In order to evade analysis and sandbox detection, DarkSide ransomware only operates when the loader and data file are both present. The loader with the name “msupdate64.exe” reads the “config.ini” data file within the same path that contains the encoded ransomware and runs the ransomware on the memory area of a normal process. The ransomware is structured to only operate when a specific argument matches. It will then register itself to the task scheduler and run itself periodically.
The following are the features of DarkSide ransomware.
1) Ransomware Encryption Target Exception List
After being injected into a normal process, the ransomware encrypts all files aside from those with certain folder and file names. Table 1 and 2 contains the folder paths and filenames excluded from the encryption.
| Folder Paths Excluded From Encryption |
| “AppData” “Boot” “Windows” “WINDOWS” “Windows.old” “Ahnlab” “Tor Browser” “Internet Explorer” “Google” “Opera” “Opera Software” “Mozilla” “Mozilla Firefox” “$Recycle.Bin” “ProgramData” “All Users” “Program Files” “Program Files (x86)” “#recycle” “..” “.” “SYSVOL” “bootmgr” “ntldr” |
| Filenames Excluded From Encryption |
| “autorun.inf” “boot.ini” “bootfont.bin” “bootsect.bak” “bootmgr.efi” “bootmgfw.efi” “desktop.ini” “iconcache.db” “ntuser.dat” “ntuser.dat.log” “ntuser.ini” “thumbs.db” “AUTOEXEC.BAT” “autoexec.bat” “bootfont.bin” “bootfont.bin” “ntldr” “config.ini” “begin.txt” “finish.txt” |
2) Force Terminate Running Processes
The ransomware terminates running processes in order to prevent file-handling conflicts during the encryption process. The following is a list of those targets.
| Force Terminated Processes |
| “sql.exe” “oracle.exe” “ocssd.exe” “dbsnmp.exe” “synctime.exe” “agntsvc.exe” “isqlplussvc.exe” “xfssvccon.exe” “mydesktopservice.exe” “ocautoupds.exe” “encsvc.exe” “firefox.exe” “tbirdconfig.exe” “mydesktopqos.exe” “ocomm.exe” “dbeng50.exe” “sqbcoreservice.exe” “excel.exe” “infopath.exe” “msaccess.exe” “mspub.exe” “onenote.exe” “outlook.exe” “powerpnt.exe” “steam.exe” “thebat.exe” “thunderbird.exe” “visio.exe” “winword.exe” “wordpad.exe” “wrapper.exe” “dbsrv12.exe” “WinSAT.exe” |
3) Service Termination Targets
The ransomware closes backups and services related to AV products. Table 4 is a list of such targets.
| Terminated Services |
| vss sql svc$ memtas mepocs sophos backup GxCIMgr DefWatch ccEvtMgr ccSetMgr SavRoam RTVscan QBFCService QBIDPService Intuit.QuickBooks.FCS QBCFMonitorService YooBackup zhudongfangyu stc_raw_agent VSNAPVSS VeeamTransportSvc VeeamDeploymentService VeeamNFSSvc PDVFSService BackupExecVSSProvider BackupExecAgentAccelerator BackupExecAgentBrowser BackupExecDiveciMediaService BackupExecJobEngine BackupExecManagementService BackupExecRPCService AcrSch2Svc AcronisAgent CASAD2DWebSvc CAARCUpdateSvc |
4) Delete Volume Shadows, Suspend Windows Event Logging, and Deactivate Windows Recovery
The threat actor uses tools such as vssadmin.exe to perform acts like deleting volume shadow copies, but they manage to bypass command line-based behavior detection by using the following method.
Each process is run in SUSPEND mode, but garbage values like “11111111” are given as command line arguments. Afterward, the address of the command line is obtained by reading the PEB from the corresponding process memory and finding the RTL_USER_PROCESS_PARAMETERS struct.
