Introduction
DarkSide is ransomware-as-a-service (RaaS)—the developers of the ransomware receive a share of the proceeds from the cybercriminal actors who deploy it, known as “affiliates.” According to open-source reporting, since August 2020, DarkSide actors have been targeting multiple large, high-revenue organizations, resulting in the encryption and theft of sensitive data.
Pre-Execution
FortiEDR prevents the DarkSide ransomware payload from being executed in prevention mode as soon as it is accessed. FortiEDR detects this variant as W32/Filecoder.ODE!tr.ransom.
Post-Execution
Let's see how FortiEDR detects and blocks this ransomware by switching to simulation mode. In simulation mode, FortiEDR generates events but does not block them, allowing the Darkside ransomware to fully execute.
1. Network Access
The Darkside ransomware attempts to reach the IP address “99.83.154.118”. FortiEDR detects and blocks the network connection.
This IP has been active since 2021-04-29 with the most visits from India, Egypt and United States.
2. WMI Service Access
The Darkside ransomware is attempting to access the Windows Management Instrumentation (WMI) service in order to thwart the data recovery. The WMI service access operation is detected and blocked by FortiEDR.
The FortiEDR’s automated analysis captures the PowerShell command that is used to access the WMI service.
The de-obfuscated PowerShell command is shown below, that uses the PowerShell cmdlet Get-WmiObject to delete all the Volume Shadow copies.
3. File Write Access
The Darkside ransomware attempts to encrypt the user files. The File Encryptor rule under the FortiEDR’s Ransomware Prevention policy detects and blocks the file write operation.
4. File Creation
After encrypting the user files, ransomware note “README.2c73b54a.TXT” is dropped. FortiEDR’s exfiltration policy generates a block event for new file creation.
Ransomware Note
5. Sensitive Information Access
After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. The Darkside Ransomware attempts to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). This action is blocked by FortiEDR’s “Access to critical system information” rule under Exfiltration Prevention policy.
The source process i.e Darkside Ransomware process attempting to access lsass.exe is shown below.
6. Modify OS Settings
The Darkside ransomware attempting to modify the system registry has been blocked by FortiEDR. After successfully encrypting all user files, the Darkside ransomware modifies the registry key to change the Desktop wallpaper.
The registry key “\Control Panel\Desktop\WallPaper” has been updated to have the Darkside ransomware background i.e C:\ProgramData\2c73b54a.BMP.
FortiEDR effectively detects and defuses this threat in real time. These steps prevent data exfiltration, command and control (C&C) communications, file tampering, and ransomware encryption.
Threat Hunting
The threat actor uses Rclone to exfiltrate data via SFTP, an open-source command line utility for managing \ migrating content on cloud storage. Its capabilities include sync, transfer, crypt, cache, union, compress and mount.
FortiEDR’s (v5) Threat Hunting feature can be used to hunt for rclone usage. If rclone is not permitted in your environment, save and schedule the following threat hunting query to trigger an event when a suspicious rclone command line flag is found.
The Threat actor deploys the ransomware using PsExec, a sysinternals command-line tool. The hunting query should just not be based on the name of the instance as it's easily changed. In this case, the query makes use of the file metadata information i.e 'product name' rather than the process name. The metadata of the pre-compiled binaries cannot be easily changed, which helps in the detection of PsExec in your environment.
MITRE ATT&CK
T1003 OS Credential Dumping: LSASS Memory
T1486 Data Encrypted for Impact
T1112 Modify Registry
T1047 Windows Management Instrumentation
T1490 Inhibit System Recovery
T1059 Command and Scripting Execution
TA0010 Exfiltration over SFTP
IOC:
|
Ramsomware payload:
|
|||||
C2C:
|
The FortiGuard Managed Detection and Response (MDR) Service is designed for customers of the FortiEDR advanced endpoint security platform. This team of threat experts monitors, reviews and analyzes every alert, proactively hunts threats, and takes actions on behalf of customers to ensure they are protected according to their risk profile.
