Threat Thursday: Delving Into the DarkSide

05/20/2021 | 03:13pm EDT
Summary

The DarkSide ransomware variant first appeared in mid-2020. It is distributed as Ransomware as a Service (RaaS) and is used to conduct targeted attacks. DarkSide targets machines running both Windows® and Linux, and recently made headlines with the attack on Colonial Pipeline, a major U.S. fuel pipeline operator.

DarkSide uses a double extortion scheme where data is both encrypted locally and exfiltrated before the ransom demand is made. If the victim refuses to pay, their data is published to a site located on the dark web:

hxxp[:]//darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id[dot]onion

Upon execution, this ransomware deletes volume shadow copies and system backups to hamper recovery efforts. It then encrypts files, changes the file icons, and appends an extension to the affected files. Finally, it drops a README file to the affected directories and changes the desktop wallpaper, in a similar way to other ransomware families.

In the aftermath of the Colonial Pipeline attack, the DarkSide Group has stated publicly that it was not their intent to affect hospitals or medical facilities, education, not-for-profit, or Government systems.

It's important to note that current indications point towards the DarkSide group shuttering operations, possibly with the hope of restarting and rebranding once the bad publicity dies down. While the threat from the current iteration of this ransomware may be winding down, its tactics, techniques, and procedures (TTPs) are still worth knowing, as they may give clues to the group's future endeavors.

Operating System
Risk and Impact
Technical Analysis

Before encrypting, DarkSide derives a per-victim string from the machine's GUID and uses it as the extension appended to affected files; in this sample the value is '5364a99b'. The same value names the .bmp and .ico files the malware drops under 'C:\ProgramData', and it is reused in the registry keys the malware creates, as seen in the images below:

Figure 1: HKLM\Software\Classes\.5364a99b registry key creation.
Figure 2: HKLM\Software\Classes\5364a99b\DefaultIcon registry key creation.

Figure 3: Registry key creation.
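Because every artifact in this section is keyed on the same Machine-GUID-derived string, the cleanest host hunt is to find the Classes\.<ext> key and pivot from it to the DefaultIcon value, the wallpaper value and the renamed files. The following Python is an added example written for this page, not BlackBerry's code: it runs over a constructed registry snapshot and file listing (labelled as such in the code) rather than a live host, and it assumes the per-victim value is eight lowercase hex characters as in the '5364a99b' example, since the page does not give the derivation.

```python
import re
from typing import Dict, List, Set

# Per-victim value as seen in this sample: 8 lowercase hex characters ('5364a99b').
# The page gives only the example, not the derivation, so this pattern is an
# assumption to tune against your own samples.
EXT_RE = r"[0-9a-f]{8}"

# Constructed registry snapshot (not from a real victim): key path -> {value name: data}.
SAMPLE_REGISTRY: Dict[str, Dict[str, str]] = {
    r"HKLM\Software\Classes\.5364a99b": {"(Default)": ""},
    r"HKLM\Software\Classes\5364a99b\DefaultIcon": {"(Default)": r"C:\ProgramData\5364a99b.ico"},
    r"HKCU\Control Panel\Desktop": {"WallPaper": r"C:\ProgramData\5364a99b.BMP",
                                    "WallPaperStyle": "10"},
    # Benign file association: must not be flagged.
    r"HKLM\Software\Classes\.txt": {"(Default)": "txtfile"},
    r"HKLM\Software\Classes\txtfile\DefaultIcon": {"(Default)": r"%SystemRoot%\system32\imageres.dll,-102"},
}

# Constructed file listing (not from a real victim).
SAMPLE_FILES: List[str] = [
    r"C:\ProgramData\5364a99b.ico",
    r"C:\ProgramData\5364a99b.bmp",
    r"C:\Users\alice\Documents\README.5364a99b.TXT",
    r"C:\Users\alice\Documents\budget.xlsx.5364a99b",
    r"C:\Users\alice\Documents\notes.txt",
]


def find_darkside_extensions(registry: Dict[str, Dict[str, str]]) -> Set[str]:
    """Candidate extensions: HKLM\\Software\\Classes\\.<ext> exists AND
    HKLM\\Software\\Classes\\<ext>\\DefaultIcon points at C:\\ProgramData\\<ext>.ico.
    Registry paths are compared case-insensitively on the value side; the snapshot
    keys here are assumed to be already normalised."""
    key_re = re.compile(r"HKLM\\Software\\Classes\\\.(" + EXT_RE + r")", re.IGNORECASE)
    hits: Set[str] = set()
    for key in registry:
        m = key_re.fullmatch(key)
        if not m:
            continue
        ext = m.group(1).lower()
        icon_key = "HKLM\\Software\\Classes\\" + ext + "\\DefaultIcon"
        icon = registry.get(icon_key, {}).get("(Default)", "")
        if icon.lower() == "c:\\programdata\\" + ext + ".ico":
            hits.add(ext)
    return hits


def darkside_artifacts(registry, files) -> Dict[str, dict]:
    """For each candidate extension, correlate the wallpaper value, the ransom
    notes and the renamed files described on the page."""
    report = {}
    desktop = registry.get(r"HKCU\Control Panel\Desktop", {})
    for ext in find_darkside_extensions(registry):
        report[ext] = {
            "wallpaper_set": desktop.get("WallPaper", "").lower() == "c:\\programdata\\" + ext + ".bmp",
            "ransom_notes": [f for f in files if f.lower().endswith("\\readme." + ext + ".txt")],
            "encrypted_files": [f for f in files if f.lower().endswith("." + ext)],
        }
    return report


if __name__ == "__main__":
    print(darkside_artifacts(SAMPLE_REGISTRY, SAMPLE_FILES))
```

On a live host the two inputs would come from a registry export (or `reg query HKLM\Software\Classes`) and a recursive directory listing; the correlation logic stays the same.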

This threat performs checks to find specific processes running, and if found they are terminated:

Figure 4: Terminated processes.

The malware also carries out checks to find specified services, which are also terminated if present:

Figure 5: Stopped services.

Certain folders and locations are exempt from encryption:

Figure 6: Excluded folders.

As well as certain file types as seen in the screenshot below:

Figure 7: Excluded extensions.

During the encryption process, custom .bmp and .ico files are dropped in the 'C:\ProgramData' directory. The .bmp is used to change the wallpaper on the Desktop to inform the affected user that their files are encrypted:

Figure 8: Desktop wallpaper change.

The .ico is used to change icons of every file that is targeted by DarkSide:

Figure 9: Encrypted file icon change.

A ransom note is dropped in the affected directories. It follows the naming convention README.[extension].TXT, where [extension] is the per-victim value, so for this sample the note is 'README.5364a99b.TXT':

Figure 10: DarkSide ransom note creation.

DarkSide utilizes a double extortion scheme similar to REvil, to further compel victims to pay the ransom. The ransom note contains a URL that allows the victim to view the data that DarkSide exfiltrated and stole. This site is hosted on a .onion domain, giving the threat actors a further level of anonymity: to reach it, the victim must use the Tor Browser, which routes traffic through multiple relays so that neither end can be trivially identified.

Figure 11: DarkSide ransom note.

The ransom note also contains instructions on how to pay the ransom. In order to pay up, the victim needs to visit the provided URL and input the key which is contained within the ransom note:

Figure 12: DarkSide URL for key input.

YARA Rule

The following YARA rule was authored by the BlackBerry Threat Research Team to catch the threat described in this document (meta strings must be double-quoted for the rule to compile):

rule darkside_ransomware {
    meta:
        author  = "BlackBerry Threat Research Team"
        created = "11 May 2021"
        comment = "Opcodes unique to DarkSide ransomware executable"

    strings:
        // mov dword ptr [ebx+N], imm32 : the MD5 initial state words (A, B, C, D)
        // being written into a context structure
        $md5_1 = { C7 03 01 23 45 67 }      // [ebx]      = 0x67452301
        $md5_2 = { C7 43 04 89 AB CD EF }   // [ebx+0x04] = 0xEFCDAB89
        $md5_3 = { C7 43 08 FE DC BA 98 }   // [ebx+0x08] = 0x98BADCFE
        $md5_4 = { C7 43 0C 76 54 32 10 }   // [ebx+0x0C] = 0x10325476

        // push imm32 : constants specific to this sample
        $hex_1 = { 68 A4 04 2B 1E }         // push 0x1E2B04A4
        $hex_2 = { 68 5E 04 98 3B }         // push 0x3B98045E
        $hex_3 = { 68 88 05 8B 28 }         // push 0x288B0588

    condition:
        all of ($md5*) and
        all of ($hex*)
}
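As an added example (not part of the BlackBerry post), the Python below decodes the rule's byte patterns: the four $md5 strings are mov dword ptr [ebx+N], imm32 instructions writing the MD5 initial state (RFC 1321) into a context structure, so on their own they would match any x86 build with an inlined MD5, while the three $hex strings are push imm32 of sample-specific constants, which is what makes the conjunction specific. It also evaluates the rule's condition over two constructed byte buffers to show that the MD5 strings alone do not fire. The instruction decoder is deliberately minimal and only handles the two ModRM forms that occur in the rule.

```python
import struct
from typing import Tuple

# Hex strings copied from the page's YARA rule.
MD5_OPCODES = ["C7 03 01 23 45 67", "C7 43 04 89 AB CD EF",
               "C7 43 08 FE DC BA 98", "C7 43 0C 76 54 32 10"]
PUSH_OPCODES = ["68 A4 04 2B 1E", "68 5E 04 98 3B", "68 88 05 8B 28"]

# MD5 initial state words A, B, C, D from RFC 1321.
MD5_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def hexpat(s: str) -> bytes:
    """'C7 03 01 23 45 67' -> the raw byte pattern YARA searches for."""
    return bytes.fromhex(s.replace(" ", ""))


def decode_mov_ebx_imm32(code: bytes) -> Tuple[int, int]:
    """Decode C7 /0 (MOV r/m32, imm32) with an [ebx]-based destination.
    Returns (displacement from ebx, immediate)."""
    if code[0] != 0xC7:
        raise ValueError("not MOV r/m32, imm32")
    modrm = code[1]
    if modrm == 0x03:                      # mod=00 reg=000 rm=011 -> [ebx]
        disp, imm = 0, code[2:6]
    elif modrm == 0x43:                    # mod=01 reg=000 rm=011 -> [ebx+disp8]
        disp, imm = code[2], code[3:7]
    else:
        raise ValueError("unexpected ModRM byte %#x" % modrm)
    return disp, struct.unpack("<I", imm)[0]


def md5_state_written(patterns=MD5_OPCODES) -> Tuple[int, ...]:
    """Immediates written to [ebx+0], [ebx+4], [ebx+8], [ebx+12], in slot order."""
    words = [0, 0, 0, 0]
    for p in patterns:
        disp, imm = decode_mov_ebx_imm32(hexpat(p))
        words[disp // 4] = imm
    return tuple(words)


def decode_push_imm32(code: bytes) -> int:
    if code[0] != 0x68:                    # PUSH imm32
        raise ValueError("not PUSH imm32")
    return struct.unpack("<I", code[1:5])[0]


def rule_matches(buf: bytes) -> bool:
    """The page's condition: all of ($md5*) and all of ($hex*)."""
    return (all(hexpat(p) in buf for p in MD5_OPCODES)
            and all(hexpat(p) in buf for p in PUSH_OPCODES))


# Constructed test buffers (not real samples): one that only contains an MD5
# state initialisation (push ebx; movs; pop ebx; ret), one that also contains
# the three sample-specific pushes.
GENERIC_MD5_INIT = b"\x53" + b"".join(hexpat(p) for p in MD5_OPCODES) + b"\x5b\xc3"
DARKSIDE_LIKE = GENERIC_MD5_INIT + b"".join(hexpat(p) for p in PUSH_OPCODES) + b"\xe8\x00\x00\x00\x00"

if __name__ == "__main__":
    print([hex(w) for w in md5_state_written()])
    print([hex(decode_push_imm32(hexpat(p))) for p in PUSH_OPCODES])
    print(rule_matches(GENERIC_MD5_INIT), rule_matches(DARKSIDE_LIKE))
```

The practical lesson for rule authors: when a string set is really a well-known algorithm constant, keep it only as a supporting anchor and let the sample-specific strings carry the condition, as this rule does.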

Indicators of Compromise (IoCs)

File System Actions

Created:

  • C:\ProgramData\5364a99b.bmp (the '.bmp' used as the desktop wallpaper)
  • C:\ProgramData\5364a99b.ico (the '.ico' used as the encrypted-file icon)
  • README.5364a99b.TXT (the ransom note, dropped in each affected directory)

Deleted:

  • Shadow Volume Copies

Modified:

  • All targeted files post-encryption

Registries Created:

  Key                                            Value
  HKLM\Software\Classes\5364a99b\DefaultIcon     C:\ProgramData\5364a99b.ico
  HKLM\Software\Classes\.5364a99b
  HKCU\Control Panel\Desktop\WallPaper           C:\ProgramData\5364a99b.BMP
  HKCU\Control Panel\Desktop\WallPaperStyle      10

NOTE: The name '5364a99b' used in the paths and keys above is this sample's value. It depends on the Machine GUID of the victim's machine and varies per victim environment.

Processes Terminated:

sql, oracle, ocssd, dbsnmp, synctime, agntsvc, isqlplussvc, xfssvccon, mydesktopservice, ocautoupds, encsvc, firefox, tbirdconfig, mydesktopqos, ocomm, dbeng50, sqbcoreservice, excel, infopath, msaccess, mspub, onenote, outlook, powerpnt, steam, thebat, thunderbird, visio, winword, wordpad, notepad

Services Created:

  • ServiceName: named after the per-victim Machine-GUID-derived value (see NOTE above)
  • Binary path: the full path to DarkSide's executable file

Terminated:

vss, sql, svc$, memtas, mepocs, sophos, veeam, backup, GxVss, GxBlr, GxFWD, GxCVD, GxCIMgr
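The process and service lists above are substrings, so any detection should match the same way (for example 'sql' covers sqlservr.exe and MSSQLSERVER alike). The Python below is an added example, not BlackBerry's code: it feeds a constructed, simplified event stream (format assumed; real telemetry would be Sysmon Event ID 5 process-terminate records or System log 7036 service-stop records) through a burst detector that alerts when several distinct kill-list names end within a short window. That separates the mass termination DarkSide performs before encryption from a user closing a single Office application.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Substrings from the page's IoC lists. DarkSide matches names by substring,
# so 'sql' covers sqlservr.exe, MSSQLSERVER, SQLWriter and so on.
KILL_PROCESSES = [
    "sql", "oracle", "ocssd", "dbsnmp", "synctime", "agntsvc", "isqlplussvc",
    "xfssvccon", "mydesktopservice", "ocautoupds", "encsvc", "firefox",
    "tbirdconfig", "mydesktopqos", "ocomm", "dbeng50", "sqbcoreservice",
    "excel", "infopath", "msaccess", "mspub", "onenote", "outlook", "powerpnt",
    "steam", "thebat", "thunderbird", "visio", "winword", "wordpad", "notepad",
]
STOP_SERVICES = [
    "vss", "sql", "svc$", "memtas", "mepocs", "sophos", "veeam", "backup",
    "GxVss", "GxBlr", "GxFWD", "GxCVD", "GxCIMgr",
]

# Constructed telemetry (not real logs). The line format is an assumption:
# <ISO-8601 time> <process_end|service_stop> <image or service name>
SAMPLE_EVENTS = """\
2021-05-20T14:01:02 process_end chrome.exe
2021-05-20T14:05:10 service_stop VeeamBackupSvc
2021-05-20T14:05:10 service_stop MSSQLSERVER
2021-05-20T14:05:11 service_stop VSS
2021-05-20T14:05:11 service_stop Sophos Agent
2021-05-20T14:05:12 process_end sqlservr.exe
2021-05-20T14:05:12 process_end outlook.exe
2021-05-20T14:05:13 process_end winword.exe
2021-05-20T14:05:13 process_end excel.exe
2021-05-20T14:30:00 process_end notepad.exe
"""


def match_token(name: str, tokens: List[str]) -> Optional[str]:
    """First DarkSide substring found in name (case-insensitive), else None."""
    low = name.lower()
    for t in tokens:
        if t.lower() in low:
            return t
    return None


def parse_events(text: str) -> List[Tuple[datetime, str, str]]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, name = line.split(maxsplit=2)   # name may contain spaces
        events.append((datetime.fromisoformat(ts), kind, name))
    return events


def detect_kill_bursts(events, window=timedelta(seconds=60), threshold=4) -> List[Dict]:
    """Alert when at least `threshold` distinct kill-list processes/services end
    within `window`. An isolated hit (a user closing Outlook) is ignored."""
    hits = []
    for ts, kind, name in events:
        tokens = KILL_PROCESSES if kind == "process_end" else STOP_SERVICES
        tok = match_token(name, tokens)
        if tok:
            hits.append((ts, name, tok))
    hits.sort(key=lambda h: h[0])

    alerts = []
    i = 0
    while i < len(hits):
        start = hits[i][0]
        j = i
        while j < len(hits) and hits[j][0] <= start + window:
            j += 1
        names = sorted({h[1] for h in hits[i:j]})
        if len(names) >= threshold:
            alerts.append({"start": start.isoformat(), "names": names,
                           "matched": sorted({h[2] for h in hits[i:j]})})
            i = j                        # consume the whole burst
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for alert in detect_kill_bursts(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Tune `window` and `threshold` to the host: a database server legitimately restarts several 'sql' services during patching, so the same rule should also look at the parent process or pair with the shadow-copy deletion the page describes.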

Network URL:

  • hxxps://baroquetees[dot]com
  • hxxps://rumahsia[dot]com

IP:

  IP Traffic             Port   Protocol
  176[.]103[.]62[.]217   443    HTTP
  99[.]83[.]154[.]118    443    HTTP



BlackBerry Assistance

If you're battling DarkSide ransomware or a similar threat, you've come to the right place, regardless of your existing BlackBerry relationship.

The BlackBerry Incident Response team is made up of world-class consultants dedicated to handling response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.

We have a global consulting team standing by to assist you providing around-the-clock support, where required, as well as local assistance. Please contact us here: https://www.blackberry.com/us/en/forms/cylance/handraiser/emergency-incident-response-containment.

About The BlackBerry Research and Intelligence Team

The BlackBerry Research and Intelligence team examines emerging and persistent threats, providing intelligence analysis for the benefit of defenders and the organizations they serve.


Disclaimer

BlackBerry Ltd. published this content on 20 May 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 20 May 2021 19:12:08 UTC.
