DarkSide Ransomware Variant Compromises Disk Partitions

A new DarkSide ransomware variant interrogates the disk drive on an infected system to locate all partitions present, mount additional partitions, and encrypt the files on them.

This variant was used in an attack in April 2021. Researchers at found this capability is unique to all currently available ransomware. This example of ransomware-as-a-service (RaaS) shows attackers are adapting and making it easier for less skilled criminals to gain access to novel malware techniques.

What Is It?

Now infamous, due to the Colonial Pipeline attack, DarkSide ransomware was first seen on Russian underground forums in August of 2020; and operates on the ransomware-as-a-service (RaaS) model. RaaS allows other cyber criminals, likely less technically skilled individuals, to subscribe and gain access to ransomware for a fixed percentage of the ransoms paid by victims (usually around 30%). Configuration of the ransomware itself and monitoring of attacks is typically performed through a centralized GUI portal, lowering the technical skill required of subscribers. RaaS operators have borrowed terminology from legitimate Software as a Service and refer to their subscribers as “affiliates.”

Elliptic, a British blockchain analytics company, have reported that since October 2020, DarkSide received a little over $90 Million in bitcoin payments from 47 unique wallets. It appears that owing to the sliding scale of commission the DarkSide developers take, depending on the size of the ransom, that they received $15.5 million, while the affiliates kept a total of $74.7 million.

One of the advantages for affiliates, is access to updated variants of ransomware developed by the RaaS operator. One such new DarkSide variant is described in research recently released by Fortinet. Fortinet found a variant of DarkSide which utilizes a capability they believe to be unique to all currently available ransomware. That being, the ability to read disk partition information and potentially encrypt files, on additional disk partitions, within infected systems. We would like to highlight that this variant was not used in the Colonial Pipeline attack.

This new DarkSide variant interrogates the disk drive on an infected system to locate all the disk partitions present. It skips certain types of reserved system partitions and attempt to mount additional partitions and encrypt files on them; potentially leading to increased impact on multi-boot systems and those containing data partitions. We can assume, the authors believe the effort invested in researching, and coding this feature will, quite literally, pay-off for them.

The sample described by Fortinet was used in a known DarkSide attack against a victim in April 2021. When we executed the sample for analysis in a virtual machine, it was apparent the ransom note was not generic but unique to this specific attack. The ransom note lists how much data the attackers claim to have downloaded from the victim’s network and details the specifics data downloaded. The attackers offer to provide evidence of exfiltrated data and claim that upon payment of the ransom, all stolen data will be deleted. Exfiltration of sensitive data prior to executing the ransomware is now a common tactic, used by attackers as additional incentive for victims to pay the ransom, or risk having their sensitive data publicly released. The attackers also guarantee to their victim, their decryption capabilities will decrypt all files –  going as far as offering support in the event there are issues on the back-end of the ransom payment being made. DarkSide’s intent is to make the entire process of paying the ransom, and decrypting files, as easy as possible. It can be assumed the criminals also want to reduce a victim’s motivation to recover files via backups. The filename for the ransom notes we analyzed contains an eight-character hexadecimal string, “c177efc0”, which is also used as the file extension for encrypted files. In the case of RaaS malware, this string is either the affiliate’s ID or a unique ID to identify the campaign or specific target.

How Does DarkSide Propagate?

The malware does not contain the necessary code to self-propagate. However, this DarkSide ransomware variant is capable of encrypting files on alternate disk partitions and network shares. As with most ransomware, initial attack vectors utilized by DarkSide ransomware attacks are often poorly secured internet facing servers, exploitation of unpatched software vulnerabilities and spear phishing emails.

When/How Did BluVector Detect It?

One sample of DarkSide partition encrypting ransomware is publicly available and BluVector’s patented Machine Learning Engine (MLE) detected it. Regression testing has shown the sample would have been detected 88 months prior to its release.

Additionally, 27 other recent DarkSide ransomware samples, 24 Windows executables and 3 Linux executables, were also regression tested. All 27 were detected by BluVector’s patented Machine Learning Engine (MLE) and would have been detected an average of 75 months prior to their release.

All Threat Reports