Welcome to the VB2021 conference!


A detailed analysis of a new version of Darkside ransomware (v. 2.1.2.3)

Vlad Pasca (LIFARS)
Darkside ransomware is the malware family responsible for the Colonial Pipeline attack of 7 May 2021. The binary dissected in this research contains an encrypted configuration that is decrypted with a custom algorithm, revealing a 22-byte buffer whose entries describe the actions the malware performs. These actions include: checking the system language and skipping encryption on Russian-language machines, deleting Shadow copies, wiping the Recycle Bin, ignoring specific files, directories and file extensions, killing specific processes, deleting specific services, etc.

The ransomware can perform privilege escalation using the CMSTPLUA COM interface and achieves persistence by installing itself as a service. Files are encrypted with a custom Salsa20 implementation, and the Salsa20 matrix (the per-file key material) is itself encrypted with the RSA public key hard-coded in the binary. Darkside uses multi-threading with I/O completion ports to communicate between the main thread and the worker threads responsible for file encryption. The process generates a random Salsa20 matrix using the RDRAND and RDSEED instructions, whereas earlier versions used the RtlRandomEx function.
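To make the hybrid scheme in the abstract concrete, here is an added example (written for this page, not code from the paper or from the Darkside binary) of a Salsa20 implementation following Bernstein's specification, used the way the abstract describes: a fresh 64-byte Salsa20 matrix per file, the file body XORed with the keystream derived from that matrix, and the matrix returned as the secret that would then be wrapped with the embedded RSA public key. The RSA wrap is deliberately left out, and `os.urandom` stands in for the RDRAND/RDSEED instructions; both are assumptions of this example, not details from the paper. The function names (`build_matrix`, `encrypt_file_contents`, `decrypt_file_contents`) are hypothetical.

```python
import os
import struct

MASK = 0xFFFFFFFF
# "expand 32-byte k": the Salsa20 constants used with a 256-bit key
SIGMA = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def quarterround(y0, y1, y2, y3):
    # Salsa20 quarterround: four add-rotate-xor steps, per the spec
    z1 = y1 ^ rotl((y0 + y3) & MASK, 7)
    z2 = y2 ^ rotl((z1 + y0) & MASK, 9)
    z3 = y3 ^ rotl((z2 + z1) & MASK, 13)
    z0 = y0 ^ rotl((z3 + z2) & MASK, 18)
    return z0, z1, z2, z3


def build_matrix(key, nonce, counter=0):
    """Lay out the 16-word Salsa20 state ("matrix"): constants on the diagonal
    (words 0, 5, 10, 15), key at words 1..4 and 11..14, nonce at 6..7,
    64-bit block counter at 8..9."""
    assert len(key) == 32 and len(nonce) == 8
    k = struct.unpack('<8I', key)
    n = struct.unpack('<2I', nonce)
    return [SIGMA[0], k[0], k[1], k[2], k[3],
            SIGMA[1], n[0], n[1],
            counter & MASK, (counter >> 32) & MASK,
            SIGMA[2], k[4], k[5], k[6], k[7],
            SIGMA[3]]


def salsa20_block(state, rounds=20):
    """One 64-byte keystream block: rounds/2 double rounds, then add the input."""
    x = list(state)
    for _ in range(rounds // 2):
        # column round
        x[0], x[4], x[8], x[12] = quarterround(x[0], x[4], x[8], x[12])
        x[5], x[9], x[13], x[1] = quarterround(x[5], x[9], x[13], x[1])
        x[10], x[14], x[2], x[6] = quarterround(x[10], x[14], x[2], x[6])
        x[15], x[3], x[7], x[11] = quarterround(x[15], x[3], x[7], x[11])
        # row round
        x[0], x[1], x[2], x[3] = quarterround(x[0], x[1], x[2], x[3])
        x[5], x[6], x[7], x[4] = quarterround(x[5], x[6], x[7], x[4])
        x[10], x[11], x[8], x[9] = quarterround(x[10], x[11], x[8], x[9])
        x[15], x[12], x[13], x[14] = quarterround(x[15], x[12], x[13], x[14])
    return struct.pack('<16I', *((a + b) & MASK for a, b in zip(x, state)))


def salsa20_xor(matrix_bytes, data):
    """XOR data with the keystream generated from a serialized 64-byte matrix.
    Encryption and decryption are the same operation; the counter words
    (8 and 9) advance once per 64-byte block."""
    state = list(struct.unpack('<16I', matrix_bytes))
    out = bytearray()
    for off in range(0, len(data), 64):
        block = salsa20_block(state)
        out += bytes(a ^ b for a, b in zip(data[off:off + 64], block))
        state[8] = (state[8] + 1) & MASK
        if state[8] == 0:
            state[9] = (state[9] + 1) & MASK
    return bytes(out)


def generate_matrix(rng=os.urandom):
    """Fresh per-file matrix. os.urandom is an assumed stand-in here for the
    RDRAND/RDSEED hardware instructions the abstract mentions."""
    return struct.pack('<16I', *build_matrix(rng(32), rng(8)))


def encrypt_file_contents(plaintext, rng=os.urandom):
    """Returns (ciphertext, matrix). The matrix is the per-file secret that a
    Darkside-style scheme then encrypts with the embedded RSA public key and
    stores alongside the file; that RSA step is not implemented here."""
    matrix = generate_matrix(rng)
    return salsa20_xor(matrix, plaintext), matrix


def decrypt_file_contents(ciphertext, matrix):
    """What a decryptor does once the matrix has been unwrapped with the
    RSA private key, or what an analyst does with a matrix recovered from memory."""
    return salsa20_xor(matrix, ciphertext)


if __name__ == "__main__":
    sample = b"constructed sample document body, not a real victim file\n" * 4
    ct, matrix = encrypt_file_contents(sample)
    assert decrypt_file_contents(ct, matrix) == sample
    print("matrix words 0,5,10,15 are the Salsa20 constants:",
          [hex(w) for w in struct.unpack('<16I', matrix)[::5]])
```

The practical point for an analyst follows from the layout: the matrix carries key, nonce and counter together, so anyone who recovers those 64 bytes for a file (from the RSA-unwrapped blob with the private key, or from process memory before the worker thread releases it) can decrypt that file without touching RSA at all.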
Vlad Pasca
LIFARS

Vlad Pasca is a senior malware and threat analyst at LIFARS LLC with over four years of blue-teaming experience. He holds multiple industry-recognized certifications, including OSCE, OSCP, GREM and eCPTX, and is looking forward to presenting his research at cybersecurity conferences. Vlad runs a malware analysis blog where he publishes research on new malware samples from groups such as Darkside and Conti, as well as Chinese and Russian APTs.