DarkSide Ransomware Analysis
Introduction
Ransomware, is a type of malware that prevents users from accessing their system or files and demands that a ransom be paid to regain access. Users are shown instructions on how to pay a ransom to obtain a decryption key to decrypt their files and get them back.
What’s DarkSide Ransomware
-
The threat actors behind DarkSide ransomware are of Russian origin and are likely former affiliates of the REvil RaaS [ransomware-as-a-service] group.
-
DarkSide ransomware appeared in August 2020
-
DarkSide ransomware operates as a service(RaaS)
Full Analysis
Here I did all aspects of Analysis so, I passed by Static, Dynamic, Advanced Static, and Advanced Dynamic analysis.
Supporting by Pictures from Analysis To help for reading easily. So, Let’s Start.
Static Analysis
MD5: 0202E80ABE75635256443CB5FD7C0283
SHA1 : A78851A9490DA007771DA340EC8F8C96745D8913
SHA256 : 9BD51F68587E0E49E8C0F8225BC8C3FEAC453EBD6B34B0ABA91C493CE75F4E80
Virustotal
Unpacked
This sample is unpacked. It was checked by DIE
Strings
While Looking for Strings, I didn’t Found many strings in this sample
Dynamic Analysis
- When you click on the sample to run it, it imediatly ctreates a process by it’s name as shown:
- Then It encrypes files sytem as showm:-
- The encrypted file extention is .f1f25696 as shown:-
- The Wallpaper of the disktop is changed as shown:-
Advanced Static Analysis
I faced many struggles while I was analyzing the assembly code by IDA Like:
- there are many loops in functions
- The third function in the main function is so long And I didn’t catch anything.
- There are no APIs That can help me in the analysis.
- There are many calls like “call dword-4208D0” so, it calls something from the data section and that is maybe resolving API functions and put addresses for these functions inside these addresses like “dword-4208D0”
- Make an import address table for itself for making the analysis difficult for analysts.
Advanced Dynamic Analysis
- First of all this malware checks the installed language of the victim’s device as shonw:
- Then it loads Dlls and resolves Functions
-
From Kernal32.dll it loads two functions “LoadLibraryA” and “GetProcAddress” for resolving needed functions as shown:-
- All dlls and resolved functions from them.
This Function For Resolving Functions From DLL The Resolved Function is : <ntdll.ZwClose> (77E92AA0) The Resolved Function is : <kernel32.SetEvent> (77C53080) DLL Loaded: 77610000 C:\Windows\SysWOW64\advapi32.dll DLL Loaded: 77710000 C:\Windows\SysWOW64\msvcrt.dll Thread 240 created, Entry: ntdll.77E55900, Parameter: 00724540 DLL Loaded: 77690000 C:\Windows\SysWOW64\sechost.dll DLL Loaded: 766F0000 C:\Windows\SysWOW64\rpcrt4.dll Thread 80 created, Entry: ntdll.77E55900, Parameter: 00724540 The Resolved Function is : <advapi32.ConvertSidToStringSidW> (7762E4C0) DLL Loaded: 76850000 C:\Windows\SysWOW64\user32.dll DLL Loaded: 77A60000 C:\Windows\SysWOW64\win32u.dll DLL Loaded: 75DD0000 C:\Windows\SysWOW64\gdi32.dll DLL Loaded: 77440000 C:\Windows\SysWOW64\gdi32full.dll DLL Loaded: 75D50000 C:\Windows\SysWOW64\msvcp_win.dll DLL Loaded: 777E0000 C:\Windows\SysWOW64\ucrtbase.dll Thread 1348 created, Entry: ntdll.77E55900, Parameter: 00724540 DLL Loaded: 76F70000 C:\Windows\SysWOW64\imm32.dll The Resolved Function is : <user32.CloseDesktop> (76891730) The Resolved Function is : <gdi32.GetTextExtentPoint32W> (75DD6BF0) DLL Loaded: 77520000 C:\Windows\SysWOW64\ole32.dll DLL Loaded: 76AE0000 C:\Windows\SysWOW64\combase.dll The Resolved Function is : <combase.CoSetProxyBlanket> (76C176E0) DLL Loaded: 767B0000 C:\Windows\SysWOW64\oleaut32.dll The Resolved Function is : <oleaut32.VariantClear> (767CE610) DLL Loaded: 75E00000 C:\Windows\SysWOW64\shell32.dll The Resolved Function is : <shell32.ShellExecuteW> (75F555A0) DLL Loaded: 77990000 C:\Windows\SysWOW64\shlwapi.dll The Resolved Function is : <shlwapi.PathRemoveFileSpecW> (779A4FB0) DLL Loaded: 72F50000 C:\Windows\SysWOW64\wininet.dll The Resolved Function is : <wininet.HttpSendRequestW> (73225720) DLL Loaded: 75CD0000 C:\Windows\SysWOW64\netapi32.dll DLL Loaded: 75CB0000 C:\Windows\SysWOW64\wkscli.dll DLL Loaded: 75C90000 C:\Windows\SysWOW64\srvcli.dll DLL Loaded: 75B80000 C:\Windows\SysWOW64\logoncli.dll The Resolved Function is : <logoncli.DsGetDcCloseW> (75B9F870) DLL Loaded: 75C60000 C:\Windows\SysWOW64\wtsapi32.dll The Resolved Function is : <wtsapi32.QueryUserToken> (75C61930) DLL Loaded: 75AF0000 C:\Windows\SysWOW64\activeds.dll DLL Loaded: 75AB0000 C:\Windows\SysWOW64\adsldpc.dll DLL Loaded: 76D60000 C:\Windows\SysWOW64\Wldap32.dll The Resolved Function is : <activeds.ADsFreeEnumerator> (75B10670) DLL Loaded: 75B50000 C:\Windows\SysWOW64\userenv.dll The Resolved Function is : <userenv.DestroyEnvironmentBlock> (75B57F30) DLL Loaded: 736D0000 C:\Windows\SysWOW64\mpr.dll The Resolved Function is : <mpr.WNetGetUniversalNameW> (736E1100) DLL Loaded: 75A40000 C:\Windows\SysWOW64\RstrtMgr.dll DLL Loaded: 75A10000 C:\Windows\SysWOW64\ncrypt.dll DLL Loaded: 779E0000 C:\Windows\SysWOW64\bcrypt.dll DLL Loaded: 759E0000 C:\Windows\SysWOW64\ntasn1.dll The Resolved Function is : <rstrtmgr.RmEndSession> (75A477E0) - After checking devices language and resolving APIs Functions that it needs, it looks for a mutex called “Global” if it exists, it shutdown and exit, and If it doesn’t exit, it creates a mutex with this name “Global” and keeps going for runnig. As shown :-
