
DarkSide: A Deep Dive Into The Threat Actor That Took Colonial Pipeline Down


Origin: August 10, 2020

Alias: None

Infection Vectors: Phishing, Unauthorized access, Supply chain attack

Attack Sector: Utility, IT, Real Estate, Manufacturing, Oil and Gas, Banking, Enterprise Services, Retail Sector

Targeted Regions: North America, Canada, Eastern and Western Europe, East Asia

Motive: Financial gains

List of Tools: Cobalt Strike, Mimikatz, PSExec, SystemBC RAT, Powertools64, PCHunter, GMER, ADRecon, ADFind, NetScan, Advanced IP Scanner, \Windows\System32\net.exe, GPO, Scheduled Tasks, RDP, SSH, Mega.nz, pCloud, PuTTY, Rclone, 7zip, Plink, AnyDesk, azure_update.exe, wwifi.exe

Introduction

Written in the C programming language, the DarkSide ransomware kicked off its operations on August 10, 2020, in the form of targeted attacks against numerous companies. It gradually evolved into a top contender in the Ransomware-as-a-Service (RaaS) market, offering its own brand of malware to customers on a subscription basis. In a press release issued by the threat actors, they claimed to be former affiliates who had made millions of dollars working with other ransomware operations. After failing to find a suitable “product” that fit their needs, they decided to launch their own operation.

The group has no known affiliation with any state-backed group and is believed to operate from Eastern Europe, likely Russia. However, law enforcement agencies suspect that the group has the support of the Kremlin, as it never targeted Russian entities.

After carrying out one of the biggest attacks in the U.S. on Colonial Pipeline, DarkSide operators went offline from the dark web and no signs of return have been observed so far.

Attack Timeline

DarkSide’s first known victim was Brookfield Residential, a real-estate firm, in August 2020. In January 2021, Bitdefender released a free decryptor for the Windows version of the DarkSide malware. The next month, Canada-based Discount Car and Truck Rentals lost about 120GB of data to the DarkSide ransomware gang. Two more victims, Companhia Paranaense de Energia and Centrais Eletricas Brasileiras (electric utility companies in Brazil), suffered attacks from the group. Two other firms, the billion-dollar fashion brand Guess and Home Hardware Stores Ltd., were also targeted by the gang in February.

In March, managed service provider CompuCom expected losses of up to $20 million owing to a DarkSide ransomware attack. Later in March, experts warned about a new version of the DarkSide ransomware that boasted faster encryption speeds, VoIP calling, and hypervisor targeting. The free decryptor was no longer effective. In late April, a new attack saw the group compromise Banca di Credito Cooperativo, impacting operations at 188 branches of the Italian bank.

In May, at least five firms disclosed being hit by DarkSide—Colonial Pipeline, chemical distribution firm Brenntag, Japanese Toshiba Tec Corp, German retail furniture firm Möbelhaus Sommerlad, and Doncaster-based insurance firm One Call. Within 24 hours, Colonial Pipeline and Brenntag each paid over $4 million to the gang in exchange for decryption keys. On May 12, DarkSide claimed to have stolen a total of 1.9 GB of data from three more victims: a technology services reseller in the U.S., a construction company based in Scotland, and a renewable energy product reseller in Brazil. The group announced its shutdown the next day.

The Colonial Impact

Colonial Pipeline came under attack on May 7, 2021, and in response took its IT systems offline, shutting down its entire gasoline pipeline system for the first time in its 57-year history. The outage spurred fear of gas shortages, long lines at gas stations, and the highest fuel prices in over 6 years. On May 11, the FBI and CISA issued a joint advisory in response to the Colonial Pipeline incident, which was attributed to five distinct activity clusters associated with the DarkSide RaaS. The following day, Biden signed an executive order on cybersecurity with two major aims: fortifying cybersecurity for federal networks and laying out new security standards for commercial software used by both businesses and the public.

On June 7, exactly a month after the attack, FBI Deputy Director Paul Abbate announced in live-streamed remarks, “Today we turned the tables on DarkSide.” The FBI reportedly clawed back approximately 63.7 of the 75 bitcoins (nearly $2.3 million) of the ransom paid to the DarkSide gang. Nonetheless, reports suggest the gang made off with $90 million in BTC before calling it quits.

Infection Methods

The DarkSide ransomware attack campaigns were known for their use of stealthy techniques, especially in the early stages. The group performed careful reconnaissance and took pains to ensure that its attack tools and techniques evaded detection on victims’ devices and endpoints.

When performing attacks, DarkSide creates a customized ransomware executable for the target company. When executed, the ransomware runs a PowerShell command that deletes Shadow Volume Copies on the system so that they cannot be used to restore files. It then terminates various database, office, and mail client applications to prepare the machine for encryption.
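The shadow-copy deletion described above is one of the few steps in a DarkSide intrusion that leaves a loud, easily audited trace: a process-creation event for vssadmin, WMIC or PowerShell. The following detection logic is an added example written for this post, not code from the original article or from any vendor. It parses a handful of constructed, Sysmon-style process-creation lines (the hosts, users, timestamps and log format are invented), unwraps base64/UTF-16LE `-EncodedCommand` PowerShell arguments so that encoded strings cannot hide the command, and flags the three common ways of deleting Volume Shadow Copies (MITRE ATT&CK T1490, Inhibit System Recovery).

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample process-creation events (Sysmon Event ID 1 style, flattened
# to one line each). Hosts, users and timestamps are invented for this example.
_ENCODED_CMD = base64.b64encode(
    "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }".encode("utf-16-le")
).decode("ascii")

SAMPLE_LOGS = [
    'ts=2021-05-07T09:12:01 host=FS01 user=CORP\\svc_backup cmdline="vssadmin.exe list shadows"',
    'ts=2021-05-07T09:12:09 host=FS01 user=CORP\\jdoe cmdline="vssadmin.exe delete shadows /all /quiet"',
    f'ts=2021-05-07T09:12:15 host=FS01 user=CORP\\jdoe cmdline="powershell.exe -ep bypass -enc {_ENCODED_CMD}"',
    'ts=2021-05-07T09:13:40 host=WS22 user=CORP\\asmith cmdline="WINWORD.EXE /n"',
    'ts=2021-05-07T09:14:02 host=FS01 user=CORP\\jdoe cmdline="wmic shadowcopy delete"',
]

LINE_RE = re.compile(
    r'ts=(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmdline="(?P<cmd>[^"]*)"'
)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the common ones.
ENC_RE = re.compile(r'-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)', re.IGNORECASE)

# Shadow-copy deletion (ATT&CK T1490) via the three usual Windows interfaces.
SHADOW_COPY_PATTERNS = [
    (re.compile(r'vssadmin(?:\.exe)?\s+delete\s+shadows', re.IGNORECASE), "vssadmin delete shadows"),
    (re.compile(r'wmic(?:\.exe)?\s+shadowcopy\s+delete', re.IGNORECASE), "wmic shadowcopy delete"),
    (re.compile(r'win32_shadowcopy.*\.delete\s*\(', re.IGNORECASE), "WMI Win32_Shadowcopy Delete()"),
]


@dataclass
class Alert:
    ts: str
    host: str
    user: str
    technique: str
    command: str
    decoded: Optional[str]  # decoded -EncodedCommand payload, if there was one


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Return the plaintext of a base64/UTF-16LE -EncodedCommand argument, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(lines) -> List[Alert]:
    """Parse each event, unwrap encoded PowerShell, and flag shadow-copy deletion."""
    alerts: List[Alert] = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        cmd = m.group("cmd")
        decoded = decode_encoded_powershell(cmd)
        # Match against the raw command line and, when present, its decoded payload.
        candidates = [cmd] + ([decoded] if decoded else [])
        for pattern, technique in SHADOW_COPY_PATTERNS:
            if any(pattern.search(c) for c in candidates):
                alerts.append(Alert(m.group("ts"), m.group("host"), m.group("user"), technique, cmd, decoded))
                break
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOGS):
        print(f"{a.ts} {a.host} {a.user}: {a.technique}")
        if a.decoded:
            print(f"    decoded: {a.decoded}")
```

Run over the sample, the benign `vssadmin list shadows` and the Word launch produce nothing, while the three deletion variants, including the one hidden behind `-enc`, each yield an alert. In production the same patterns belong in the SIEM or EDR rule set, with an allow-list for the backup service accounts that legitimately prune shadow copies.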

When encrypting a computer, DarkSide avoids terminating certain processes, including TeamViewer, which indicates that the threat actors abused it for remote access to compromised systems. The ransomware encrypts files with a Salsa20 key, which is in turn encrypted with an RSA-1024 public key embedded in the executable. Each victim is assigned a custom file extension derived from a custom checksum of the victim’s MAC address. Each executable is also customized with a personalized “Welcome to Dark” ransom note, which states the amount and type of data that was stolen and links to it on the data leak site.

Infusion and Stealth Tactics

DarkSide’s initial entry vectors vary. It may either perform brute-force attacks or exploit vulnerabilities in RDP to gain initial access. Once inside a network, the group relies on a range of covert tactics, including:
  • Abusing the Tor anonymity network for command-and-control (C&C)
  • Writing customized code and segregating connection hosts for each victim
  • Evading modern EDR products, encoding sensitive strings, and loading DLLs for obfuscation
  • Deferring major actions to the later stages of an attack
  • Using file-sharing services to distribute attack tools and store file archives
  • Wiping backups, including shadow copies

Tools in Use

Initial access: Phishing of credentials, external remote access (VPN, RDP)
Execution: Cobalt Strike, PSExec, SystemBC RAT
Defense Evasion: Powertools64, PCHunter, GMER
Discovery: ADRecon, ADFind, NetScan, Advanced IP Scanner
Persistence: PowerShell, \Windows\System32\net.exe, GPO, Scheduled Tasks
Lateral movement: PSExec, RDP, SSH
Exfiltration: Mega.nz, pCloud, PuTTY, Rclone, 7zip
Command-and-Control: Plink, AnyDesk, Cobalt Strike, Tor
Impact: azure_update.exe, wwifi.exe

Operational and Extortion Techniques

Like other human-operated ransomware attacks, once the DarkSide operators breach a network they move laterally through it until they gain access to an administrator account and the Windows domain controller. This lateral movement allows the attackers to harvest unencrypted data from the victim’s servers and upload it to their own infrastructure. The stolen data is then posted to a data leak site under their control and used as leverage in the extortion attempt. The group practiced double extortion, with ransom demands ranging from $200,000 to $2,000,000.

The financially motivated DarkSide group had clarified from the beginning that it only targets companies that can pay the specified ransom. Previously, the threat actor stated that it does not target healthcare, education, government, and non-profit organizations. 

In April 2021, DarkSide adopted a new tactic against victim firms listed on NASDAQ or other stock markets that refused to pay a ransom: colluding in advance with crooked market traders who would short the company’s stock before the victim’s name appeared on the leak site, so that both the traders and the hackers could profit from the resulting losses.

According to a report from Kaspersky, the gang also leveraged the media and engaged with journalists to give updates on upcoming leaks.

Affiliates

In addition to making money from ransom demands, the group showed a keen interest in partnering with competitors or investors. It allegedly launched its affiliate program—as part of its bid to maximize revenue—in November 2020.

In May 2021, Mandiant identified five Russian-speaking actors linked to DarkSide. It described the activities of three of them, tracked as UNC2628, UNC2659, and UNC2465, who were working with the group at the time or had done so earlier. RaaS affiliates were required to go through an interview process, after which they gained access to an administration panel. Using this panel, affiliates could create ransomware builds, manage blog content for the group, supervise victims, and contact support.

There were other ransomware groups that claimed to use DarkSide’s RaaS affiliate programs, including Babuk and Sodinokibi (aka REvil). 

Ransomware Dropout

On May 13, DarkSide announced that it was leaving the extortion business. In a message possibly meant for affiliates, DarkSide actors claimed their servers had been seized by an unnamed country. They allegedly lost access to the public part of their infrastructure, preventing the group from carrying out extortion activities. Further, their payment server experienced a glitch and funds were diverted to an unknown address. The group also said it would issue decryptors to all its affiliates for every victim they had targeted.

Conclusion

With double extortion, the RaaS business model, and affiliate programs as its main tools, DarkSide kept security teams across organizations running from pillar to post for about a year. Even though the group announced that it was ceasing operations, some of its supporting infrastructure is still active. For now, it is wise to treat its affiliates—who are still at large—as a real threat to businesses.

Indicators of Compromise

MD5
f587adbd83ff3f4d2985453cd45c7ab1
db99af79840cc24e4a2bc8920af97c4d
6738c20d4ea897835026864651841fca
4e6ca671cfd10e3aa0e2dcd99bc287b6
C0265513cd36f1d659cc71bd70bfef58
3853bbcd5344aff518bb2f1ccbd05bdd
4d2b117a0087a34a0cb8575f34413c47
2e5dee7e7d8aa32b5a638cd619eb67b3
135d0337c142e73417030daf30d835ac

SHA1
2715340f82426f840cf7e460f53a36fc3aad52aa
1cbb4aa1dd284d62f4eb1833b6fe1290c122ccf7
4d03e3db39adaf57df53181429706aa854878026

SHA256
156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673
3ba456cafcb31e0710626170c3565aae305bc7c32a948a54f0331d0939e0fe8a
f6fba207c71d1f53f82d96a87c25c4fa3c020dca58d9b8a266137f33597a0b0e

SHA512
37acf3c7a0b52421b4b33b14e5707497cfc52e57322ad9ffac87d0551220afc202d4c0987460d295077b9ee681fac2021bbfdebdc52c829b5f998ce7ac2d1efe
7f731e2fa892082a5f2c3e4865eaeab9b3f03ae26ce4fe545a46de5002130b1374b941fc3cb3bf0204d036b2233023658869bf22b626bf947627e03031b89276
b07fefbceeba5eddac04ecf011f347fd3879b77330d4db6178dd1daa54dbed956f90e28ecf93404e8c98f9683aac0fd238133d6188f2926475204556fc6a1403

ssdeep
768:u2v9Ij6f3J8OT1PMK30DbQDH2doyomHRL83M4/NShWxEs0l29SFd2Xyj09rLd:fmET1PMK3qbpHY3M4wWmXgSFTSrLd
12:RLp5BJxhfVfPNpNhdhhxvn9RBxJRRPHJvPZBJxhf55vPpZ5B1ZJZxNBJv5B15Bpx:R
48:L7EZWCOqZGgQx8N3NbS/3TXWAxdHyJWtbXi5RLNRVtRGHE:LAMCMxq3NbS/rrn9d2RL/VH7
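A practical use of the hash indicators above is a one-pass sweep of a file share or an incident-response triage image. The following script is an added example for this post, not a tool from the original article or from Cyware. It embeds the MD5, SHA1, SHA256 and SHA512 digests listed in this section exactly as given (lowercased, since hex digests compare case-insensitively), validates that each has the correct length for its algorithm, hashes every file under a directory once with all four algorithms, and reports any match. The ssdeep fuzzy hashes are not included because comparing them needs the ssdeep library, which is not part of the Python standard library.

```python
import hashlib
import sys
from pathlib import Path
from typing import Dict, List, Tuple

# File hashes copied from the Indicators of Compromise section of this post.
# Digests are compared case-insensitively, so everything is stored lowercase.
IOC_HASHES: Dict[str, set] = {
    "md5": {
        "f587adbd83ff3f4d2985453cd45c7ab1", "db99af79840cc24e4a2bc8920af97c4d",
        "6738c20d4ea897835026864651841fca", "4e6ca671cfd10e3aa0e2dcd99bc287b6",
        "c0265513cd36f1d659cc71bd70bfef58", "3853bbcd5344aff518bb2f1ccbd05bdd",
        "4d2b117a0087a34a0cb8575f34413c47", "2e5dee7e7d8aa32b5a638cd619eb67b3",
        "135d0337c142e73417030daf30d835ac",
    },
    "sha1": {
        "2715340f82426f840cf7e460f53a36fc3aad52aa",
        "1cbb4aa1dd284d62f4eb1833b6fe1290c122ccf7",
        "4d03e3db39adaf57df53181429706aa854878026",
    },
    "sha256": {
        "156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673",
        "3ba456cafcb31e0710626170c3565aae305bc7c32a948a54f0331d0939e0fe8a",
        "f6fba207c71d1f53f82d96a87c25c4fa3c020dca58d9b8a266137f33597a0b0e",
    },
    "sha512": {
        "37acf3c7a0b52421b4b33b14e5707497cfc52e57322ad9ffac87d0551220afc202d4c0987460d295077b9ee681fac2021bbfdebdc52c829b5f998ce7ac2d1efe",
        "7f731e2fa892082a5f2c3e4865eaeab9b3f03ae26ce4fe545a46de5002130b1374b941fc3cb3bf0204d036b2233023658869bf22b626bf947627e03031b89276",
        "b07fefbceeba5eddac04ecf011f347fd3879b77330d4db6178dd1daa54dbed956f90e28ecf93404e8c98f9683aac0fd238133d6188f2926475204556fc6a1403",
    },
}

# Expected hex-digest length per algorithm; used to catch truncated or mistyped IoCs.
HEX_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def validate_iocs(iocs: Dict[str, set]) -> List[str]:
    """Return a description of every digest whose length or alphabet is wrong for its algorithm."""
    problems = []
    for alg, digests in iocs.items():
        for d in digests:
            if len(d) != HEX_LENGTHS[alg] or any(c not in "0123456789abcdef" for c in d):
                problems.append(f"{alg}: {d}")
    return problems


def hash_bytes(data: bytes, algorithms=tuple(HEX_LENGTHS)) -> Dict[str, str]:
    """Hash an in-memory buffer with every algorithm (handy for tests and small blobs)."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algorithms}


def hash_file(path, algorithms=tuple(HEX_LENGTHS), chunk_size=1 << 20) -> Dict[str, str]:
    """Hash one file with all algorithms in a single pass over its contents."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def match_digests(digests: Dict[str, str], iocs: Dict[str, set]) -> List[Tuple[str, str]]:
    """Return (algorithm, digest) pairs that appear in the IoC set."""
    return [(alg, d) for alg, d in digests.items() if d.lower() in iocs.get(alg, set())]


def sweep(root, iocs: Dict[str, set] = IOC_HASHES) -> List[Tuple[str, str, str]]:
    """Walk a directory tree and return (path, algorithm, digest) for every IoC hit."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        try:
            digests = hash_file(p)
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole sweep
        for alg, d in match_digests(digests, iocs):
            hits.append((str(p), alg, d))
    return hits


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, alg, digest in sweep(root):
        print(f"IOC HIT {path} {alg}={digest}")
```

Usage is `python ioc_sweep.py /path/to/triage`. A hit on any one algorithm is enough to warrant pulling the file for analysis; a clean sweep only says that these particular builds are absent, since DarkSide produced a customized executable per victim, so the sweep should be paired with the behavioral detections described earlier in the post.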


Posted on: July 23, 2021
