Security Experts:

DarkSide: Newly Found Variant and Implications for the Ransomware Gang's Future

DarkSide Ransomware

DarkSide ‒ the name given to both the gang and the ransomware it operated ‒ announced on May 13, 2021 that it would immediately cease operation of the DarkSide Ransomware-as-a-Service (RaaS) program. Three days later, researchers published an analysis of a newly found DarkSide variant containing a new function. It was found before the program closure -- raising two questions: is the new variant a threat; and what should we make of the DarkSide shutdown?

The answers to these questions are liberally strewn with possibly, probably and maybe.

The DarkSide RaaS operation

DarkSide operated a complex RaaS program. Matt Lock, the UK technical director at Varonis, explains that sometimes their affiliates would take the ransomware and control the entire attack; sometimes the affiliate would provide the access and DarkSide would effect the attack; sometimes it would be the reverse; and for really ‘juicy’ targets, DarkSide might do everything itself. The proceeds from any successful extortion would be divided between DarkSide and the affiliate concerned.

For this reason, even though it is easy to recognize a DarkSide attack, it is often difficult to know exactly who is conducting the attack. FireEye believes it has identified at least five affiliate groups.

Through the course of its operations, DarkSide and its affiliates have raked in an estimated $90 million (calculated at the time of analysis) in Bitcoin, according to blockchain analytics firm Elliptic.

Each use of the malware would be tailored for each individual attack, even down to having different C2s. They weren’t new versions, just different variants. Although anti-malware products could easily recognize the basic malware, the new variants would often mean that initial signature-based detection was easily defeated.

On May 13, 2021, DarkSide announced that the affiliate program had ceased. It had lost access to its blog, its payment server, and its CDN servers ‒ and funds from the payment server had been withdrawn to an unknown account. The note implied that an unspecified law enforcement agency was responsible, and added (translated from the Russian courtesy of intel471), “In view of the above and due to the pressure from the US, the affiliate program is closed. Stay safe and good luck.”

It is generally thought that in taking down the Colonial Pipeline, DarkSide had overstepped the mark and had drawn the serious ire of the U.S. three-letter agencies.

Fortinet's new variant

On May 17, 2021, Fortinet’s FortiGuard Labs published a report on a newly discovered function in a DarkSide variant that targets disk partitions. The discovery was made before the DarkSide operational closure, but is a function that has not been seen before. The new variant has the ability to detect and compromise partitioned hard drives, and is thought to enable greater file encryption to make the extortion effort more effective. It would also, of course, locate any backup files hidden by administrators in hidden partitions.

The researchers stress the professionalism of the malware coders. It was, they say, “programmed efficiently with very little wasted space, and compiler bloat has been kept to a minimum, which is unusual for most malware.” The two most interesting areas of this variant of DarkSide are its use of Active Directory, and its action against partitions.

First it looks for domain controllers, and then tries to use them to connect to Active Directory anonymously via LDAP with a null password and a null username. If it succeeds, it attempts to encrypt files in any network shares that it can find (after checking that they are writable), but avoids any shares named C$ and ADMIN$. These are default admin shares supposed to be accessible only to admins and backup operators.

“It seems likely,” say the researchers, “that DarkSide avoids these shares on the chance that it may not be running in the context of an Administrator and attempts to access them could potentially trigger an alert.”

It also scans the hard drive to see if it is a multi-boot system to find additional volumes/partitions to try and encrypt their files as well. If a found partition has a GUID that matches the results from a call to the DeviceloControl API, it skips the partition and moves on to the next. It needs to leave the infected machines in at least a semi-recoverable condition. For partitions that pass its tests, DarkSide attempts to mount them using the SetVolumeMountPointW API. Once mounted, it attempts to encrypt all the files contained.

“As far as we have been able to determine,” say the researchers, “these actions are new to the ransomware scene. As a result, the global cyber security community may not be properly protected against this attack strategy.”

The shutdown and the future of 'DarkSide'

The remaining questions are, is this new function anything more than an academic discovery after the DarkSide shutdown; and have we really seen the last of DarkSide?

The answer to the first is, ‘probably’. Malware gangs are known to share or copy techniques among themselves. Now that other gangs have seen DarkSide using the function, they will likely incorporate similar in their own ransomware, even if DarkSide itself doesn’t come back.

Which just leaves the question on the nature of the DarkSide shutdown. It will possibly not be permanent. The only way to stop a gang is to lock up the core members. Matt Lock believes this may provide the first clue to the shutdown. “It’s not as if we don’t know who they are,” he told SecurityWeek. “they’ve been quite open about their identity.”

This means they are effectively confined to Russia. If they step outside, they are in danger of arrest and extradition (or rendition) to the U.S. “It may be,” he continued, “they have decided to lay low until the heat dies down.”

But he also adds that it may be a moral decision. DarkSide has been quite clear that it would not attack anything that could lead to a danger of loss of life. The Colonial Pipeline is on the cusp of this, but probably violates DarkSide’s own moral code. It would also upset the Russian government, which is not yet engaged in direct damaging attacks against U.S. infrastructure. Lock suggests that the Colonial Pipeline attack may have been a mistake, either by DarkSide itself or by one of its affiliates.

There is nothing in this that indicates the permanent end of DarkSide. Both the gang members and the ransomware code still exist. “In the long term,” Val Saengphaibul, senior threat researcher at FortiGuard Labs, told SecurityWeek, “I don’t believe the shutdown will have an impact to the ransomware activities for one unfortunate reason: it is too profitable.” In the short term, however, it may scare off low level attackers using the ransomware as a service because they are afraid of getting caught. “But for the professionals who have been in the game for a long time, I’d think that they conduct good OpSec practices to avoid getting caught. Also, the usual international nature of bad actors adds another layer of complexity when it comes to law enforcement jurisdiction.”

It seems likely that DarkSide will return. It may be under a different name with amended software, or it may be a different gang using the DarkSide software ‒ but the model has proven too effective and too profitable to be permanently abandoned.

Related: DarkSide Ransomware Hits Toshiba Tec Group

Related: Colonial Pipeline Paid $5 Million to Ransomware Gang: Reports

Related: Industry Reactions to Ransomware Attack on Colonial Pipeline

Related: Tech Audit of Colonial Pipeline Found ‘Glaring’ Problems

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.