Introduction

In this blog post I'll go through a Darkside ransomware sample and explain its main functionality based on my research.

About the ransomware operation:

A new ransomware operation named DarkSide began attacking organizations earlier this month with customized attacks that have already earned them million-dollar payouts.

Starting around August 10th, 2020, the new ransomware operation began performing targeted attacks against numerous companies.

In a “press release” issued by the threat actors, they claim to be former affiliates who had made millions of dollars working with other ransomware operations.

By: Bleeping Computer

This ransomware group claims that it will not attack organizations in the medical, education, non-profit and government sectors.

The group also claims to be building a sustainable, distributed storage infrastructure based in Iran to leak its victims' data.

[screenshot]

Let’s take a look at the ransomware sample.

Building the imports

To make analysis harder, Darkside resolves the APIs it needs dynamically. The sample's import table references only a few APIs:

[screenshot]

The strings and other data are encrypted. After reversing the decryption algorithm and annotating my IDB file with all the decrypted strings, the analysis got much easier. The following decrypted strings are the DLLs and APIs that Darkside loads and resolves at runtime, grouped by the DLL they are resolved from:

ntdll
_wcsicmp
wcscpy
wcscat
wcsstr
wcsrchr
wcslen
_wcslwr
swprintf
RtlInitUnicodeString
LdrEnumerateLoadedModules
RtlRandomEx
RtlComputeCrc32
_allshr
_alldiv
_allmul
NtQuerySystemInformation
NtQueryInformationFile
NtQueryInformationProcess
strlen
RtlGetVersion
RtlWow64EnableFsRedirectionEx
kernel32
LoadLibraryA
FreeLibrary
CreateFileW
CreateProcessW
CreateThread
ReadFile
WriteFile
GetFileSize
CloseHandle
OpenMutexW
CreateMutexW
GetUserDefaultLangID
GetSystemDefaultUILanguage
GetCommandLineW
GetModuleFileNameW
GetShortPathNameW
GetEnvironmentVariableW
GetWindowsDirectoryW
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
CreateIoCompletionPort
GetQueuedCompletionStatus
PostQueuedCompletionStatus
OpenProcess
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
SetFileAttributesW
GetLogicalDriveStringsW
GetDriveTypeW
WaitForSingleObject
GetSystemDirectoryW
IsWow64Process
TerminateProcess
Wow64DisableWow64FsRedirection
Wow64RevertWow64FsRedirection
SetThreadExecutionState
GetNativeSystemInfo
HeapAlloc
HeapReAlloc
HeapFree
GetProcessHeap
FindFirstFileExW
FindNextFileW
FindClose
Sleep
MoveFileExW
WaitForMultipleObjects
SetFilePointerEx
InterlockedIncrement
GetCurrentProcessId
DuplicateHandle
TerminateThread
GetExitCodeThread
RemoveDirectoryW
DeleteFileW
WideCharToMultiByte
GetCurrentDirectoryW
SetCurrentDirectoryW
advapi32
OpenProcessToken
DuplicateTokenEx
ImpersonateLoggedOnUser
GetTokenInformation
LookupAccountSidW
AdjustTokenPrivileges
OpenSCManagerW
EnumServicesStatusExW
OpenServiceW
ControlService
DeleteService
CloseServiceHandle
GetNamedSecurityInfoW
SetNamedSecurityInfoW
SetEntriesInAclW
RegOpenKeyExW
RegCreateKeyExW
RegSetValueExW
RegCloseKey
RegDeleteValueW
RegFlushKey
shell32
CommandLineToArgvW
ShellExecuteW
IsUserAnAdmin
ShellExecuteExW
ole32
CoInitialize
CoUninitialize
CoGetObject
CoInitializeSecurity
CoCreateInstance
CoSetProxyBlanket
oleaut32
VariantClear
mpr
WNetOpenEnumW
WNetEnumResourceW
WNetCloseEnum
iphlpapi
GetAdaptersInfo
shlwapi
PathIsDirectoryW
PathIsDirectoryEmptyW

After resolving the necessary APIs, the ransomware parses its embedded configuration and prepares to start the encryption routines.

Messing with the process access token

Darkside tries to adjust its own process access token privileges and to impersonate the logged-on user.

Adjusting its own token privileges:

[screenshot]

Impersonating the logged-on user:

[screenshot]

Mutex

To ensure that only one instance of the ransomware is running, the following mutex is created:

  • GLOBAL\\<FILENAME>

The mutex name is derived from the filename of the executable; if the mutex already exists, execution is aborted.

[screenshot]

Darkside actions

The following list refers to the main actions performed by Darkside on the system:

System Language Check
Emptying Recycle Bin
Uninstalling Services
Deleting Shadow Copies
Terminating Processes
Encrypting Local Disks
Encrypting Network Shares

System Language Check

Darkside checks the system language using the GetSystemDefaultUILanguage() and GetUserDefaultLangID() APIs:

[screenshot]

The decrypted string "This is a Russian-Speaking System, Exit" already tells us that this ransomware whitelists Russian-speaking systems: if the check matches, the sample exits without encrypting anything. The whitelist covers the CIS countries.

Uninstalling Services

Darkside takes a list of services from its own configuration and uninstalls them using the DeleteService() API:

[screenshot]

List of services to uninstall:

vss
sql
svc$
memtas
mepocs
sophos
veeam
backup

Deleting Shadow Copies

Darkside uses two different approaches to delete the Windows shadow copies. If it is running as a WOW64 process (a 32-bit application on a 64-bit machine) it uses PowerShell. On a 32-bit machine it uses COM + WMI to delete them.

[screenshot]

64-bit machine

On 64-bit machines Darkside simply calls CreateProcessW() to run a PowerShell command that it decrypts at runtime.

[screenshot]

Powershell command:

powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"

Decoded powershell command:

Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
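The PowerShell one-liner above rebuilds its real payload at runtime from a hex literal, which is why the shadow-copy deletion never appears in cleartext in the binary or on the command line. The following Python is an added example, not code from the original post: it statically decodes this hex-loop idiom the way an analyst or a detection pipeline would, emulating only the semantics of the (0..N) range (note the sample's literal carries one trailing 0x20 beyond the 62 bytes the loop consumes), and then tags a process command line with detection labels. SAMPLE_CMDLINE is a constructed copy of the command quoted above; the function names and labels are my own.

```python
import re

# Constructed copy of the obfuscated command line quoted in the write-up
# (the shadow-copy deletion command Darkside runs via CreateProcessW on 64-bit hosts).
SAMPLE_CMDLINE = (
    "powershell -ep bypass -c \"(0..61)|%{$s+=[char][byte]('0x'+'"
    "4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20"
    "466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20"
    "'.Substring(2*$_,2))};iex $s\""
)

# Matches the hex-loop idiom: (0..N)|%{$var+=[char][byte]('0x'+'HEX'.Substring(2*$_,2))};iex
HEX_LOOP_RE = re.compile(
    r"\(0\.\.(?P<last>\d+)\)\|%\{\$\w+\+=\[char\]\[byte\]"
    r"\('0x'\+'(?P<hex>[0-9A-Fa-f]+)'\.Substring\(2\*\$_,\s*2\)\)\};\s*iex",
    re.IGNORECASE,
)


def decode_hex_loop(cmdline):
    """Statically recover the string the loop would build, without running PowerShell.

    Only byte pairs 0..N are consumed, exactly like the (0..N) range, so any
    trailing hex bytes beyond that are dropped. Returns None if the idiom is absent.
    """
    m = HEX_LOOP_RE.search(cmdline)
    if m is None:
        return None
    wanted = 2 * (int(m.group("last")) + 1)
    hexstr = m.group("hex")[:wanted]
    hexstr = hexstr[: len(hexstr) - len(hexstr) % 2]  # guard against a truncated literal
    return bytes.fromhex(hexstr).decode("ascii", errors="replace")


def classify_cmdline(cmdline):
    """Return detection labels (hypothetical names) for a process command line."""
    labels = []
    # -ep / -ExecutionPolicy Bypass is a common precursor in ransomware command lines
    if re.search(r"-e(xecutionpolicy)?p?\s+bypass", cmdline, re.IGNORECASE):
        labels.append("execution-policy-bypass")
    decoded = decode_hex_loop(cmdline)
    if decoded is not None:
        labels.append("hex-loop-obfuscation")
        lowered = decoded.lower()
        # The decoded payload, not the raw command line, is what reveals the intent
        if "win32_shadowcopy" in lowered and "delete" in lowered:
            labels.append("shadow-copy-deletion")
    return labels


if __name__ == "__main__":
    print(decode_hex_loop(SAMPLE_CMDLINE))
    print(classify_cmdline(SAMPLE_CMDLINE))
```

Feeding Sysmon event ID 1 or 4688 command lines through classify_cmdline gives a label set that can be alerted on; the point of decoding first is that a rule matching only the literal string "Win32_Shadowcopy" would never fire on this sample.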

32-bit machine

On 32-bit machines Darkside uses the COM interface to WMI to execute a WQL query and deletes the returned shadow copies.

[screenshot]

Terminating Processes

Darkside takes a list of processes from its own configuration and terminates them using the TerminateProcess() API:

[screenshot]

List of processes to terminate:

sql
oracle
ocssd
dbsnmp
synctime
agntsvc
isqlplussvc
xfssvccon
mydesktopservice
ocautoupds
encsvc
firefox
tbirdconfig
mydesktopqos
ocomm
dbeng50
sqbcoreservice
excel
infopath
msaccess
mspub
onenote
outlook
powerpnt
steam
thebat
thunderbird
visio
winword
wordpad
notepad

Darkside also parses the following list of processes from its config and excludes them from termination:

vmcompute.exe
vmms.exe
vmwp.exe
svchost.exe
TeamViewer.exe
explorer.exe

Encryption

For encryption this ransomware uses Salsa20 to encrypt the files and RSA to encrypt the Salsa20 key. The extension appended to the encrypted files is a checksum of the victim's MAC address.

Darkside also parses a list of files, extensions and directories from its own configuration and skips them in the encryption routines.

List of whitelisted files:

autorun.inf
boot.ini
bootfont.bin
bootsect.bak
desktop.ini
iconcache.db
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db

List of whitelisted directories:

$recycle.bin
config.msi
$windows.~bt
$windows.~ws
windows
appdata
application data
boot
google
mozilla
program files
program files (x86)
programdata
system volume information
tor browser
windows.old
intel
msocache
perflogs
x64dbg
public
all users
default

List of whitelisted extensions:

386
adv
ani
bat
bin
cab
cmd
com
cpl
cur
deskthemepack
diagcab
diagcfg
diagpkg
dll
drv
exe
hlp
icl
icns
ico
ics
idx
ldf
lnk
mod
mpa
msc
msp
msstyles
msu
nls
nomedia
ocx
prf
ps1
rom
rtp
scr
shs
spl
sys
theme
themepack
wpx
lock
key
hta
msi
pdb

Ransomnote

The following ransom note is also part of the ransomware configuration and is written to a file named README.<CHECKSUM MAC ADDRESS>.TXT:

----------- [ Welcome to Dark ] ------------->

What happend?
----------------------------------------------
Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data.
But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network.
Follow our instructions below and you will recover all your data.

Data leak
----------------------------------------------
First of all we have uploaded more then 100 GB data.

Example of data:
 - Accounting data
 - Executive data
 - Sales data
 - Customer Support data
 - Marketing data
 - Quality data
 - And more other...

Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC
The data is preloaded and will be automatically published if you do not pay.
After publication, your data will be available for at least 6 months on our tor cdn servers.

We are ready:
- To provide you the evidence of stolen data
- To give you universal decrypting tool for all encrypted files.
- To delete all the stolen data.

What guarantees?
----------------------------------------------
We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests.
All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems.
We guarantee to decrypt one file for free. Go to the site and contact us.

How to get access on website? 
----------------------------------------------
Using a TOR browser:
1) Download and install TOR browser from this site: 
http://torproject.org/
2) Open our website: http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68

When you open our website, put the following data in the input form:
Key:
pr9gzRnMz6qEwr6ovMT0cbjd9yT56NctfQZGIiVVLgo0ME2EQpAUyZucG9BLrOJjno5XLPvCN11TFfnlFHa42u5mJxoeR5k5RUgQAC1MC6LBUj4YOOAUyiBrR
HQSUM3pzGoEPRVOzXSZ8YqkJyFL0TDFBbWaBKQDOSo9GzKKoVRQ0Eb02F5geTPkTAqZZSfSQ6PBBlTGPSgGe2kCyuwwp7lDmRSJlNnHssMMZHVhXzyZ6fxiBY
gNiuusFK8JNI5nrtRPp3bMAc6OEddxfJWj6o2GT1Xg9j87Jp4Oyv43E1J61jLJAWBkmoBB3Gqv07mtyDW5PnmxBlNzABbLFEvJMQL23sR8nnw4svzcZHxrqD1
xRcxqyeKtsaQ5yqLvyQgMdnrI2QoCqkHYYUfBIzjO8BXyBZdmjHanXE57jdDAhjaDUUqfL917cCyJr1uwVR0Xj5lJXe8BIKHd3dFrz70CsIXFAhicOsBlFzIn
daNcAXXyL8Fg1avIXOcuEkGRDXt8Cs8b3TAB6n4DrbLJdiFjECo8yCA9pxvzqjXatumUloblWFZaUoLVYzP

!!! DANGER !!!
DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. 
!!! DANGER !!!

Debugging logs

For some reason the authors left the debug logging capability in the build: the sample creates a log file named LOG.<CHECKSUM MAC ADDRESS>.TXT with the following contents:

[INF] Start Encrypting All Files 
[INF] Emptying Recycle Bin 
[INF] Uninstalling Services 
[INF] Deleting Shadow Copies 
[INF] Terminating Processes 
[INF] Encrypt Mode - FAST 
[INF] Encrypting Local Disks 
[INF] Started 2 I/O Workers 
[INF] Encrypted 0 file(s) 
[INF] Encrypting Network Shares 
[INF] Started 2 I/O Workers 
[INF] Encrypted 0 file(s) 
[INF] Started 2 I/O Workers 
[INF] Encrypted 0 file(s) 
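Because that debug log is written to the same location as the ransom note and records every phase the sample went through, it is a useful scoping artifact during incident response. The following Python is an added example, not code from the original post or the sample: it parses the log format shown above into a structured summary (encryption mode, phases in order, I/O worker batches, files encrypted per phase) and offers a cheap triage check based on the two fixed strings quoted above. SAMPLE_LOG is a constructed copy of the log contents; the function names and summary keys are my own.

```python
import re

# Constructed copy of the LOG.<CHECKSUM MAC ADDRESS>.TXT contents quoted in the write-up.
SAMPLE_LOG = """[INF] Start Encrypting All Files 
[INF] Emptying Recycle Bin 
[INF] Uninstalling Services 
[INF] Deleting Shadow Copies 
[INF] Terminating Processes 
[INF] Encrypt Mode - FAST 
[INF] Encrypting Local Disks 
[INF] Started 2 I/O Workers 
[INF] Encrypted 0 file(s) 
[INF] Encrypting Network Shares 
[INF] Started 2 I/O Workers 
[INF] Encrypted 0 file(s) 
[INF] Started 2 I/O Workers 
[INF] Encrypted 0 file(s) 
"""

LINE_RE = re.compile(r"^\[(?P<level>[A-Z]{3})\]\s+(?P<msg>.*?)\s*$")  # tolerates trailing spaces
MODE_RE = re.compile(r"^Encrypt Mode - (?P<mode>\S+)$")
WORKERS_RE = re.compile(r"^Started (?P<n>\d+) I/O Workers$")
ENCRYPTED_RE = re.compile(r"^Encrypted (?P<n>\d+) file\(s\)$")


def parse_log(text):
    """Turn the debug log into a summary dict; unknown lines are kept, not dropped."""
    summary = {
        "mode": None,
        "steps": [],           # every message in order
        "phases": [],          # "Encrypting ..." targets in order
        "files_by_phase": {},  # phase -> sum of "Encrypted N file(s)" within it
        "worker_batches": [],  # N from each "Started N I/O Workers"
        "unparsed": [],
    }
    phase = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if m is None:
            summary["unparsed"].append(raw)
            continue
        msg = m.group("msg")
        summary["steps"].append(msg)
        mode = MODE_RE.match(msg)
        workers = WORKERS_RE.match(msg)
        encrypted = ENCRYPTED_RE.match(msg)
        if mode:
            summary["mode"] = mode.group("mode")
        elif msg.startswith("Encrypting "):
            # "Start Encrypting All Files" and "Encrypt Mode" do not match this prefix
            phase = msg
            summary["phases"].append(phase)
            summary["files_by_phase"].setdefault(phase, 0)
        elif workers:
            summary["worker_batches"].append(int(workers.group("n")))
        elif encrypted:
            key = phase if phase is not None else "(no phase)"
            summary["files_by_phase"][key] = summary["files_by_phase"].get(key, 0) + int(encrypted.group("n"))
    summary["files_total"] = sum(summary["files_by_phase"].values())
    return summary


def looks_like_darkside_log(text):
    """Triage check: the log opens with the fixed banner and carries an 'Encrypt Mode' line."""
    steps = parse_log(text)["steps"]
    return bool(steps) and steps[0] == "Start Encrypting All Files" and any(
        s.startswith("Encrypt Mode - ") for s in steps
    )


if __name__ == "__main__":
    s = parse_log(SAMPLE_LOG)
    print(s["mode"], s["phases"], s["worker_batches"], s["files_total"])
```

The per-phase file counts are the interesting output on a real host: they tell you whether the network-share phase actually reached anything, which directly shapes the scope of the response.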

IOCs

File:

SHA256: 1667e1635736f2b2ba9727457f995a67201ddcd818496c9296713ffa18e17a43

References