Note that DarkSide makes a point to avoid shares named C$ and ADMIN$, and also first checks to see if a share is writeable before trying to encrypt files in it. Īfter issuing Active Directory queries, the ransomware then attempts to encrypt files in network shares found in this section of the code. If successful, the malware attempts to delete certain variables, such as defaultNamingContext and dnsHostName. This DarkSide ransomware variant may then use COM to interface with Active Directory itself. To accomplish this, it first attempts to look for domain controllers. In this campaign, the DarkSide group included an Active Directory attack in their ransomware software. Malicious actors know that Active Directory is basically a goldmine of network information. One deals with Active Directory and the other is concerned with partitions. The following section will look closer at two of the more unique functions that this DarkSide variant carries out. While the file size is relatively small for malware (57,856 bytes), it can deliver a much-larger-than-expected payload. This ransomware sample, unrelated to the Colonial Pipeline campaign, was programmed efficiently with very little wasted space, and compiler bloat has been kept to a minimum, which is unusual for most malware.
The DarkSide ransomware variant was obtained through our partnership with CTA. The use of a well-known (to threat researchers) bulletproof host that has been used by a wide variety of malicious actors for numerous nefarious activities over the years, including the 2016 DNC elections attack in the United States.Įxpanded Analysis of the DarkSide Ransomware Variant by FortiGuard LabsįortiGuard Labs encountered novel techniques in this DarkSide ransomware variant cybercriminal organization not seen before in ransomware.
DETECTING COBALT STRIKE BEACON TRAFFIC SOFTWARE
DarkSide ransomware code is efficient and well-constructed, indicating that their cybercriminal organization includes experienced software engineers.
The DarkSide Ransomware variant seeks out partitions on a multi-boot system to find additional files to encrypt, thereby causing greater damage and an increased incentive to pay a ransom to recover files. But further analysis confirmed an even more advanced technique. In this different DarkSide ransomware variant, FortiGuard Labs researchers uncovered an ability to seek out partition information and compromise multiple disk partitions.Īt the time of discovery, FortiGuard Labs researchers believed the ransomware was seeking out partitions to find possible hidden partitions setup by systems administrators to hide backup files. Introduction of DarkSide RansomwareįortiGuard Labs has uncovered additional tactics used by the threat actors that attacked Colonial Pipeline. This attack currently appears to be confined to targeted organizations and is not the result of widespread wormlike activity. This ransomware variant, written by the same criminals that targeted Colonial Pipeline, exhibits the ability to detect and compromise partitioned hard drives, a behavior not seen before.
0 kommentar(er)
