FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
gthirugnanasa
Article Id 190322

Introduction

DarkSide is ransomware-as-a-service (RaaS)—the developers of the ransomware receive a share of the proceeds from the cybercriminal actors who deploy it, known as “affiliates.” According to open-source reporting, since August 2020, DarkSide actors have been targeting multiple large, high-revenue organizations, resulting in the encryption and theft of sensitive data.

 

 

Pre-Execution

In prevention mode, FortiEDR blocks the DarkSide ransomware payload as soon as it is accessed, before it can execute. FortiEDR detects this variant as W32/Filecoder.ODE!tr.ransom.

 

 

Post-Execution

Let's see how FortiEDR detects and blocks this ransomware by switching to simulation mode. In simulation mode, FortiEDR generates events but does not block them, which allows the DarkSide ransomware to execute fully so that each stage can be observed.

 

 

1. Network Access

The DarkSide ransomware attempts to reach the IP address “99.83.154.118”. FortiEDR detects and blocks the network connection.

 

 

 

This IP address has been active since 2021-04-29, with the most visits from India, Egypt and the United States.

 

 

 

 

 

2. WMI Service Access

The DarkSide ransomware attempts to access the Windows Management Instrumentation (WMI) service in order to inhibit data recovery. FortiEDR detects and blocks the WMI service access operation.

 

 

 

FortiEDR’s automated analysis captures the PowerShell command that is used to access the WMI service.

The de-obfuscated PowerShell command is shown below. It uses the PowerShell cmdlet Get-WmiObject to delete all Volume Shadow Copies, so that the encrypted files cannot be restored from them.
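
As an added example (not from the original article and not FortiEDR logic), the following Python script shows how a defender can spot the WMI-based shadow copy deletion described above in PowerShell command lines, including the -EncodedCommand form that has to be de-obfuscated first. The sample events are constructed, and the detection regexes and the encode_ps helper are assumptions made for the illustration.

```python
import base64
import re

# Indicators of Volume Shadow Copy deletion through WMI, matching the kind of
# Get-WmiObject ... Win32_ShadowCopy ... Delete() command the article describes.
WMI_CMDLET = re.compile(r"\b(Get-WmiObject|gwmi|Get-CimInstance)\b", re.IGNORECASE)
SHADOWCOPY = re.compile(r"Win32_ShadowCopy", re.IGNORECASE)
DELETE_OP = re.compile(r"\.Delete\(\)|Remove-WmiObject|Remove-CimInstance", re.IGNORECASE)
# PowerShell's -EncodedCommand (and its short forms) carries base64 of UTF-16LE text.
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def deobfuscate(cmdline: str) -> str:
    """Replace an -EncodedCommand payload with its decoded script text."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not a valid encoded command; inspect the raw text instead
    return cmdline[:m.start()] + decoded + cmdline[m.end():]

def is_shadowcopy_deletion(cmdline: str) -> bool:
    """True when all three indicators appear in the (decoded) command line."""
    text = deobfuscate(cmdline)
    return bool(WMI_CMDLET.search(text) and SHADOWCOPY.search(text) and DELETE_OP.search(text))

def hunt(events):
    """Return the pids of process events whose command line deletes shadow copies."""
    return [e["pid"] for e in events if is_shadowcopy_deletion(e["cmdline"])]

def encode_ps(script: str) -> str:
    """Assumed helper used only to build the sample below; it mirrors what
    PowerShell expects for -EncodedCommand: base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample process-creation events; only the first one is malicious.
SAMPLE_EVENTS = [
    {"pid": 1001, "cmdline": "powershell.exe -ep bypass -e "
     + encode_ps("Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}")},
    {"pid": 1002, "cmdline": "powershell.exe Get-WmiObject Win32_OperatingSystem | Select Caption"},
    # Listing shadow copies without deleting them is a normal administrative action.
    {"pid": 1003, "cmdline": "powershell.exe Get-WmiObject Win32_ShadowCopy | Select ID,InstallDate"},
]
```

Run against real process-creation telemetry, the same three-indicator check should be applied after decoding, since the encoded form hides every keyword from a plain substring match.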

 

 

 

3. File Write Access

The DarkSide ransomware attempts to encrypt the user’s files. The File Encryptor rule under FortiEDR’s Ransomware Prevention policy detects and blocks the file write operation.

 

 

 

 

4. File Creation

After encrypting the user’s files, the ransomware note “README.2c73b54a.TXT” is dropped. FortiEDR’s Exfiltration Prevention policy generates a block event for the new file creation.

 

 

 

 

Ransomware Note

 

 

 

5. Sensitive Information Access

After a user logs on, the system generates and stores a variety of credential material in the memory of the Local Security Authority Subsystem Service (LSASS) process. The DarkSide ransomware attempts to read this credential material from LSASS process memory. The action is blocked by FortiEDR’s “Access to critical system information” rule under the Exfiltration Prevention policy.

The source process, i.e. the DarkSide ransomware process attempting to access lsass.exe, is shown below.

 

 

 

 

 

6. Modify OS Settings

The DarkSide ransomware’s attempt to modify the system registry is blocked by FortiEDR. After successfully encrypting all user files, the DarkSide ransomware modifies the registry to change the desktop wallpaper.

The “WallPaper” value under the registry key “\Control Panel\Desktop” is updated to point to the DarkSide ransomware background image, i.e. C:\ProgramData\2c73b54a.BMP.

 

 

 

 

FortiEDR effectively detects and defuses this threat in real time. Together, these blocks prevent data exfiltration, command and control (C&C) communications, file tampering, and ransomware encryption.

 

Threat Hunting

The threat actor uses Rclone to exfiltrate data via SFTP. Rclone is an open-source command-line utility for managing and migrating content on cloud storage; its capabilities include sync, transfer, crypt, cache, union, compress and mount.

 

 

FortiEDR’s (v5) Threat Hunting feature can be used to hunt for Rclone usage. If Rclone is not permitted in your environment, save and schedule the following threat hunting query to trigger an event whenever a suspicious Rclone command-line flag is found.

The threat actor deploys the ransomware using PsExec, a Sysinternals command-line tool. The hunting query should not be based only on the executable’s name, as that is easily changed. Instead, this query makes use of the file metadata, i.e. the ‘product name’, rather than the process name. The metadata of the pre-compiled binary cannot be changed as easily, which helps in detecting PsExec in your environment.
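
As an added example (not from the article and not written in FortiEDR’s query language), the following Python hunt applies the two ideas from this section to constructed process-creation records: Rclone is recognised by its distinctive command-line flags rather than the image name, and PsExec (or Rclone) by the ‘product name’ in the binary’s version metadata. The record format, the flag list and the product-name strings are assumptions made for the illustration.

```python
# Rclone-specific flags (assumption: a short list from rclone's documented options).
# Several of them together are a strong signal even when the binary was renamed.
RCLONE_FLAGS = {"--transfers", "--multi-thread-streams", "--ignore-existing",
                "--auto-confirm", "--max-age", "--config", "--no-check-certificate"}
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "lsd"}
# Substrings expected in the PE version-info ProductName (assumed, see lead-in).
PRODUCT_NEEDLES = ("psexec", "rclone")

def rclone_indicators(cmdline: str):
    """Return the sorted Rclone flags and verbs present in a command line."""
    tokens = [t.lower() for t in cmdline.split()]
    flags = sorted(t.split("=")[0] for t in tokens if t.split("=")[0] in RCLONE_FLAGS)
    verbs = sorted(t for t in tokens if t in RCLONE_VERBS)
    return flags, verbs

def is_suspicious_rclone(cmdline: str, min_flags: int = 2) -> bool:
    """Flag several Rclone flags together, or one flag next to an Rclone verb."""
    flags, verbs = rclone_indicators(cmdline)
    return len(flags) >= min_flags or (bool(flags) and bool(verbs))

def product_name_hit(product: str) -> bool:
    """Match on version metadata, which survives renaming the executable."""
    return any(needle in product.lower() for needle in PRODUCT_NEEDLES)

def hunt(processes):
    """Return (image name, reason) pairs for records matching either hunt."""
    findings = []
    for p in processes:
        if is_suspicious_rclone(p["cmdline"]):
            flags, _ = rclone_indicators(p["cmdline"])
            findings.append((p["name"], "rclone flags: " + " ".join(flags)))
        if product_name_hit(p["product"]):
            findings.append((p["name"], "product name: " + p["product"]))
    return findings

# Constructed process-creation records (image name, PE ProductName, command line).
SAMPLE_PROCESSES = [
    # Rclone renamed to look like a system binary; the flags still give it away.
    {"name": "svchost.exe", "product": "",
     "cmdline": "svchost.exe copy C:\\Shares sftp-out:data --transfers 12 "
                "--multi-thread-streams 12 --ignore-existing --auto-confirm -q"},
    # Only printing the version: no transfer flags, caught by metadata instead.
    {"name": "rclone.exe", "product": "Rclone", "cmdline": "rclone.exe version"},
    # PsExec renamed; ProductName assumed to read as in Sysinternals builds.
    {"name": "p.exe", "product": "Sysinternals PsExec", "cmdline": "p.exe -accepteula"},
    {"name": "robocopy.exe", "product": "Microsoft Windows", "cmdline": "robocopy.exe C:\\a D:\\b /MIR"},
]
```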

 

 

 

 

MITRE ATT&CK

T1003 OS Credential Dumping: LSASS Memory
T1486 Data Encrypted for Impact
T1112 Modify Registry
T1047 Windows Management Instrumentation
T1490 Inhibit System Recovery
T1059 Command and Scripting Execution
TA0010 Exfiltration over SFTP

 

 

IOC:

Ransomware payload (SHA-256):

 


C2C:

99.83.154.118
72.246.151.27
72.246.151.32
176.103.62.217

The FortiGuard Managed Detection and Response (MDR) Service is designed for customers of the FortiEDR advanced endpoint security platform. This team of threat experts monitors, reviews and analyzes every alert, proactively hunts threats, and takes actions on behalf of customers to ensure they are protected according to their risk profile.