- Then it decodes a string “SOFTWARE\Microsoft\Cryptography” and this is a key in registry as shown :-
- Then it gets machine GUID for this device to generate the extention for this malware as shown :-
- Then it generates the extention for the malware from GUID machine “.f1f25696”:-
- Then It checks if you’re a 220 membership (group admin) or not
- Then It gets more info about token member ship
- Then it creates a COM objecet to run
- Then it decodes two strings “Elevation:Administrator!new:”, “{3E5FC7F9-9A51-4367-9063-A120244FBEC7}” and this is a UUID for Privilege Escalation
- Then it decodes a path for system32 and dllhost.exe for using COM and run the malware
- Then it creates a process
- Then it checks if you have AT ATHUROTY or not
- Then it looks for a service with “.f1f25696” extention if it finds it, it detetes this service and creates it
- Then a service with “.f1f25696” extension will be created
- It creates the readme file “README.f1f25696.txt” this file will be left in each encrypted path
- The file content is
----------- [ Welcome to DarkSide ] ------------->
What happend?
----------------------------------------------
Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data.
But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network.
Follow our instructions below and you will recover all your data.
Data leak
----------------------------------------------
First of all we have downloaded more then 500GB data from your network.
Included:
-Accounting data
-Finance data
-HR
-Employees confidential data(photos, benefits, taxes, etc)
-Marketing
-Budgets
-Taxes(sales tax compliance, property, income and franchise taxes, etc)
-Payrolls
-Banking data
-Arbitration
-Scans
-Insurance
-Reconciliations
-Reports(monthly bank inventory, monthly financial, claims reports, etc)
-Audits(DHG, insurance audits, etc)
-B2B clients config data
-Confidentiality 2020
-2020, 2021 Business plans
-2019, 2020, 2021 years Closing (full dumps)
-and a lot of other sensitive data
Your personal leak page: http://darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion/162/thedixiegroup/LCfyHRcwffrYTblpZvoPO3XDbrYPcNu0wVAsH5p49LSjBfzTmtdXT48azXFlMu7q
On the page you will find examples of files that have been downloaded.
The data is preloaded and will be automatically published if you do not pay.
After publication, your data will be available for at least 6 months on our tor cdn servers.
We are ready:
- To provide you the evidence of stolen data
- To delete all the stolen data.
What guarantees?
----------------------------------------------
We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests.
All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems.
We guarantee to decrypt one file for free. Go to the site and contact us.
How to get access on website?
----------------------------------------------
Using a TOR browser:
1) Download and install TOR browser from this site: https://torproject.org/
2) Open our website: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/W57MRI9C7YZJUZEABBBYRQLSUTG22JZ9MAH0WT1ISHC405KP7Z2UWY3AI3J68DNM
When you open our website, put the following data in the input form:
Key:
ug8lgpX3WrFzlEJ6HBWlwJnf7jemhfnlxBw9porj1uuYFTgKbxJQJLYiteQS7DwgZn7dH0fs7qPPWmZ6inPv5GTmSJZNAjGLVIjd4SoiyTdGyophf0zPBxx6uEAOJxM0Woo4ZGeKVoUDHtZsqZNnhMF7aPh54VnKpIJXiZDbZZw4P06xTuw1UMeiTE7wdg7HWZMepAVTzEI2W04RbkPFQHfUgEDcslDxbr83BvopYTYGKFRmtNUMH8OsOZQrOtv50xWDaOfbqxbzfHMJm30QGaGpgylJHQZsscz3XBnwIdvlwBJ9KN4DVgFgziRdvwJrfCP6YN1CYTOQgw1rzqmIU4G1xGYv7rE3jiBY1s4D3Y26SbppTceAVMu1mKx5CFIE3EbtcAsNtEqLHDbPnMCvU6Apwp17TXGob8xXJpEDBZhIzdTaCuybcprwcFNTOzccjbIH81W39MrcJi9mNO3kHRe5fxmIFKvc9v8aQDihGyC65DtdabyBjidXI1NyNONT4PTyrxYqgffPsNDFuzz2yMrXiTAwtAQPqny5BBJQsfVhpLXTtnLvWg1
!!! DANGER !!!
DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.
!!! DANGER !!!
- Then it starts to read paths on the computer and encrypt them
How to Prevent DarkSide Ransomware Attacks
- Use updated malware detection techniques.
- Backup your files
- Using more than access authentication (complexed passwords, fingerprint, …)
- Monitoring privileged account access
Summarization
In this article, we analyzed the DarkSide ransomware that encrypts your file system and demands a ransom to decrypt these files.
Then we gave a few steps to protect yourself and prevent the ransomware attack.
So if you liked my analyzed technique you can give me feedback about my analysis.
Thanks ☺♥