Darkside: Analysis of a Large-Scale Data Theft Campaign
About Darkside, inc.
The Darkside ransomware group announced their RaaS (Ransomware-as-a-Service) in a “press release.” Since then, they have become known for their professional operations and large ransoms. They provide web chat support to victims, build intricate data leak storage systems with redundancy, and perform financial analysis of victims prior to attacking.
The group’s name, Darkside, evokes the image of a good guy (or gal) that has turned from the light. While we can’t conclude that the group is comprised of former IT security professionals, their attacks reveal a deep knowledge of their victims’ infrastructure, security technologies, and weaknesses.
They have publicly stated that they prefer not to attack hospitals, schools, non-profits, and governments, but rather big organizations that can afford to pay large ransoms.
Darkside’s malware will check device language settings to ensure they don’t attack Russia-based organizations. They have also answered questions on Q&A forums in Russian and are actively recruiting Russian-speaking partners.
The group has both Windows and Linux toolsets. Much like NetWalker and REvil, Darkside has an affiliate program that offers anyone who helps spread their malware 10-25% of the payout.
After gaining initial access to the pipeline company’s network, Darkside actors deployed Darkside ransomware against the company’s IT network. In response to the cyberattack, the company proactively disconnected certain OT systems to ensure the safety of the OT systems. At this time, there are no indications that the threat actor moved laterally to OT systems.
Darkside is ransomware-as-a-service (RaaS). The Darkside group develops ransomware used by cybercriminal actors and receives a share of the proceeds. According to open-source reporting, since August 2020, Darkside actors have been targeting multiple large, high-revenue organizations, resulting in the encryption and theft of sensitive data. The Darkside group has publicly stated that they prefer to target organizations that can afford to pay large ransoms instead of hospitals, schools, non-profits, and governments.
The SonicWall Capture Labs threat research team has observed a new family of ransomware called Darkside. The operators of this ransomware primarily target large corporations. Recently, a Canadian land developer and home builder, Brookfield Residential, was hit with Darkside ransomware. In this case, the operators not only encrypted data but also stole it and threatened to publish the company’s data online if it does not pay up.
Darkside has been around since early August, and its operators have been launching multiple customized attacks against known high-revenue companies. The operators charge between $200,000 and $2M for file decryption. It has been reported that the operators have already obtained over $1M since the start of their campaign.
Anatomy of an Attack
The Darkside ransomware attack campaigns stood out for their use of stealthy techniques, especially in the early stages. The group performed careful reconnaissance and took steps to ensure that their attack tools and techniques would evade detection on monitored devices and endpoints.
While their initial entry vectors vary, their techniques are more standardized once inside, and their endgame is coldly efficient.
Stealth tactics include:
- Command and control over TOR
- Avoiding nodes where EDR is running
- Waiting periods and saving noisier actions for later stages
- Customized code and connection hosts for each victim
- Obfuscation techniques like encoding and dynamic library loading
- Anti-forensics techniques like deleting log files
During the later stages of their attack sequence, they:
- Harvest credentials stored in files, in memory, and on domain controllers
- Utilize file shares to distribute attack tools and store file archives
- Relax permissions on file shares for easy harvesting
- Delete backups, including shadow copies
- Deploy customized ransomware
Initial Access: Finding the Weak Link
Darkside ransomware gained initial entry through weak links – remotely exploitable accounts and systems.
We observed Darkside use compromised contractor accounts to access Virtual Desktop Infrastructure (VDI) that had been put in place to facilitate remote access during the pandemic. The contractor accounts, though, did not require MFA.
We also observed them exploit servers, and then quickly deploy an additional RDP that would preserve access should the vulnerable server be patched.
While neither of these vectors is novel, they should serve as a warning that sophisticated threat actors are easily bypassing perimeter defenses. They illustrate the need for multi-factor authentication on all internet-facing accounts and rapid patching of internet-facing systems.
Command and Control
The Darkside ransomware attackers established command and control primarily with an RDP client running over port 443, routed through TOR. After installing a Tor browser, they modified its configuration to run as a persistent service, redirecting traffic sent to a local (dynamic) port through TOR via HTTPS over port 443, so it would be indistinguishable from normal web traffic. These connections were persistent, so the attackers could establish RDP sessions to and through the compromised hosts, facilitating lateral movement.
We found traces of TOR clients across many servers and observed dozens of active TOR connections.
The attackers used Cobalt Strike as a secondary command and control mechanism. We observed dozens of customized stagers that downloaded customized beacons that connected to specific servers. The stagers (named file.exe) were deployed remotely on specific targeted devices using WinRM, each one configured differently. The Cobalt Strike stagers established connections to a dedicated C2 server to download the Cobalt Strike Beacon.
Threat actors commonly use only a few C2 servers per victim, but Darkside configured each beacon to connect to a different C2 server with a different user agent. This would indicate that Darkside operates a large, well-established attack infrastructure.
The stagers and TOR executables were stored in network shares for easy distribution. The actors avoided installing backdoors on systems monitored by EDR solutions.
Detection of the beacon being downloaded into a compromised server
The threat actors logged into the Virtual Desktop environment with many accounts, sometimes concurrently. Each time the threat actor logged on, .lnk files were created in the compromised user’s home folders. The .lnk file activity helped determine which accounts and VDI environments had been compromised and when each account was used in the attack.
Recon and Credential Harvesting
The Darkside actors are known for living off the land (LotL), but we also observed them scanning networks, running commands, dumping processes, and stealing credentials. Like the command and control code, the attack tools were executed on hosts that had minimal detection and blocking capabilities. Well-known tools included advanced_ip_scanner.exe, psexec, Mimikatz, and more.
From the initial set of compromised hosts, the attacker used ticket requests and NTLM connections to gain access to additional systems and accounts. After a waiting period, the actor used an Active Directory reconnaissance tool (ADRecon.ps1) to gather additional information about users, groups, and privileges, storing the results in a file called DC.txt. Each of their attack tools was deleted after use. The attacker temporarily stored the recon results and credential information on a very active Windows server. Interesting file names written and deleted on the server included: Typed_history.zip, Appdata.zip, IE_Passwords.zip, AD_intel, and ProcessExplorer.zip.
In addition to credential harvesting, the attacker mined credentials from User profile folders, including:
- Users\<user name>\Appdata\[Roaming|Local]\Microsoft\[Credentials|Vault] (both the Roaming and Local paths)
- Users\<user name>\Appdata\Roaming\Mozilla\Firefox\Profiles
- Users\<user name>\Appdata\Local\Google\Chrome
The threat actor used Invoke-mimikatXz.ps1 to extract credentials from unmonitored servers and stored them in a file called “dump.txt.” This operation was performed on a high-value target with minimal detection capabilities. They also used a PowerShell script to bypass the execution policy and change admin credentials inside the registry.
Once the attacker obtained domain admin credentials, they accessed domain controllers. In later stages they performed the well-known DCSync attack, where the attacker pretends to be a legitimate domain controller and utilizes the Directory Replication Service to replicate AD information, gaining access to password data for the entire domain, including the KRBTGT hash.
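A DCSync request shows up on the domain controller as a Security event 4662 in which a non-DC account exercises the directory replication control-access rights. The following Python is an added example (not code from the original article or the analysts it cites) that flags such records; the GUIDs are the well-known replication rights, and the event layout and sample records are constructed for illustration:

```python
# Added example: flag DCSync-style replication requests in Windows Security event
# ID 4662 records. A legitimate domain controller replicates with its machine
# account; any other account exercising the replication control-access rights is
# suspicious. The event layout and sample records below are constructed.
from dataclasses import dataclass

# Control-access right GUIDs exercised by a DCSync request:
# DS-Replication-Get-Changes, -Get-Changes-All, -Get-Changes-In-Filtered-Set.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "89e95b76-444d-4c62-991a-0facbeda640c",
}

@dataclass(frozen=True)
class Event4662:
    subject_user: str   # account that performed the operation
    object_type: str    # e.g. "domainDNS" for a replication request on the domain
    properties: str     # raw "Properties" field: access-right GUIDs in braces
    source_host: str    # domain controller that logged the event

def is_dc_account(user: str, dc_names: set) -> bool:
    """Machine accounts end in '$'; compare the host part against known DC names."""
    return user.endswith("$") and user[:-1].upper() in {d.upper() for d in dc_names}

def replication_guids(properties: str) -> set:
    """Extract the replication-right GUIDs present in the free-text Properties field."""
    return {tok.strip("{}").lower() for tok in properties.split()} & REPLICATION_RIGHTS

def detect_dcsync(events, dc_names):
    """Return (subject_user, source_host, matched_guids) for each suspicious event."""
    alerts = []
    for ev in events:
        guids = replication_guids(ev.properties)
        if guids and ev.object_type == "domainDNS" and not is_dc_account(ev.subject_user, dc_names):
            alerts.append((ev.subject_user, ev.source_host, guids))
    return alerts

# Constructed sample: normal replication by DC02$, a replication request by a user
# account (what a DCSync run from a compromised host looks like), and an unrelated
# 4662 on a user object with a placeholder GUID.
SAMPLE_EVENTS = [
    Event4662("DC02$", "domainDNS", "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}", "DC01"),
    Event4662("jsmith", "domainDNS", "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}", "DC01"),
    Event4662("jsmith", "user", "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}", "DC01"),
]

if __name__ == "__main__":
    for user, host, guids in detect_dcsync(SAMPLE_EVENTS, {"DC01", "DC02"}):
        print(f"possible DCSync: {user} on {host} exercised {sorted(guids)}")
```

Auditing of directory service access (the policy that produces 4662) must be enabled on the domain controllers for this to see anything.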
Data Collection and Staging
The active Windows server also served as a hub to store data before exfiltration. Data was mined from hundreds of servers with a batch routine (dump.bat) located in \Desktop\Dump, writing files to the same location and compressing them into 7zip archives with a simple naming convention (*.7z.-.).
Although they had accumulated elevated privileges, we observed the attacker relax the permissions on file systems, opening them up so that they could access the files with any domain user account. The batch file, target data, and the archives were deleted by the attackers within hours of collection.
Darkside doesn’t deploy ransomware until they’ve mapped the environment, exfiltrated interesting data, gained control of privileged accounts, and identified all backup systems, servers, and applications. We observed several connections to primary backup repositories using compromised service accounts shortly before encryption. By holding off on the encryption phase of the attack, they put themselves in a position to maximize damage and profit.
The ransomware code is delivered through established backdoors (TOR-RDP or Cobalt Strike) and is customized for each victim. The payload includes the executable, a unique extension, and a unique victim ID that allows the victim to access Darkside’s website and make payment.
By using unique executables and extensions, the ransomware easily evades signature-based detection mechanisms. Darkside also provides customized ransomware to other threat actors (Ransomware as a Service) and takes a part of the profit in successful attacks.
One version of the customized code was named “Homie.exe.” In addition to being customized, we found it also uses anti-forensics and anti-debugging techniques, such as self-injection, virtual machine detection, and dynamic library loading. It also deletes shadow copies on victim devices.
Darkside Ransomware Stage 1 – Self Injection
On execution, the malware copies itself to the path “C:\Users\admin\AppData\Local\Temp\” and injects its code into the existing process with a CMD command.
If the malware finds indications that it is being debugged or run in a VM, it immediately stops.
To avoid detection by AV and EDR solutions, the ransomware dynamically loads its libraries, without registering them in its imports section.
Only three libraries are imported, which indicates that the other library names are resolved dynamically during the malware’s run instead of being explicitly imported.
Ransomware Stage 2 – Deletion of Shadow Copies
Using an obfuscated PowerShell command, the malware attempts to delete the shadow copies on the victim device. Figure: the obfuscated command shown alongside its de-obfuscated form.
Ransomware Stage 3 – Encryption of Files
After the deletion of the shadow copies, the malware first closes specific processes to avoid locked files that can delay encryption, and then begins its encryption routine.
List of processes:
During encryption, the malware appends an 8-character string to the end of the encrypted file names.
- Darkside ransomware avoids encrypting files with the following extensions:
- It creates the ransom instructions (“README…txt”) to contact the ransomware creator for decryption.
DarkSide ransomware is creating a secure data leak service in Iran
The DarkSide Ransomware operation claims they are creating a distributed storage system in Iran to store and leak data stolen from victims. To show they mean business, the ransomware gang has deposited $320 thousand on a hacker forum.
DarkSide is run as a Ransomware-as-a-Service (RaaS) where developers are in charge of programming the ransomware software and payment site, and affiliates are recruited to hack businesses and encrypt their devices.
As part of this arrangement, the DarkSide ransomware developers receive a 10-25% cut, and an affiliate gets 75-90% of any ransom payments they generate. DarkSide is a private operation; hackers who want to distribute their ransomware must first apply for access.
Distributed storage system to leak data
A cybersecurity intelligence firm shared a new topic posted by the DarkSide Ransomware operators on a Russian-speaking hacker forum. DarkSide has stated that they are working on a distributed storage system to store and leak victims' stolen data. Since late 2019, ransomware operations have been actively performing a double-extortion strategy of stealing unencrypted data and then encrypting the victim's computers. The encrypted files and the threat to publicly release data on ransomware data leak sites are used to extort victims into paying the ransom.
To disrupt these extortion demands, law enforcement and cybersecurity firms actively try to take down these data leak sites. To prevent this, DarkSide states that they plan to create a distributed "sustainable storage system" to host the victims' stolen data for six months. "Some targets think that if a lot of data has been downloaded from them, then after their publication, hackers and other people will download it for a long time through the TOR," the post reads. DarkSide claims they are already working on a sustainable storage system for victim data: "All your data will be replicated between multiple servers, blocking one server won't delete data. Those companies that have already been published will be uploaded there, their data will be guaranteed to be stored for 6 months. So you can download their data much faster."
"They specifically use servers in a country like IRAN or unrecognized republics so that you cannot block them, and an automatic system will determine the availability and give you a suitable download link," the DarkSide operators stated.
They state that all the stolen data will be replicated between the various servers, so if one server is taken down, the data could still be accessed from the others.
DarkSide deposits $320 thousand on a hacker forum
As part of this same forum topic, the DarkSide operation announced that they were looking for new Russian affiliates to join their program, who they claim earn an average of $400k per victim. As part of this recruitment drive, affiliates must pass an interview and answer any questions the developers have about their level of experience. "Pass an interview, show your work and payments, answer the necessary questions," the DarkSide developers wrote. Unlike other ransomware operations, such as Ryuk, Egregor, and others, DarkSide states that they do not allow attacks on:
- Medicine (hospitals, hospices).
- Education (schools, universities).
- Non-profit organizations.
- Government sector.
It is too soon to tell if DarkSide will keep its promises about not targeting these organizations.
In addition to recruiting affiliates, DarkSide states that they are willing to pay $400K to hackers with access to large companies in the USA that can be encrypted. To back up their claims, the DarkSide gang deposited 20 bitcoins on the forum, which is worth approximately $320 thousand at today's values.
How to Prepare for Threat Actors in 2022
Find and fix the weak links before attackers do
Any internet-facing account that doesn’t require MFA is a brute-force attack away from a compromise. Any unpatched internet-facing server is an exploit away from script-kiddie payday.
Assume breach and fix weak links inside
Threat actors look for quick ways to obtain domain admin credentials. Service or admin accounts with SPNs that also have weak encryption, or worse still, privileged accounts with weak or no password requirements, are too easy targets.
In too many organizations, attackers don’t even need elevated credentials to harvest data – the average employee has access to far more data than they require. Lock down sensitive data so that only the right accounts have access, and then monitor file systems for unusual access and change events.
More lights, please, especially on stuff that matters
Organizations with comprehensive monitoring solutions detect and investigate attacks like these more quickly. If you have blind spots on core data stores, in Active Directory, DNS, remote access systems, or in web connections, you’ll struggle to determine which systems were compromised and whether sensitive data was stolen.
If you detect a breach, let Active Directory triangulate the blast radius
Active Directory events can help you quickly identify compromised accounts and devices. Instead of focusing on one endpoint at a time, once one compromised account or system has been identified, query Active Directory for signs of lateral movement by that account or accounts used on that system.
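One way to do this triangulation, as an added example rather than code from the original article: walk Windows logon events (ID 4624) from a known-compromised account to the hosts it reached, then to the other accounts seen on those hosts, and repeat. The key=value log layout and the sample lines are constructed for illustration:

```python
# Added example: estimate the blast radius of one compromised account from
# Windows logon events (ID 4624) by alternating account -> host -> account
# pivots. The log format and sample lines below are constructed.
from collections import defaultdict, deque

# Logon types that indicate a human or remote tool using the host rather than
# background service activity: 2 interactive, 3 network, 10 RemoteInteractive (RDP).
PIVOT_LOGON_TYPES = {"2", "3", "10"}

def parse_4624(lines):
    """Parse constructed 'key=value' lines into (account, host, logon_type) tuples, 4624 only."""
    events = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("EventID") == "4624":
            events.append((fields["TargetUserName"].lower(), fields["Computer"].lower(), fields["LogonType"]))
    return events

def blast_radius(events, seed_account, max_depth=3):
    """Breadth-first expansion over the account/host graph built from logon events.
    Returns (accounts, hosts) reachable from the seed within max_depth pivots.
    Machine accounts (ending in '$') are skipped so that DC replication and
    computer logons do not connect every host to every other host."""
    by_account, by_host = defaultdict(set), defaultdict(set)
    for account, host, logon_type in events:
        if logon_type in PIVOT_LOGON_TYPES and not account.endswith("$"):
            by_account[account].add(host)
            by_host[host].add(account)
    accounts, hosts = {seed_account.lower()}, set()
    queue = deque([(seed_account.lower(), 0)])
    while queue:
        account, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for host in by_account[account]:
            hosts.add(host)
            for other in by_host[host] - accounts:   # accounts newly implicated via this host
                accounts.add(other)
                queue.append((other, depth + 1))
    return accounts, hosts

# Constructed sample: a contractor account reaches a VDI host and a file server,
# a backup service account is also used on that file server, and unrelated activity.
SAMPLE_LOG = [
    "EventID=4624 TargetUserName=contractor01 Computer=VDI-07 LogonType=10",
    "EventID=4624 TargetUserName=contractor01 Computer=FS-02 LogonType=3",
    "EventID=4624 TargetUserName=svc_backup Computer=FS-02 LogonType=3",
    "EventID=4624 TargetUserName=svc_backup Computer=BACKUP-01 LogonType=3",
    "EventID=4624 TargetUserName=FS-02$ Computer=DC01 LogonType=3",
    "EventID=4624 TargetUserName=alice Computer=WS-104 LogonType=2",
    "EventID=4625 TargetUserName=bob Computer=FS-02 LogonType=3",
]

if __name__ == "__main__":
    acc, hst = blast_radius(parse_4624(SAMPLE_LOG), "contractor01")
    print("accounts to review:", sorted(acc))
    print("hosts to review:", sorted(hst))
```

Every account and host it returns is a lead to verify, not a confirmed compromise; a shared file server will pull in legitimate users as well.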
If you have any reason to believe you’ve been targeted by Darkside or any other group, please don’t hesitate to reach out for incident response and forensics help.
Darkside Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are aware of a ransomware attack affecting a critical infrastructure (CI) entity—a pipeline company—in the United States. Malicious cyber actors deployed Darkside ransomware against the pipeline company’s information technology (IT) network. At this time, there is no indication that the entity’s operational technology (OT) networks have been directly affected by the ransomware.
CISA and FBI urge CI asset owners and operators to adopt a heightened state of awareness and implement the recommendations listed in the Mitigations section of this Joint Cybersecurity Advisory, including implementing robust network segmentation between IT and OT networks; regularly testing manual controls; and ensuring that backups are implemented, regularly tested, and isolated from network connections. These mitigations will help CI owners and operators improve their entity's functional resilience by reducing their vulnerability to ransomware and the risk of severe business degradation if impacted by ransomware.