Darkside Ransomware Threat Intelligence Advisory

Summary

CloudSEK threat intelligence advisory on Darkside ransomware, the operators of which launched a more sophisticated variant of the ransomware, Darkside 2.0.
 
Advisory Type: Adversary Intelligence
Adversary: Darkside Ransomware
Affected Industry: Every industry except Healthcare, Education, and Non-profit
TLP: GREEN
 

Executive Summary 

The Darkside ransomware, initially discovered in August 2020, has resurfaced on the dark web and its operators are now active on underground forums. Through their posts, they have launched a new campaign built around the latest variant of the ransomware, Darkside 2.0. This version has updated software infrastructure and improved capabilities. The group responsible for the ransomware has explicitly stated that it will not target hospitals, schools, universities, and non-profit organizations. However, it attacks English-speaking countries and avoids countries that were part of the Soviet Union. The ransomware also deletes services such as vss, sql, svc, memtas, mepocs, sophos, veeam, and backup, which are responsible for security and backup.
Darkside 1.0 Campaign in Brief
  • The campaign used custom Salsa20 matrix and RSA-1024 encryption algorithms.
  • It used the COM interface to bypass UAC so as to elevate privileges.
  • The ransomware also deleted services such as vss, sql, svc, memtas, mepocs, sophos, veeam, and backup, which are responsible for security and backup.
  • The operators demanded ransoms between $200,000 and $2,000,000.
  • The decryption key was leaked and victims refused to pay the ransom; the locked data was decrypted using security tools.
 

Indicators of Compromise

  • F87a2e1c3d148a67eaeb696b1ab69133
  • 9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297 [sha256]
  • LOG.{userid}.txt
  • README.{userid}.txt
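Two of the details above translate directly into host-side detections: the list of services the ransomware stops or deletes (vss, sql, svc, memtas, mepocs, sophos, veeam, backup) and the README.{userid}.txt / LOG.{userid}.txt file names from the IoC list. The Python below is an added example written for this advisory, not CloudSEK tooling; it assumes the services are tampered with through net/sc commands visible in process-creation logs (the advisory does not state the mechanism) and that {userid} is an alphanumeric token.

```python
import re

# Services the advisory says Darkside stops or deletes (list taken from the advisory).
TARGET_SERVICES = ("vss", "sql", "svc", "memtas", "mepocs", "sophos", "veeam", "backup")

# File names from the advisory's IoC list: README.{userid}.txt and LOG.{userid}.txt.
# Assumption: {userid} is an alphanumeric, victim-specific token.
NOTE_PATTERN = re.compile(r"^(README|LOG)\.[A-Za-z0-9]+\.txt$")

# Assumption: services are stopped or removed via the built-in service-control tools.
# The advisory names the services but not the command, so matching 'net stop' and
# 'sc stop|delete|config' is a constructed detection heuristic, not a quoted IoC.
SERVICE_CMD = re.compile(
    r'\b(?:net1?(?:\.exe)?\s+stop|sc(?:\.exe)?\s+(?:stop|delete|config))\s+"?([\w.\-]+)"?',
    re.IGNORECASE,
)

def match_service_tampering(cmdline):
    """Return the lower-cased service name if the command line stops, deletes or
    reconfigures a service whose name contains one of TARGET_SERVICES, else None.
    Substring matching mirrors the breadth of the advisory's list; 'svc' and 'sql'
    also hit many benign services, so tune the list before alerting on it."""
    m = SERVICE_CMD.search(cmdline)
    if not m:
        return None
    svc = m.group(1).lower()
    return svc if any(t in svc for t in TARGET_SERVICES) else None

def is_ransom_note(filename):
    """True if a file name matches the README/LOG.{userid}.txt IoC pattern."""
    return NOTE_PATTERN.match(filename) is not None

def scan_process_events(events):
    """events: iterable of (host, command_line) pairs, e.g. from Sysmon Event ID 1
    or Windows Security Event ID 4688. Returns (host, service) alerts in order."""
    alerts = []
    for host, cmdline in events:
        svc = match_service_tampering(cmdline)
        if svc is not None:
            alerts.append((host, svc))
    return alerts

# Constructed sample process-creation events, not from a real incident.
SAMPLE_EVENTS = [
    ("WS01", r"C:\Windows\System32\net.exe stop vss"),
    ("WS01", r'sc.exe delete "VeeamBackupSvc"'),
    ("WS02", "net stop spooler"),
    ("WS03", r"C:\Program Files\app\updater.exe --check"),
]
```

Running scan_process_events(SAMPLE_EVENTS) flags only the two WS01 commands; the spooler stop and the updater are left alone.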
 
Darkside 2.0 Campaign
In March 2020, Darkside launched a new affiliate program to support a second ransomware campaign, with updated code for both Windows and Linux platforms. The call for affiliates states that encryption is now faster and more secure, and that the ransomware integrates with Active Directory. CIS countries, including Georgia and Ukraine, have been deliberately excluded from targeting.
Screenshot of affiliate programs, ransomware features and updates
 

Mitigations

  • Secure RDP endpoints with strong passwords that are difficult to brute-force.
  • Patch vulnerabilities in internet-facing assets promptly.
  • Strictly segment and isolate networks using firewalls and IDPS.
  • Educate users and employees on cyber hygiene.
  • Monitor endpoints to detect anomalies in ingress and egress traffic.
 
