Darkside ransomware is the malware family responsible for the Colonial Pipeline attack of 7 May 2021. The binary dissected in this research contains an encrypted configuration that is decrypted with a custom algorithm, revealing a 22-byte buffer that describes the actions the malware performs. These actions include checking the system language and skipping encryption on Russian-language machines, deleting shadow copies, wiping the Recycle Bin, ignoring specific files, directories and file extensions, killing specific processes, deleting specific services, etc.
The ransomware can perform privilege escalation using the CMSTPLUA COM interface and achieves persistence by installing itself as a service. Files are encrypted with a custom Salsa20 implementation, and the Salsa20 matrix is itself encrypted with the public RSA key hard-coded in the binary. Darkside uses multi-threading with I/O completion ports to communicate between the main thread and the worker threads responsible for file encryption. The process generates a random Salsa20 matrix using the RDRAND and RDSEED instructions, unlike earlier versions, which used the RtlRandomEx function.
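When a sample ships a "custom" Salsa20, an analyst needs a trusted reference to diff it against (changed constants, rotation amounts, or matrix layout all show up as keystream mismatches). The following is an added example, not code from the talk or the malware: a minimal reference Salsa20/20 keystream generator built from the published spec, with a constructed key and nonce.

```python
import struct

SIGMA = b"expand 32-byte k"  # spec constant for 256-bit keys; a custom variant may change it
MASK = 0xFFFFFFFF


def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK


def salsa20_core(state, rounds=20):
    """Salsa20 hash: 16 little-endian words in, 16 words out (spec rotations 7/9/13/18)."""
    x = list(state)

    def qr(a, b, c, d):
        x[b] ^= _rotl((x[a] + x[d]) & MASK, 7)
        x[c] ^= _rotl((x[b] + x[a]) & MASK, 9)
        x[d] ^= _rotl((x[c] + x[b]) & MASK, 13)
        x[a] ^= _rotl((x[d] + x[c]) & MASK, 18)

    for _ in range(rounds // 2):
        qr(0, 4, 8, 12); qr(5, 9, 13, 1); qr(10, 14, 2, 6); qr(15, 3, 7, 11)   # column round
        qr(0, 1, 2, 3); qr(5, 6, 7, 4); qr(10, 11, 8, 9); qr(15, 12, 13, 14)  # row round
    return [(x[i] + state[i]) & MASK for i in range(16)]


def salsa20_matrix(key, nonce, counter=0):
    """The 64-byte state (the 'matrix' the RSA key wraps): sigma, key, nonce, counter."""
    assert len(key) == 32 and len(nonce) == 8
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    s = struct.unpack("<4I", SIGMA)
    return [s[0], *k[:4], s[1], *n, counter & MASK, counter >> 32, s[2], *k[4:], s[3]]


def salsa20_xor(key, nonce, data):
    """XOR data with the keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = struct.pack("<16I", *salsa20_core(salsa20_matrix(key, nonce, off // 64)))
        out += bytes(a ^ b for a, b in zip(data[off:off + 64], ks))
    return bytes(out)


# Constructed sample key/nonce for a self-check; not values from any sample.
KEY = bytes(range(32))
NONCE = b"\x01" * 8
```

Feed a recovered 64-byte matrix (after RSA decryption) into `salsa20_core` directly to compare the reference keystream against what the binary produces.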
Got a question about this presentation? To get in touch with the speaker, contact Vlad on Twitter at @GeeksCyber.