DarkSide Ransomware

1. Executive Overview

  • Victim: Colonial Pipeline Company (largest refined fuel pipeline in the U.S.)
  • Date: Initial intrusion likely April 29–30, 2021, ransomware executed May 6–7, 2021
  • Ransomware family: DarkSide
  • Initial access: Compromised legacy VPN account without MFA
  • Impact: IT systems encrypted → proactive shutdown of OT pipeline operations
  • Ransom paid: ~75 BTC (~$4.4M) (partially recovered by FBI)

2. Initial Access Vector

2.1 VPN Compromise

  • Account: Legacy VPN account (likely Pulse Secure or similar)
  • Authentication: Username + password only (no MFA)
  • Credential source: Believed to be from previous credential leak / password reuse
  • Account status: Account was inactive but not disabled

Technical failures:

  • No MFA on remote access
  • Stale accounts not deprovisioned
  • Password reuse
  • No conditional access or geo-fencing


3. Kill Chain (MITRE ATT&CK Mapping)

Phase                 | Technique                        | MITRE ID
----------------------+----------------------------------+---------
Initial Access        | Valid Accounts (VPN)             | T1078
Persistence           | Scheduled Tasks / Services       | T1053
Privilege Escalation  | Credential Dumping               | T1003
Lateral Movement      | SMB / PsExec                     | T1021
C2                    | HTTPS over Tor                   | T1071
Exfiltration          | Data Compression + HTTPS         | T1560
Impact                | Data Encryption                  | T1486

4. Internal Recon & Privilege Escalation

4.1 Reconnaissance Commands Observed

Typical DarkSide affiliate behavior:

  • whoami
  • net user
  • net localgroup administrators
  • nltest /dclist
  • net view /domain
  • ipconfig /all
  • tasklist

4.2 Credential Harvesting

Tools commonly used:

  • Mimikatz
  • LSASS memory dumping
  • SAM/SECURITY hive export

Example:

  • reg save HKLM\SAM sam.save
  • reg save HKLM\SYSTEM system.save
  • reg save HKLM\SECURITY security.save

5. Lateral Movement

  • SMB (445/TCP)
  • PsExec-like service execution
  • Domain Admin credentials obtained prior to ransomware deployment

Example pattern: psexec \\HOSTNAME -s cmd.exe


6. DarkSide Ransomware – Malware Internals

6.1 Language & Structure

  • Written in C/C++
  • Highly modular
  • Supports affiliate configuration
  • Compiled per victim (unique builds)

6.2 Execution Flow

  1. Process Injection / Execution
  2. Privilege Check
  3. Shadow Copy Deletion
  4. Backup & Service Termination
  5. File Encryption
  6. Ransom Note Deployment

6.3 Pre-Encryption Actions

Kill Processes & Services

Targets:

  • SQL
  • Exchange
  • Backup agents
  • AV services

Example:

  taskkill /IM sqlservr.exe /F
  net stop VeeamBackupSvc

Shadow Copy Removal

Example:

  vssadmin delete shadows /all /quiet
  wmic shadowcopy delete
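The recon commands (4.1), hive export via reg save (4.2), shadow copy deletion and backup/SQL service termination (6.3) are all visible in process-creation telemetry. The following is an added detection example, not code from the original write-up: it scores constructed Sysmon-style events per host, with weights chosen (an assumption) so that shadow copy deletion alone, or hive export combined with recon, reaches the alert threshold.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry
# from the Colonial Pipeline incident. Tuple layout: (host, user, command line).
SAMPLE_EVENTS = [
    ("WS01", "CORP\\jdoe", "whoami"),
    ("WS01", "CORP\\jdoe", "net user"),
    ("WS01", "CORP\\jdoe", "net localgroup administrators"),
    ("WS01", "CORP\\jdoe", "nltest /dclist"),
    ("WS01", "CORP\\jdoe", "reg save HKLM\\SAM sam.save"),
    ("WS01", "CORP\\jdoe", "reg save HKLM\\SYSTEM system.save"),
    ("FS02", "CORP\\svc_backup", "vssadmin delete shadows /all /quiet"),
    ("FS02", "CORP\\svc_backup", "wmic shadowcopy delete"),
    ("FS02", "CORP\\svc_backup", "net stop VeeamBackupSvc"),
    ("FS02", "CORP\\svc_backup", "taskkill /IM sqlservr.exe /F"),
    ("WS03", "CORP\\alice", "ipconfig /all"),
]

# (name, pattern, weight): the weights are an assumption chosen so that shadow copy
# deletion alone, or hive export plus recon, reaches the default threshold of 4.
SIGNATURES = [
    ("recon", re.compile(
        r"^(whoami|net user|net localgroup administrators|nltest /dclist"
        r"|net view /domain|ipconfig /all|tasklist)\b", re.I), 1),
    ("hive_export", re.compile(r"^reg\s+save\s+HKLM\\(SAM|SYSTEM|SECURITY)\b", re.I), 3),
    ("shadow_delete", re.compile(
        r"^(vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete)\b", re.I), 5),
    ("backup_kill", re.compile(
        r"^(taskkill\s+/IM\s+sqlservr\.exe|net\s+stop\s+VeeamBackupSvc)\b", re.I), 3),
]


def score_hosts(events):
    """Map host -> (score, sorted signature names); each signature counts once per host."""
    seen = {}
    for host, _user, cmdline in events:
        for name, pattern, weight in SIGNATURES:
            if pattern.search(cmdline):
                seen.setdefault(host, {})[name] = weight
    return {h: (sum(s.values()), sorted(s)) for h, s in seen.items()}


def hosts_at_risk(events, threshold=4):
    """Hosts whose combined score reaches the threshold, sorted by name."""
    return sorted(h for h, (score, _) in score_hosts(events).items() if score >= threshold)


if __name__ == "__main__":
    for host, (score, names) in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: score={score} signatures={names}")
    print("hosts at risk:", hosts_at_risk(SAMPLE_EVENTS))
```

Counting each signature once per host keeps a noisy recon burst from inflating the score; the chain, not the volume, is what indicates pre-encryption staging.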


6.4 Encryption Details

Cryptography

  • File Encryption: AES-256 (per-file)
  • Key Protection: RSA-1024 / RSA-2048 (operator public key)
  • Key handling: AES key encrypted with RSA, appended to file

Encryption Mode

  • Partial encryption for large files
  • Full encryption for small files
  • Configurable file extensions list

File Marker

Encrypted files are appended with the extension: .darkside


6.5 Ransom Note

Filename: README.darkside.txt

Contents:

  • Victim ID
  • Tor payment site
  • Threat of data leak
  • Countdown timer

7. Data Exfiltration (Double Extortion)

Before encryption, DarkSide affiliates:

  • Compress sensitive data using 7zip / WinRAR
  • Upload via:
    • HTTPS
    • SFTP
    • Cloud storage (MEGA, etc.)
  • Purpose: leverage the data-leak threat even if backups exist

8. Command & Control (C2)

8.1 Network Characteristics

  • Tor-based infrastructure
  • Encrypted HTTPS traffic
  • Custom User-Agent strings

Example:

hxxps://<random>.onion/api/v1/status

9. Impact on OT Systems

  • OT systems NOT directly infected
  • Colonial shut down pipeline due to:
    • Loss of billing systems
    • Inability to safely track fuel delivery
  • This highlights IT/OT interdependency risk.

10. Incident Response Actions (Colonial)

10.1 Immediate Response

  1. Isolated IT network
  2. Shutdown pipeline operations
  3. Engaged:
    • Mandiant
    • FBI
    • CISA

10.2 Containment

  • Disabled compromised VPN account
  • Forced credential resets
  • Network segmentation
  • Blocked Tor traffic

10.3 Eradication

  • Reimaged infected systems
  • Removed persistence mechanisms
  • Verified domain controllers

10.4 Recovery

  • Paid ransom for decryptor (slow & unreliable)
  • Relied primarily on backups
  • Gradual pipeline restart

11. Indicators of Compromise (IOCs)

11.1 File IOCs

README.darkside.txt
*.darkside

11.2 Registry IOCs

HKCU\Software\DarkSide
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\<random>

11.3 Process Names (Common)

darkside.exe
taskdl.exe
update.exe

11.4 Network IOCs

  • Outbound Tor connections
  • Unusual HTTPS traffic to random IPs
  • VPN logins from unusual geolocation
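The VPN failures in 2.1 (no MFA, stale account left enabled, no geo-fencing) and the network IOC above (VPN logins from unusual geolocation) can be checked against authentication logs. This is an added review example, not code from the original write-up; the log format, the dormant-account list and the expected-country set are assumptions.

```python
import csv
import io

# Constructed VPN authentication log; not real Colonial Pipeline data. The country
# column is assumed to come from the VPN appliance or a GeoIP enrichment step.
VPN_LOG = """timestamp,user,src_ip,country,mfa,result
2021-04-29T02:14:07Z,legacy_vpn01,203.0.113.45,RU,no,success
2021-04-29T09:03:12Z,alice,198.51.100.7,US,yes,success
2021-04-29T09:10:55Z,bob,198.51.100.9,US,yes,success
2021-04-29T22:41:19Z,legacy_vpn01,203.0.113.45,RU,no,failure
2021-04-30T01:48:30Z,legacy_vpn01,203.0.113.45,RU,no,success
2021-04-30T13:22:01Z,carol,192.0.2.10,US,no,success
"""

# Assumed policy inputs: accounts the identity system reports as dormant (no activity
# for 90+ days but still enabled) and the countries remote access is expected from.
DORMANT_ACCOUNTS = {"legacy_vpn01"}
EXPECTED_COUNTRIES = {"US"}


def review_vpn_log(log_text, dormant=DORMANT_ACCOUNTS, expected=EXPECTED_COUNTRIES):
    """Return (user, timestamp, reasons) for each successful login that breaks policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["result"] != "success":
            continue  # failed attempts are not in scope for this check
        reasons = []
        if row["user"] in dormant:
            reasons.append("dormant account still enabled")
        if row["mfa"] != "yes":
            reasons.append("no MFA")
        if row["country"] not in expected:
            reasons.append("login from " + row["country"])
        if reasons:
            findings.append((row["user"], row["timestamp"], reasons))
    return findings


def high_priority(findings):
    """Findings that stack two or more failures, e.g. dormant + no MFA + foreign source."""
    return [f for f in findings if len(f[2]) >= 2]


if __name__ == "__main__":
    for user, ts, reasons in review_vpn_log(VPN_LOG):
        print(f"{ts} {user}: {', '.join(reasons)}")
    print("high priority:", [u for u, _, _ in high_priority(review_vpn_log(VPN_LOG))])
```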

11.5 YARA (Simplified Example)

rule DarkSide_Ransomware
{
    strings:
        $note = "README.darkside.txt"   // ransom note filename
        $ext  = ".darkside"             // extension appended to encrypted files
        $tor  = ".onion"                // Tor payment site reference in the note
    condition:
        2 of them
}

12. Key Defensive Lessons

12.1 What Failed

  • No MFA on VPN
  • Poor account lifecycle management
  • Flat network architecture
  • Insufficient monitoring of VPN logs

12.2 What Would Have Helped

  • MFA everywhere
  • Zero Trust access
  • EDR with credential dumping detection
  • OT/IT strict segmentation
  • Immutable backups

13. Strategic Takeaway

Colonial Pipeline was not an OT cyberattack — it was an IT ransomware incident with national infrastructure consequences.

This case fundamentally changed:

  • U.S. ransomware policy
  • CISA critical infrastructure guidance
  • Executive accountability for cyber risk