W2 JAN | EN | Story of the week: Ransomware on the Darkweb

Hyunmin Suh · Published in S2W BLOG · 5 min read · Jan 12, 2021

Friend or Foe? Bitdefender released a decryption tool of Darkside ransomware

S2W LAB publishes weekly reports of ransomware activity observed on the dark web. Each report includes a summary of victimized firms, the top 5 targeted countries and industrial sectors, the status of dark web forum posts by ransomware operators, and more.

Executive Summary

The number of victimized firms posted on dark web ransomware leak sites increased slightly (+3) compared to the previous week, while the number of active ransomware groups decreased (-1). The Industrials sector still accounts for the highest proportion of victims.

Bitdefender released a decryption tool for Darkside ransomware. The Darkside operator responded by admitting that there was a bug in its key generation and stating that all problems have been fixed. The product will be provided free of charge for 3 weeks.

Ransomware operators have recently been adding features for encrypting and decrypting the executable in memory as an obfuscation measure. Note that this theme keeps recurring: last week in the Thanos ransomware builder (digital key encryption feature) and this week in REvil (key launch feature).

Babuk, a recently emerged ransomware, has announced that it will not attack hospitals, schools, etc., denying that its operators are criminals.

1. Weekly Status

A. Status of the victimized firms

  • Over the week, a total of 34 companies were mentioned on ransomware leak sites, or had a change detected in the status of their leaked data.
  • Activity from 6 threat groups was detected.

B. TOP 5 targeted countries

  1. United States — 58.8%
  2. Canada — 14.7%
  3. France — 5.9%
  4. United Arab Emirates — 2.9%
  5. Slovenia — 2.9%

C. TOP 5 targeted industrial sectors

  1. Industrials — 26.5%
  2. Financial — 8.8%
  3. Construction — 8.8%
  4. Materials — 5.9%
  5. Government — 5.9%

2. Status of active Ransomware forum posts @ Dark Web

A. REvil

  • Forums: Exploit[.]IN, XSS[.]IS
  • User ID: UNKN
  • Initial Date of Activity: 06/05/2020
  • Leaked Site in Operation (Y/N): Y

Weekly Summary of Activity

  • Posted Date: 01/09/2021
  • The PowerShell DLL loader has been rewritten. Files now run locally without using pastebins. PowerShell runs in administrator mode.
  • Added a build in the form of a DLL, which can be scripted or run on its own using rundll, Cobalt, or a custom loader
  • For the next updates:
    • Key launch will be added to hinder detection by static and dynamic protection systems by encrypting/decrypting the executable file in memory
    • Testing of launching as a service and of a 64-bit version of the executable
    • C-code morphing technology is in development to implement a malware-factory technique

B. Babuk

  • Forums: Raidforums
  • User ID: biba99
  • Initial Date of Activity: 08/26/2020
  • Leaked Site in Operation (Y/N): Y

Weekly Summary of Activity

  • Posted Date: 01/05/2021
  • Post written for the press asserting that their purpose in operating ransomware is to show the level of security issues inside corporate networks
  • Babuk uses its own implementations of SHA256 hashing, ChaCha8 encryption, and the Elliptic-curve Diffie–Hellman (ECDH) key generation and exchange algorithm to protect its keys and encrypt files
  • White lists by Babuk:
    • Hospitals (except private plastic surgery clinics, private dental clinics)
    • Any non-profitable charitable foundation (except the foundations who help LGBT and BLM)
    • Schools (except the major universities)
    • Companies with annual revenue less than 4 mln$ (info about revenue we take from zoominfo)

C. Darkside

  • Forums: Exploit[.]IN, XSS[.]IS
  • User ID: darksupp
  • Initial Date of Activity: 11/04/2020
  • Leaked Site in Operation (Y/N): Y

Weekly Summary of Activity

  • Posted Date: 01/12/2021
  • Darkside responded to the article by Bitdefender regarding Darkside ransomware decryption tool
  • Bitdefender has released a utility that can decrypt some of our Windows lockers. Linux is not decrypted. This is not connected with breaking our encryption or another bug in the locker (RSA + Salsa20), but with the generation of keys. Due to the way the generator works under Linux, some private keys for targets could be generated the same, so BitDefender created its own decryptor based on one public key (previously purchased). According to our calculations, up to 40% of private keys are affected.
  • At the moment, this problem has been solved, no new targets will be decrypted, there have been no bugs in the locker itself, and will not be.
  • We perfectly understand the consequences of this situation for the reputation of our product, this fact can undermine your trust in us, therefore we are ready to answer for this in front of you with our time and finances:
  • All users of our product will be provided with 100% rate for 3 weeks, regardless of whether or not you have targets that could potentially use the decryptor.
  • All clients whose targets could potentially use the decryptor will be provided with compensation from our deposit (currently about ~$600k).
  • We very much hope that this situation will not undermine your trust in us, as we believe that trust is the foundation of our business. We are always ready to answer for any problems on our part and will never hide it.
  • Special thanks to BitDefender for pointing out our shortcomings. This will make us even better. Now you will never decipher us;)
  • Bitdefender article: https://labs.bitdefender.com/2021/01/darkside-ransomware-decryption-tool/
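The key-generation flaw Darkside describes above (identical private keys issued to different targets, so one recovered key pair unlocks every target that shares it) is modelled in the added Python below. This is an illustration written for this report, not Darkside's generator nor Bitdefender's decryptor; the hypothetical "seed from a whole-second clock" flaw and the constructed build timestamps are assumptions.

```python
"""Why one recovered key can unlock many victims: if a key pair is derived
from a low-entropy seed, the same key is handed to several targets, and a
decryptor built around that single key works against all of them."""
import hashlib
import os
from collections import Counter

def derive_private_key(seed: bytes) -> bytes:
    # Stand-in for key generation: the key is a deterministic function of the
    # seed, so identical seeds always yield identical private keys.
    return hashlib.sha256(b"privkey|" + seed).digest()

def weak_seed(build_time_s: int) -> bytes:
    # Hypothetical flaw (assumption, not the real generator): seeding from a
    # whole-second clock, so two keys generated in the same second collide.
    return build_time_s.to_bytes(4, "big")

def strong_seed() -> bytes:
    # Correct practice: 256 bits from the OS CSPRNG per key.
    return os.urandom(32)

def key_batch(seeds):
    return [derive_private_key(s) for s in seeds]

def affected_fraction(keys) -> float:
    """Share of targets whose private key is also held by another target."""
    counts = Counter(keys)
    duplicated = sum(1 for k in keys if counts[k] > 1)
    return duplicated / len(keys) if keys else 0.0

def coverage_of_key(keys, recovered_key) -> int:
    """How many targets a decryptor built from one recovered key unlocks."""
    return sum(1 for k in keys if k == recovered_key)

# Constructed sample: ten targets' build timestamps, several in the same second.
BUILD_TIMES = [1609459200, 1609459200, 1609459200, 1609459201,
               1609459201, 1609459202, 1609459203, 1609459203,
               1609459204, 1609459205]
WEAK_KEYS = key_batch(weak_seed(t) for t in BUILD_TIMES)
STRONG_KEYS = key_batch(strong_seed() for _ in BUILD_TIMES)

if __name__ == "__main__":
    print(f"weak seeding:   {affected_fraction(WEAK_KEYS):.0%} of targets affected")
    print(f"strong seeding: {affected_fraction(STRONG_KEYS):.0%} of targets affected")
    print("one recovered weak key covers",
          coverage_of_key(WEAK_KEYS, WEAK_KEYS[0]), "targets")
```

The same duplicate-key check is a useful audit on any system that issues per-tenant or per-device keys: a non-zero affected fraction means the entropy source, not the cipher, is the problem.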
