Day 23: DarkSide Ransomware

DarkSide ransomware gain initial access using brute force attacks and exploiting known vulnerabilities in the remote desktop protocol (RDP). The ransomware performs a validation on the machine to infect after gaining initial access and then collects information about the computer name and system language during the initial code execution phase. DarkSide ransomware checks to see if user has administrator privileges, if not, the ransomware will use the UAC bypass technique by exploiting the CMSTPLUA COM interface to gain administrator privileges. The ransomware locates the data backup applications, exfiltrates the data, and then encrypts local files.

Using PowerShell scripts, the ransomware deletes the volume shadow copies preventing victims from recovering the files. DarkSide implements the Impair Defense method to disable security protection services avoiding possible detection of their tools and activities. The Impair Defenses technique can include killing security software or event logging processes, deleting Registry keys so the tool will not start at run time, or interfering with security tools that scan or report information. DarkSide then deletes the security protection services. A custom 8 characters file extension is generated based on machine GUID and using API RtlComputeCRC32 and will be added to each encrypted file name. Darkside uses encrypted APIs, strings, and ransom notes to avoid ransomware detection. The ransomware uses Salsa20, a key randomly generated using RtlRandomEx API, and an RSA-1024 public key to encrypt the files.