In the wake of the Colonial Pipeline ransomware attack – which continues to disrupt supplies of fuel across the eastern and southern US – threat researchers from across the cyber community have been swapping information on the DarkSide ransomware gang, the up-and-coming cyber criminal group that has suddenly found itself elevated to global infamy.
First bursting onto the scene in August 2020 when it gained a certain measure of note by donating some of its ransom profits to charities, DarkSide is a (likely Russia-based) media-savvy group that understands how the cyber security “game” is played, and makes a virtue out of having an “honourable” reputation, as far as such a thing is possible in the cyber criminal underworld.
Clearly, say researchers, its operators like to see themselves as swashbuckling highwaymen, Robin Hood types who rob from the rich and give to the poor, although of course this is self-aggrandising nonsense, and borderline delusional narcissism.
But interestingly, in a departure from the more usual attention-seeking behaviour exhibited by other ransomware syndicates, the DarkSide group has been trying to distance itself from the attack, conducting an apparent damage limitation PR exercise, releasing a statement in broken English to the effect that its goal is “to make money, and not creating problems for society”. It is unclear from this line precisely what they thought they were doing up to now.
DarkSide also claimed that the attack on Colonial Pipeline was by an affiliate, and that it would police its partners’ selection of targets more assiduously in future to “avoid social consequences”. Again, it is unclear precisely what the group thought the consequences of its other attacks actually were.
Sophos’ Sean Gallagher, Mark Loman and Peter Mackenzie – who have dealt with several DarkSide victims via the firm’s incident response service – said this backpedalling was probably the result of the potentially greater real-world impact of their affiliate’s attack on the Colonial Pipeline.
“It has apparently made DarkSide’s operators more notorious than they are comfortable with,” they said in a newly published report.
“The gang previously promised to spare healthcare organisations, as well as others involved in vaccine distribution, because of the negative attention such attacks could potentially bring from within the gang’s home country. But because of the way DarkSide operates, it’s not clear how much control the keepers of the DarkSide brand have over the affiliates who do the actual work of breaking into networks and launching their ransomware.”
FireEye Mandiant’s researchers, Jordan Nuce, Jeremy Kennelly, Kimberly Goody, Andrew Moore, Alyssa Rahman, Brendan McKeague and Jared Wilson added: “A recent update to their underground forum advertisement also indicates that actors may attempt to DDoS [distributed denial of service] victim organisations.
“The actor ‘darksupp’ has stated that affiliates are prohibited from targeting hospitals, schools, universities, non-profit organisations and public sector entities.
“This may be an effort by the actor(s) to deter law enforcement action, since targeting of these sectors may invite additional scrutiny. Affiliates are also prohibited from targeting organisations in Commonwealth of Independent States (CIS) nations.”
Despite its sudden reticence, DarkSide has up to now followed in the footsteps of the other famous double extortion ransomware gangs, such as REvil/Sodinokibi, Maze and LockBit, exfiltrating data and threatening to release it if the victim does not pay. This is done via a Tor accessible blog. It is, however, known for making fairly hefty demands – one Sophos engagement was with a victim who was being extorted for $4m (they did not pay).
FireEye Mandiant’s team added that the gang’s affiliates receive a 25% cut of the ransom fees for hits that result in payments of under $500,000, and decrease to 10% for payments of over $5m.
Multifaceted extortion operation
The Mandiant team said it was clear that the DarkSide gang was becoming very proficient at “multifaceted extortion operations”. It noted the recent release of information suggesting that DarkSide would target NASDAQ and other listed companies by leaking their attacks to friendly traders in advance so they could short the victims and profit from any impact on the stock price.
“In another notable example,” they said, “an attacker was able to obtain the victim’s cyber insurance policy and leveraged this information during the ransom negotiation process, refusing to lower the ransom amount given their knowledge of the policy limits.
“This reinforces that during the post-exploitation phase of ransomware incidents, threat actors can engage in internal reconnaissance and obtain data to increase their negotiating power. We expect that the extortion tactics that threat actors use to pressure victims will continue to evolve throughout 2021.”
Tactics, techniques and procedures
They may be innovators in some regards, but for defenders concerned with stopping a DarkSide attack before it happens, researchers seem to agree that the DarkSide gang’s technological tactics, techniques and procedures (TTPs) also reflect other ransomwares, incorporating a mix of native Windows features, commodity malware and off-the-shelf red team tools such as Cobalt Strike.
The gang outsources compromise and deployment to network penetration specialists, who then refer the customer service operation back to the core operators. Sophos’ team believes these affiliates are likely hired guns who provide the same service to DarkSide’s peers. FireEye Mandiant confirmed this, saying it believes affiliates have also been associated with Babuk and REvil.
“In Sophos’ experience in data forensics and incident response to DarkSide attacks, the initial access to the target’s network came primarily as a result of phished credentials,” said the Sophos team. “This is not the only way ransomware attackers can gain a foothold, but it seems to be prevalent in cases involving this type of ransomware, possibly as a result of the affiliates’ preferences.”
Mandiant said it had also seen exploitation of CVE-2021-20016, a SQL injection vulnerability in the SonicWall SSLVPN SMA100 product that lets an unauthenticated attacker perform SQL queries to access usernames, passwords and other session-related information (if you are a SonicWall user, you should have patched this by now).
Mandiant tracks DarkSide activity in three different clusters of different groups – it defines these as UNC2628, UNC2659 and UNC2465 – that use differing methods of establishing persistence. Among other tools, UNC2628 favours the Cobalt Strike framework and BEACON payloads, sometimes uses Mimikatz for credential theft and exfiltration, and has even deployed F-Secure’s custom command and control framework. Meanwhile, UNC2659 uses TeamViewer to establish persistence, and UNC2465, the oldest cluster of activity linked to DarkSide, delivers the PowerShell-based .NET backdoor known as SMOKEDHAM.
Once established, Sophos’ intelligence has the gang’s dwell time at a median of 45 days, but it has been known to kick back for up to 88 days, during which time it steals as much data as possible, often targeting multiple departments inside the victim organisation – accounting and research and development (R&D) are particularly favoured here.
The gang moves around inside the victim network using PSExec and remote desktop connections – SSH if on a Linux server – and uploads its treasure trove to the cloud storage providers Mega or pCloud. Victims are extorted in bitcoin or monero – Sophos notes the gang does not accept Elon Musk’s favoured dogecoin.
“While some recent targeted ransomware operations from other gangs have sprung quickly, launching their attack within days, the actors behind DarkSide campaigns may spend weeks to months poking around inside an organisation’s network before activating their ransomware payload,” said the Sophos team.