DarkSide ransomware is a new and dangerous malware that threatens its victims not only with data encryption, but also with leaking the stolen information on the dark web. BleepingComputer has reported that the threat actor has so far received a ransom of 1 million dollars. The most recent victim is a North American real estate developer.

Like most malware, DarkSide uses a mutex object to avoid running multiple instances simultaneously. Unlike the majority of other malware, which uses static mutex names, this new ransomware decides on its mutex name dynamically: the name is derived from the malicious binary itself and produced with a custom algorithm. The ransomware calculates the CRC checksum of its own binary, using the constant 0xdeadbeef as the initialization value. It then repeats this process 4 times, each time changing the initialization parameter to the CRC value output by the previous calculation.
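For defenders who want to tie a mutex seen in endpoint telemetry back to a specific sample, the chained checksum described above can be recomputed offline. The following is an added example, not Minerva's code and not code recovered from the malware. Assumptions: standard CRC-32 (`zlib.crc32`) stands in for the ransomware's routine, "4 times" is read as four passes in total, the values are joined as lowercase hex, and the sample bytes, host names and object names are constructed.

```python
import zlib

SEED = 0xDEADBEEF   # initialization constant named in the article
ROUNDS = 4          # assumption: four CRC passes in total

def chained_crc32(image: bytes, seed: int = SEED, rounds: int = ROUNDS) -> list[int]:
    """CRC the whole image repeatedly; each pass is seeded with the previous result."""
    values, state = [], seed
    for _ in range(rounds):
        state = zlib.crc32(image, state) & 0xFFFFFFFF
        values.append(state)
    return values

def name_fragment(image: bytes) -> str:
    """Assumed layout: the chained values concatenated as 8-digit lowercase hex."""
    return "".join(f"{v:08x}" for v in chained_crc32(image))

def hosts_with_marker(image: bytes, telemetry: dict[str, list[str]]) -> list[str]:
    """Return hosts whose named-object list contains the fragment derived from image."""
    frag = name_fragment(image)
    return [host for host, names in telemetry.items()
            if any(frag in name.lower() for name in names)]

# Constructed stand-in for a quarantined sample's bytes (not a real binary).
SAMPLE = b"MZ" + bytes(range(256)) * 4

# Constructed telemetry: host -> named kernel objects reported by an endpoint agent.
TELEMETRY = {
    "ws-014": ["Local\\SessionCache", "Global\\" + name_fragment(SAMPLE).upper()],
    "ws-022": ["Local\\SessionCache", "Global\\UpdaterLock"],
}

if __name__ == "__main__":
    print("derived fragment:", name_fragment(SAMPLE))
    print("hosts showing it:", hosts_with_marker(SAMPLE, TELEMETRY))
```

Because the value depends on every byte of the file, each repacked or patched build yields a different name, so a single static mutex indicator does not cover the family.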

Using our Vaccination module, which simulates both static and dynamic mutex names, the Minerva Labs product defends your endpoints by turning the malware's own tools against it, thus preventing the DarkSide malware.

Another feature used by DarkSide is an embedded UAC bypass, which enables the malware to encrypt a computer even when running as a low-integrity user.

User Account Control (UAC) is the mechanism that requires user interaction when a process asks for administrative privileges. Because most malware needs admin privileges, it needs a way around this mechanism, so malware developers usually embed a UAC bypass in their code.

This ransomware uses a well-known UAC bypass in the ICMLuaUtil COM interface to elevate its integrity level. This technique is commonly used because a C implementation is publicly available on GitHub.

Minerva’s active endpoint ransomware protection platform prevents this type of attack before any damage or encryption has been done, along with many other novel threats that use known and unknown zero-days and vulnerabilities.

 


Written by Tom Roter, Minerva Research Team