Darkside: Analysis of Large-Scale Data Theft Campaign

About Darkside, Inc.
The Darkside ransomware group announced their RaaS (Ransomware-as-a-Service) in a “press release.” Since then, they have become known for their professional operations and large ransoms. They offer victims support via web chat, create complex data leak storage systems with redundancy and do financial analysis of victims before attacking.
Darkside is the name of the group. It evokes the image that a good person (or gal) has turned from the light. Although we cannot conclude that the group is made up of ex-IT security professionals, their attacks show a deep understanding of their victims’ security technologies and weaknesses.
They have made it clear that they don’t want to attack schools, hospitals, non-profits, governments, or non-profits. Instead, they prefer to attack large organizations that can afford large ransoms.
Darkside’s malware will scan devices for Russian language settings in order to make sure they don’t attack Russia’s-based organizations. They also responded to questions in Russian on Q&A forums and actively recruit Russian-speaking partners.
The group offers both Linux and Windows toolsets. Darkside, much like REvil and NetWalker, offers an affiliate program that pays between 10-25% to anyone who spreads their malware.

Darkside actors gained access to the network of the pipeline company and used Darkside ransomware to inflict damage on the company’s IT network. To protect its OT systems, the company took proactive steps to disconnect certain OT systems in response to the cyberattack. [2] At the moment, there is no evidence that the threat actor has moved laterally to OT system.
Darkside is ransomware-as-a-service (RaaS). Darkside is ransomware-as-a-service (RaaS) and the Darkside group creates ransomware that cybercriminals use. They also receive 1% of the proceeds. Open-source reporting shows that Darkside actors have been targeting large, high-revenue companies since August 2020. This has resulted in the theft and encryption of sensitive data. Darkside has stated publicly that they prefer to target large organizations than schools, hospitals, non-profits, governments, and non-profits. SonicWall Capture Labs threat researchers have discovered a new ransomware family called Darkside. This ransomware targets large corporations. Brookfield Residential, a Canadian home builder and land developer, was recently hit by Darkside ransomware. The operators have not only encrypted the data but also stole it and threatened to publish the data online if the company doesn’t pay up. Darkside has been around since August, and its operators have launched multiple targeted attacks against high-revenue companies. File decryption is charged at a cost of between $200,000 to $2M. The operators have reported having already received over $1M since the beginning of their campaign.

Anatomy of an Attac
Darkside ransomware attacks campaigns stood out because of their use stealthy techniques, particularly in the early stages. They conducted careful reconnaissance and took steps in order to ensure their attack tools and techniques were not detected by monitored devices or endpoints.
Although their entry vectors are different, their methods once inside are more consistent and their endgame is more coldly efficient.
Stealth tactics include:
Command and control over TORAvoiding nodes where EDR is runningWaiting periods and saving noisier actions for later stagesCustomized code and connection hosts for each victimObfuscation techniques like encoding and dynamic library loadingAnti-forensics techniques like deleting log filesDuring the later stages of their attack sequence, they:
Use file shares to distribute attack tools, store archives, and delete backups.
Darkside ransomware was first introduced through weak links – accounts and systems that are remotely exploitable.
Darkside used compromised contractor accounts to gain access to Virtual Desktop Infrastructure (VDI), which was set up to allow remote access during the pandemic. Contractor accounts didn’t.
We also saw them exploit servers and then quickly deploy an extra RDP to preserve access in the event that the vulnerable server was patched.
Although neither vector is new, they should be used as warnings that sophisticated threat actors can easily bypass perimeter defenses. These examples highlight the need for multifactor authentication on all internet accounts and rapid patching to internet-facing systems.
Command and Control
The Darkside ransomwareattackers established command control primarily with an RDP client running on port 443, routed through TOR. After installing Tor browser, they changed its configuration to run as persistent service. This redirects traffic to a local port throughTOR via HTTPS. These connections were persistent,sotheattackers could establish RDP sessions to and through the compromised hosts, facilitating lateral movement.
We discovered traces of TOR clients on many servers and discovered dozens of active TOR connection.
The attackers used Cobalt Strike as a secondary command and control mechanism.We observed dozens of customized stagers that downloaded customized beacons that connected to specific servers.The stagers (named file.exe) were deployed remotely on specific targeted devices usingWinRM, each one configured differently.Cobalt-Strike stagers establishedconnectionstoadedicated C2 servertodownload the Cobalt Strike Beacon.
Threat actors use only a few C2 servers per victim. However, Darkside configured each beacon to be used by threat actors.

Author: Victoria