Industry researchers recently analysed a Linux version of the DarkSide ransomware and published a detailed write-up. Over the past quarter, DarkSide has been one of the most active ransomware groups: it hit Colonial Pipeline in May, and the company shut down its pipeline operations shortly afterwards.
What is new?
The researchers found that, whereas most Linux ransomware encrypts files with a password-based scheme, DarkSide performs the encryption itself using cryptographic libraries built into its binary. Without the attackers' key, the data cannot be recovered.
- The group built the Linux version specifically to attack VMware ESXi hosts that run virtual machines. On March 9, the authors announced DarkSide 2.0 for Linux.
- The ransomware's default configuration contains the root path to encrypt on ESXi hosts and targets the vmdk, log, vmem and vmsn extensions, which ESXi uses for virtual disks (vmdk), VM logs (log), guest memory (vmem) and snapshot state (vmsn).
- DarkSide 2.0 is verbose: it prints almost every task it performs to the screen, which is unusual for malware and suggests the operators run it by hand on a host they have already compromised.
- The malware is written in C++ and statically links several open-source libraries into a single binary alongside its own code, among them Crypto++, Boost and curl.
- The malware can issue esxcli commands to shut down running virtual machines. esxcli is the ESXi command-line interface for managing the host and its VMs; stopping a VM releases the locks on its disk and memory files, which is what allows them to be encrypted.
- Once executed, the malware prints its configuration to the terminal, including the root path to encrypt, the file extensions to target, the C2 addresses and the RSA key material.
- The C2 addresses are stored obfuscated with a rotating XOR key and decoded at run time. After encryption, the malware counts the encrypted files, collects information about the host, and sends it to the C2 server.
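The rotating XOR scheme mentioned above is the usual cyclic-key XOR: byte i of the string is XORed with key[i % len(key)]. The following is an added example, not code from the page, the eScan write-up or the DarkSide sample, showing both the decode step and the known-plaintext trick an analyst uses to recover such a key from a dumped binary. The key, the C2 names and the NUL-separated layout are constructed assumptions; the page does not give DarkSide's key or its exact layout.

```python
"""Rotating (cyclic-key) XOR of embedded C2 strings, with known-plaintext
key recovery. Added example; the key, C2 names and blob layout are
constructed assumptions, not values from the DarkSide sample."""
from itertools import cycle
from typing import List, Optional


def xor_rotate(data: bytes, key: bytes) -> bytes:
    """XOR byte i of data with key[i % len(key)]. Symmetric: applying it
    twice with the same key returns the original bytes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_c2_blob(blob: bytes, key: bytes) -> List[str]:
    """Decode a NUL-separated blob of obfuscated C2 addresses."""
    plain = xor_rotate(blob, key)
    return [entry.decode("ascii") for entry in plain.split(b"\x00") if entry]


def recover_key(blob: bytes, crib: bytes, key_len: int) -> Optional[bytes]:
    """Known-plaintext key recovery for a cyclic XOR key.

    If the first entry is known to begin with `crib` (say b"https://") and the
    crib covers at least one full key period, the key is blob[i] ^ crib[i]
    for i < key_len. Returns None when the crib is shorter than the key.
    """
    if len(crib) < key_len:
        return None
    return bytes(blob[i] ^ crib[i] for i in range(key_len))


# Constructed sample data: RFC 2606 reserved names under an assumed 7-byte key.
KEY = bytes([0x3A, 0x91, 0x5C, 0x07, 0xE8, 0x44, 0xB2])
C2_PLAIN = [b"https://c2.example.com", b"https://backup.example.net"]
# Each entry is NUL-terminated. The separator is itself a weakness of this
# scheme: 0x00 ^ k == k, so every separator leaks one key byte to an analyst.
C2_BLOB = xor_rotate(b"\x00".join(C2_PLAIN) + b"\x00", KEY)


if __name__ == "__main__":
    recovered = recover_key(C2_BLOB, b"https://", len(KEY))
    print("recovered key:", recovered.hex() if recovered else None)
    for addr in decode_c2_blob(C2_BLOB, recovered):
        print("C2:", addr)
```

Cyclic XOR gives no confidentiality against anyone holding the binary: a single guessed prefix such as "https://" that is at least as long as the key period yields the whole key, and the NUL separators leak it even without a guess.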
Ransomware is one of the most serious threats an organisation faces, particularly on Linux-based virtualisation hosts that run many critical services. Consequently, even though DarkSide is said to have ceased operations, enterprises should implement proper security measures to avoid being infected with ransomware of this kind.
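One concrete measure, given that the malware shuts down virtual machines through esxcli before encrypting their files, is to hunt ESXi shell history for bursts of VM kills. The following is an added example, not code from the page or the eScan write-up. The log lines are constructed to resemble entries in /var/log/shell.log on ESXi, and the flagged command, `esxcli vm process kill`, is a real esxcli subcommand but an assumption here: the page says only that DarkSide uses esxcli to shut VMs down, not which subcommand.

```python
"""Hunt ESXi shell history for the VM shutdown step that precedes datastore
encryption. Added example; the log lines are constructed and the esxcli
subcommand flagged is assumed, since the page does not name it."""
import re
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample: one routine admin kill in the morning, then a listing
# followed by three forced kills within seconds, the pattern an operator
# produces when clearing the way for encryption.
SAMPLE_SHELL_LOG = """\
2021-05-10T09:15:33Z shell[2099871]: [root]: esxcli vm process kill --type=soft --world-id=2100512
2021-05-10T09:16:02Z shell[2099871]: [root]: esxcli system version get
2021-05-10T14:02:01Z shell[2103056]: [root]: esxcli vm process list
2021-05-10T14:02:05Z shell[2103056]: [root]: esxcli vm process kill --type=force --world-id=2101234
2021-05-10T14:02:06Z shell[2103056]: [root]: esxcli vm process kill --type=force --world-id=2101301
2021-05-10T14:02:07Z shell[2103056]: [root]: esxcli vm process kill --type=force --world-id=2101377
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+shell\[\d+\]:\s+"
    r"\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.+)$"
)
KILL_RE = re.compile(r"\besxcli\s+vm\s+process\s+kill\b(?P<args>.*)")
TYPE_RE = re.compile(r"--type[= ](\w+)")
WORLD_RE = re.compile(r"(?:--world-id|-w)[= ](\d+)")


def find_vm_kills(lines: List[str]) -> List[Dict]:
    """Return every `esxcli vm process kill` invocation with its timestamp,
    user, kill type and world id, in log order."""
    kills = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        k = KILL_RE.search(m["cmd"])
        if not k:
            continue
        t = TYPE_RE.search(k["args"])
        w = WORLD_RE.search(k["args"])
        kills.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": m["user"],
            "kill_type": t.group(1) if t else None,
            "world_id": int(w.group(1)) if w else None,
        })
    return kills


def mass_kill_alerts(kills: List[Dict], threshold: int = 3, window_seconds: int = 60) -> List[Dict]:
    """Group kills (assumed in time order) into bursts: a run of at least
    `threshold` kills whose timestamps fall within window_seconds of the
    first. A lone soft kill by an admin does not trigger; a rapid series of
    forced kills does."""
    alerts = []
    i, n = 0, len(kills)
    while i < n:
        j = i
        while j + 1 < n and (kills[j + 1]["ts"] - kills[i]["ts"]).total_seconds() <= window_seconds:
            j += 1
        burst = kills[i:j + 1]
        if len(burst) >= threshold:
            alerts.append({
                "start": burst[0]["ts"],
                "user": burst[0]["user"],
                "count": len(burst),
                "forced": sum(1 for k in burst if k["kill_type"] == "force"),
                "world_ids": [k["world_id"] for k in burst],
            })
            i = j + 1
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for a in mass_kill_alerts(find_vm_kills(SAMPLE_SHELL_LOG)):
        print(f"ALERT {a['start'].isoformat()} user={a['user']} killed "
              f"{a['count']} VMs ({a['forced']} forced): {a['world_ids']}")
```

The threshold and window are tuning knobs: a hypervisor with a maintenance script that stops many VMs at once will need an allow-list on the user or the calling process, and forwarding shell.log off the host matters, since a ransomware operator with root on ESXi can clear local logs before leaving.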
To read more, please check eScan Blog