Finally, by using WriteProcessMemory() to rewrite the actual command line argument in the obtained address, tools like vssadmin.exe can perform normally by using the newly transmitted argument.
| Process Execution Log | Actual Command Line |
| vssadmin.exe 11111111111111111111111111 | vssadmin.exe Delete Shadows /All /Quiet |
| bcdedit.exe 111111111111111111111111111111111 | bcdedit.exe /set {default} recoveryenabled No |
| bcdedit.exe 1111111111111111111111111111111111111111111111111 | bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures |
| wbadmin.exe 111111111111111111111111 | wbadmin.exe DELETE SYSTEMSTATEBACKUP |
| wbadmin.exe 11111111111111111111111111111111111111 | wbadmin.exe DELETE SYSTEMSTATEBACKUP -deleteOldest |
| wbadmin.exe 111111111111111111111 | wbadmin.exe delete catalog -quiet |
| wbadmin.exe 1111111111111 | wbadmin.exe delete backup |
| wbadmin.exe 1111111111111111111111111111111111111111 | wbadmin.exe delete systemstatebackup -keepversions:0 |
| wevtutil.exe 111111111111111111111 | wevtutil.exe clear-log Application |
| wevtutil.exe 111111111111111111 | wevtutil.exe clear-log Security |
| wevtutil.exe 1111111111111111 | wevtutil.exe clear-log System |
| wevtutil.exe 111111111111111111111111111111 | wevtutil.exe clear-log “windows powershell” |
| wmic.exe 1111111111111111111111111 | wmic.exe SHADOWCOPY /nointeractive |
| net.exe 1111111111 | net.exe stop MSDTC |
| net.exe 1111111111111111111 | net.exe stop SQLSERVERAGENT |
| net.exe 1111111111111111 | net.exe stop MSSQLSERVER |
| net.exe 11111111 | net.exe stop stop vds |
| net.exe 11111111111111 | net.exe stop SQLWriter |
| net.exe 111111111111111 | net.exe stop SQLBrowser |
| net.exe 1111111111111111 | net.exe stop MSSQLSERVER |
| net.exe 1111111111111111111 | net.exe stop MSSQL$CONTOSO1 |
| netsh.exe 1111111111111111111111111111111111111111 | netsh.exe advfirewall set currentprofile state off |
| netsh.exe 11111111111111111111111111111111 | netsh.exe firewall set opmode mode=disable |
The AhnLab EDR/MDS line of products considers executions like the ones above as abnormal executions. MDS products can also check the data that’s written on target process memories.
| Written data |
| 76 00 73 00 73 00 61 00 64 00 6d 00 69 00 6e 00 2e 00 65 00 78 00 65 00 20 00 44 00 65 00 6c 00 65 00 74 00 65 00 20 00 53 00 68 00 61 00 64 00 6f 00 77 00 73 00 20 00 2f 00 41 00 6c 00 6c 00 20 00 2f 00 51 00 75 00 69 00 65 00 74 00 |
| What command the above data means |
| vssadmin.exe Delete Shadows /All /Quiet |
5) Ransom Note and File Encryption Extension
The ransomware generates a ransom note file called “_r_e_a_d_m_e.txt”, like the one shown in Figure 7, in each encrypted folder.
Additionally, the ransomware changes the extension format of encrypted files to “.s1s2s3[number of encrypted files]”.
6) Self-deleting Ransomware
After the ransomware finishes its actions, it attempts to delete itself through the following command.
| Self-deletion Command |
| “C:\Windows\System32\cmd.exe” /c ping 127.0.0.1 -n 3 && del /f/q “C:\Users\Default\Desktop\msupdate64.exe” |
Internal Propagation (Ransomware Distribution Method Through Domain Controller)
When this ransomware becomes active on the domain controller of an AD server, it creates a group policy as shown in Figure 9 to distribute the ransomware to other PCs linked to the current domain.
Table 8 shows a file-related group policy which gives the command to copy the executable file within the ransomware’s domain controller to the desktops of infected PCs with the name format “[Distribution Date]_[Ransomware Filename].exe”.
| {D6C45CD3-BCB9-4D6C-A16C-FD416DAA1C47}\User\Preferences\Files\Files.xml |
| <?xml version=”1.0″ encoding=”utf-8″?> <Files clsid=”{215B2E53-57CE-475c-80FE-9EEC14635851}”><File clsid=”{50BE44C8-567A-4ed1-B1D0-9234FE1F38AF}” name=”[Distributed Date][Ransomware Filename].exe” status=”[Distribution Date][Ransomware Filename].exe” image=”2″ changed=”[Distribution Date]” uid=”{1F86D6A8-6640-47D8-A26B-E263CAECE394}” bypassErrors=”1″> |
DarkSide will not operate if a certain argument to prevent replication and analysis does not match. However, as shown in Figure 10, AhnLab EDR detects ransomware strains generated through group policies in AD environments. It is also possible to check the arguments at the point of execution.
