{"id":6477,"date":"2021-07-12T08:55:03","date_gmt":"2021-07-12T15:55:03","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6477"},"modified":"2024-04-26T13:20:34","modified_gmt":"2024-04-26T20:20:34","slug":"cyber-threat-advisory-darkside-ransomware-variant","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/cyber-threat-advisory-darkside-ransomware-variant\/","title":{"rendered":"Cyber Threat Advisory: DarkSide Ransomware Variant"},"content":{"rendered":"

Author: Avinash Shende<\/h3>\n

TLP: WHITE<\/h3>\n

 <\/p>\n

1.\u00a0 Executive Summary<\/h3>\n

On 8 July, the Cybersecurity and Infrastructure Security Agency (CISA) published a Malware Analysis Report (AR21-189A) on a variant of DarkSide ransomware.1<\/sup> To date, there is no evidence that the variant has any association with the Colonial Pipeline security breach, which happened on 7 May, and about which Infoblox released a Cyber Threat Advisory on 13 May.2<\/sup><\/p>\n

This Cyber Threat Advisory will summarize the information from CISA on DarkSide\u2019s new variant: a 32-bit dynamic-link library (DLL) named encryptor2[.]dll<\/em>. This variant can delete Microsoft Volume Shadow copies,3<\/sup> collect and encrypt files, and exfiltrate system information to its command and control (C&C) server. After encrypting the files, the program creates a bitmap image and sets it as the user’s wallpaper. In the wallpaper, the program stores the details that the victim would need to recover data.<\/p>\n

The DarkSide group announced the existence of their ransomware-as-a-service (RaaS) in August 2020. Since then, the group has become known for their professional operations and large ransoms. They provide web chat support to victims, build intricate redundant systems for storing leaked data, and perform financial analysis of targets prior to attacking them. The group has a history of double-extorting their victims by demanding ransom in exchange for 1) deleting their victims\u2019 exfiltrated data, and 2) for providing the decryption keys that victims need to unlock their infected computers.<\/p>\n

2.\u00a0 Analysis<\/h3>\n

To gain initial access to target organizations, DarkSide performs brute-force attacks and exploits vulnerabilities in Remote Desktop Protocol (RDP). After compromising a target network, DarkSide collects system information (operating system, usernames, hostnames, default language, and more) and sends it to their C&C server.<\/p>\n

When encryptor2[.]dll<\/em> is executed, it invokes the Volume Shadow service (vssvc.exe<\/em>) to delete any Volume Shadow copies available in the system. Encryptor2[.]dll<\/em> then collects system information and sends it to the C&C domains baroquetees[.]com<\/em> and rumahsia[.]com<\/em>.<\/p>\n

This DarkSide variant uses the system GUID to generate a unique eight-character hexadecimal extension, which it then uses to append encrypted files. It contains the hard-coded key _M8607761bf3212d6<\/em> that it uses to decrypt an embedded base64 encoded configuration that runs the ransomware program.<\/p>\n

Before launching the encryption module, DarkSide checks for and terminates non-essential processes and services that might be running on the target system. Also, while running, it avoids encrypting certain file directories (for example, Program Files, Windows, and Appdata) and file extensions, which deal with binaries, icons, installer packages and scripts.<\/p>\n

After encrypting the files, DarkSide creates a bitmap image in C:\\ProgramData<\/em> and gives it the same name as that of the extension it used to append encrypted files. The image shows the instructions the victims should use to recover their files. To display the image as the desktop wallpaper, DarkSide modifies system registry keys. Also, to ensure that the ransom note is automatically displayed after every system reboot, DarkSide drops it in encrypted locations and in the Startup folder.<\/p>\n

3.\u00a0 Prevention and Mitigation<\/h3>\n

The CISA recommends the following:<\/p>\n