Recently, a Linux version of the DarkSide ransomware was analyzed and a detailed report was published by AT&T Alien Labs. DarkSide ransomware group has been one of the most active ransomware groups in the last quarter. In May, the group had targeted Colonial Pipeline and announced the closing of their operations soon after.
Researchers noted that Linux ransomware mostly zip files with a password, however, DarkSide encrypts files using crypto libraries. It makes the recovery of data impossible without the encryption key.
The group developed and used the Linux version when it was targeting ESXi servers hosting VMware virtual machines. The authors announced the DarkSide 2.0 Linux version on March 9.
The ransomware’s default configuration has the root path of ESX server machines and targets vmdk, log, vmem, and vmsn extensions that are used in ESX servers for saving virtual machines’ information, logs, and data.
DarkSide 2.0 is very informative and prints to the screen almost all of the actions it does, which is not common behavior for malware. It means that the malware is possibly being deployed manually.
The malware is written in C++ and uses various open-source libraries that were compiled and imported with the malware code into one binary. Some of these libraries are crypto++, boost, and curl.
The malware includes support for shutting down virtual machines by execution of esxcli commands. It is a special console on ESX servers that enables them to work with virtual machines from the command line.
After execution, the malware prints its configuration to the terminal. This includes the root path to encrypt, targeted file extensions to encrypt, C2 addresses, and RSA key information, among others.
The C2 addresses are encrypted with a rotated XOR key, which will be decrypted after the malware is executed. It then counts the files to be encrypted, collects information, and sends it to the C2 server after encryption.
Ransomware is one of the biggest threats especially when they target Linux-based virtual machine servers that are used to host multiple critical services. Therefore, even though DarkSide has reportedly shut down its operations, organizations are recommended to apply adequate security measures to stay protected against ransomware infections.