How does Darkside Ransomware work?
Many of us are unaware of important cybersecurity topics that have a large impact on our day-to-day lives. Knowing how these threats work helps us stay safe from new attacks and, of course, recover from a bad situation when it happens. Darkside is a relatively new group that has come up with a whole new ransomware strain. The strain was first seen in August 2020, but according to recent news on various trusted sources, a new version, known as Darkside 2.0, is also on the way. The new version claims to be much faster than the previous one at encrypting various types of files, faster than any ransomware currently in circulation.
This information has been confirmed by experienced cybersecurity experts. According to them, the group is new but is going to become more organized and efficient than before. Darkside ransomware can therefore be described as a newly launched strain that is used mainly to target large multinational corporations and high-revenue firms. The result is encryption of files as well as theft of sensitive data, which is then used to threaten the owner. Once such data is stolen, the group demands a large ransom to return it; if the ransom is not paid, the data is leaked publicly, which can be highly damaging for any organization or person. Because the impact of this threat is potentially severe, it is important to understand it so that security teams can prepare methods to defend against it.
The Darkside ransomware was first seen last year in August, and since then a new version has been in preparation for launch within a few months. The Darkside group is operated under a ransomware-as-a-service (RaaS) model. The group also has a history of double extortion of its victims over the past few years, as several recent reports on the group make clear. In double extortion, payment is demanded both to unlock the affected computers and to retrieve the exfiltrated data. The techniques used by the attackers behind Darkside ransomware can be described as sophisticated. As part of this, initial access is gained by exploiting public-facing applications, and defences are impaired.
Darkside ransomware exploits vulnerabilities such as CVE-2019-5544 and CVE-2020-3992. Patches for both have been widely available, but the attackers target organizations still running unpatched, older versions of the affected software. In addition, during encryption Darkside uses a customized ransom note and file extension for most of its victims. Turning to the technical details of Darkside ransomware, the first thing to discuss is initial access. Darkside mostly performs brute-force attacks against the Remote Desktop Protocol (RDP) and exploits the initial vulnerabilities found there to gain initial access.
After this, Darkside ransomware validates the machines to infect. The ransomware collects the computer name and the system language before executing its initial code; Darkside mainly targets English-speaking countries. The ransomware then checks the default system settings. The next stage is privilege escalation and lateral movement. Privilege escalation covers various techniques used to gain higher-level permissions on the system or, more often, the network. It is typically achieved when a malicious user exploits a bug or a configuration error in an application or in the operating system itself.
It is also used to gain elevated access to all kinds of resources that are not normally available to most users. Darkside ransomware checks whether the current user already has administrator privileges; if not, it uses a UAC bypass technique built on the CMSTPLUA COM interface. The next stage is data exfiltration. As part of deployment, Darkside identifies data backup applications, exfiltrates data and then encrypts the local files. Another important step is deleting volume shadow copies. Ransomware campaigns often try to delete the volume shadow copies of important files from the computer so that victims cannot restore data simply by reverting to a shadow copy. This deletion is mainly done using PowerShell scripts.
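As an added example that is not part of the original article, the following Python detector illustrates how a defender can flag the shadow-copy deletion step described above. It scans constructed PowerShell script-block log entries (a simplified "timestamp|host|user|script" line format, not a real event export or real Darkside artifacts) for the commands commonly used to delete shadow copies, and it goes slightly beyond the article by also decoding a base64 -EncodedCommand payload before matching.

```python
import base64
import re

# Constructed sample entries (not real Darkside artifacts). The last entry carries
# the deletion command as a UTF-16LE base64 -EncodedCommand payload built inline.
ENCODED = base64.b64encode("vssadmin delete shadows /all /quiet".encode("utf-16-le")).decode()
SAMPLE_LOGS = [
    "2021-05-10T09:12:01Z|WS01|alice|Get-ChildItem C:\\Users\\alice\\Documents",
    "2021-05-10T09:12:44Z|WS01|alice|Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }",
    "2021-05-10T09:13:02Z|SRV02|svc-backup|vssadmin list shadows",
    "2021-05-10T09:13:30Z|SRV02|SYSTEM|vssadmin delete shadows /all /quiet",
    "2021-05-10T09:14:10Z|SRV02|SYSTEM|powershell.exe -NoP -EncodedCommand " + ENCODED,
]

# Common command-line forms of shadow-copy deletion; listing shadows alone is not flagged.
SHADOW_DELETE_PATTERNS = {
    "vssadmin_delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "wmic_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "wmi_delete_method": re.compile(r"Win32_Shadowcopy.*\.Delete\(\)", re.I),
}
# Matches -e, -enc and -EncodedCommand followed by a base64 blob.
ENCODED_ARG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(script):
    """Append the decoded -EncodedCommand payload (UTF-16LE base64) to the script, if any."""
    m = ENCODED_ARG.search(script)
    if not m:
        return script
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return script  # not valid base64/UTF-16LE: leave the script as-is
    return script + "\n" + decoded

def parse_line(line):
    ts, host, user, script = line.split("|", 3)
    return {"timestamp": ts, "host": host, "user": user, "script": script}

def find_shadow_copy_deletion(lines):
    """Return the entries whose (decoded) script matches a shadow-copy deletion pattern."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        text = decode_encoded_command(entry["script"])
        for name, pat in SHADOW_DELETE_PATTERNS.items():
            if pat.search(text):
                entry["rule"] = name
                hits.append(entry)
                break
    return hits

if __name__ == "__main__":
    for hit in find_shadow_copy_deletion(SAMPLE_LOGS):
        print(f"{hit['timestamp']} {hit['host']} {hit['user']} rule={hit['rule']}")
```

On the constructed sample the detector flags the WMI Delete() call, the plain vssadmin deletion and the encoded one, while ignoring the benign directory listing and the "vssadmin list shadows" query.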