For continuous propagation, the ransomware distributes group policies with the following command.
| PowerShell command |
| powershell.exe -Command “Get-ADComputer -filter * -Searchbase ‘DC=ahnlabs,DC=com’ | foreach{ Invoke-GPUpdate -computer $_.name -force -RandomDelayInMinutes 0}” |
The threat actor that performs an ATP attack on the AD environments of companies for monetary gain distributes their malware after checking the detection of all AV products based on existing signatures.
As shown in the above Figure 13, there is a great chance that DarkSide ransomware can evade being detected by AV products based on existing signatures since it cannot be collected by even VirusTotal.
The importance of an APT detection solution like MDS and EDR, which records and reports all suspicious behaviors in endpoints, becomes clear when it comes to trying to detect this threat effectively.
DarkSide ransomware attacks correspond to the following techniques in the MITRE ATT&CK framework.
- T1486 Data Encrypted for Impact[1]
- T1484.001 Domain Policy Modification: Group Policy Modification[2]
- T1053.005 Scheduled Task/Job: Scheduled Task[3]
- T1562.001 Impair Defenses: Disable or Modify Tools or T1489 Service Stop[4]
- T1489 Service Stop[5]
- T1021.002 Remote Services: SMB/Windows Admin Shares[6]
- T1562.001 Impair Defenses: Disable or Modify Tools[7]
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
Categories:AhnLab Detection
[…] policy, according to Check Point and South Korean cybersecurity company AhnLab, which erroneously attributed the infection chain to DarkSide earlier this […]
[…] policy, according to Check Point and South Korean cybersecurity company AhnLab, which erroneously attributed the infection chain to DarkSide earlier this […]
[…] dropped a note that more closely resembled DarkSide ransomware notes (causing some to mistakenly refer to it as DarkSide). Each person who examined the ransomware saw something a little bit different, prompting us to […]
[…] at a US-based company. Later they realized that researchers from South Korean security firm AhnLab had previously documented a variant in February, but attributed it to the known DarkSide ransomware operation. Check Point […]
[…] policy, according to Check Point and South Korean cybersecurity company AhnLab, which erroneously attributed the infection chain to DarkSide earlier this […]
[…] of Rorschach appear to be in circulation. Last month, South Korean cybersecurity company AhnLab published an analysis of ransomware that it described as being a DarkSide variant, in part because it uses a […]
[…] of Rorschach appear to be in circulation. Last month, South Korean cybersecurity company AhnLab published an analysis of ransomware that it described as being a DarkSide variant, in part because it uses a […]
[…] according to Check Point and South Korean cybersecurity company AhnLab, which erroneously attributed the infection chain to DarkSide earlier this […]
[…] analyzed by ASEC AhnLab’s researchers, the Rorschach ransomware has some typical and a few distinctive […]
[…] policy, according to Check Point and South Korean cybersecurity company AhnLab, which erroneously attributed the infection chain to DarkSide earlier this […]
[…] Previamente analisado pelos pesquisadores da ASEC AhnLab, o ransomware Rorschach tem algumas características típicas e algumas únicas: […]
[…] at a US-based company. Later they realized that researchers from South Korean security firm AhnLab had previously documented a variant in February, but attributed it to the known DarkSide ransomware operation. Check Point […]
[…] at a US-based company. Later they realized that researchers from South Korean security firm AhnLab had previously documented a variant in February, but attributed it to the known DarkSide ransomware operation. Check Point […]
[…] tarde se dieron cuenta de que investigadores de la firma de seguridad surcoreana AhnLab habían documentado previamente una variante en febrero, pero la atribuyeron a la conocida operación […]
[…] policy, according to Check Point and South Korean cybersecurity company AhnLab, which erroneously attributed the infection chain to DarkSide earlier this […]
[…] to now analyzed through ASEC AhnLab’s researchers, the Rorschach ransomware has some conventional and a few […]