnecessary services on organization workstations and servers.
Indicators of Compromise from previous attacks:
| File hash | 8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc |
| C&C server IP | 198.54.117[.]200 |
| C&C server IP | 198.54.117[.]198 |
| C&C server IP | 198.54.117[.]199 |
| C&C server IP | 198.54.117[.]197 |
| C&C server IP | temisleyes[.]com |
| C&C server IP | catsdegree[.]com |
MITRE ATT&CK: –
| Lateral Movement | Execution | Persistence | Defense Evasion | Credential Access | Discovery | Command and Control | Impact |
| Taint Shared Content | Command and Scripting Interpreter: PowerShell | Scheduled Task/Job | Deobfuscate/ Decode Files or Information | Credentials from Password Stores | Account Discovery | Command Used Port | Data Encrypted for Impact |
| Masquerading | System Information Discovery | Remote File Copy | Service Stop | ||||
| File and Directory Discovery | Standard Application Layer Protocol | ||||||
| Process Discovery | Ingress Tool Transfer |
About Cyble:
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.
