MVISION Insights: CISA-FBI Joint Cybersecurity Advisory On DarkSide Ransomware

Technical Articles ID: KB94770
Last Modified: 8/11/2021

Environment

{INSIGHTS.EN_US}

Summary

Description of Campaign
The United States Federal Bureau of Investigation (FBI) released a Flash Alert for the DarkSide ransomware family. The ransomware-as-a-service (RaaS) has targeted multiple sectors including manufacturing, legal, insurance, healthcare, and energy. The malicious software exfiltrates sensitive information before encryption and threatens to publish the data if the ransom is not paid. DarkSide uses Salsa20 encryption and can encrypt files on Microsoft Windows and Linux systems.

The McAfee Enterprise ATR Team gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports.

This campaign was researched by CISA and shared publicly.

{APOLLOHOW.EN_US}
This Knowledge Base article discusses a specific threat that is being tracked. The list of IOCs will change over time; check MVISION Insights for the latest IOCs.

Campaign IOC

Type	Value
SHA256	7D57E0BA8B36EC221B16807CE4E13A1125D53922FA50C3827A5EBD6811736FFD
SHA256	6184E4C8915A3924A9A12E26C42CFFEF35A1D1380A8C0A236EF65DF71B20C217
SHA256	B43BDE75780244AEEE719AE926C1F901291574C9400B5E6D0C2FDC135D0C6FE5
SHA256	36BC32BECF287402BF0E9C918DE22D886A74C501A33AA08DCB9BE2F222FA6E24
SHA256	0A0C225F0E5EE941A79F2B7701F1285E4975A2859EB4D025D96D9E366E81ABB9
SHA256	68872CC22FBDF0C2F69C32AC878BA9A7B7CF61FE5DD0E3DA200131B8B23438E7
SHA256	BAFA2EFFF234303166D663F967037DAE43701E7D63D914EFC8C894B3E5BE9408
SHA256	48A848BC9E0F126B41E5CA196707412C7C40087404C0C8ED70E5CEE4A418203A
SHA256	9CEE5522A7CA2BFCA7CD3D9DABA23E9A30DEB6205F56C12045839075F7627297
SHA256	CA77F63A08F4E01E7E7294695EB300610E65F22333256D547D0125075BED2CC8
SHA256	F7EDA7111AC0F95DFBD817BD0962DEFE35412DE12964F178421122E96C72495B
SHA256	B1C7872598053EB2FD07B0EABE223CBCCEF2EDD2E403255B5AB8646E32124862
IP-DST	176.123.2.216
IP-DST	51.210.138.71
IP-DST	185.105.109.19
IP-DST	192.3.141.157
IP-DST	213.252.247.18
IP-DST	23.95.85.176
IP-DST	159.65.225.72
IP-DST	80.209.241.4
IP-DST	46.166.128.144
IP-DST	108.62.118.232
IP-DST	185.203.116.7
IP-DST	185.203.117.159
IP-DST	104.21.69.79
IP-DST	172.67.206.76
IP-DST	185.203.116.28
IP-DST	198.54.117.197
IP-DST	198.54.117.199
IP-DST	185.243.214.107
IP-DST	45.61.138.171
IP-DST	45.84.0.127
IP-DST	212.109.221.205
DOMAIN	catsdegree.com
DOMAIN	7cats.ch
DOMAIN	securebestapp20.com
DOMAIN	gosleepaddict.com
DOMAIN	kgtwiakkdooplnihvali.com
DOMAIN	ironnetworks.xyz
DOMAIN	lagrom.com
DOMAIN	openmsdn.xyz
DOMAIN	ctxinit.azureedge.net
DOMAIN	de2pv25fb37xbq32qqfjooyegaucbnaupfu3aoti56c2i744hjxuwpqd.onion
DOMAIN	darksidfqzcuhtk2.onion
URL	yeeterracing.com/gate

Minimum Content Versions:

Content Type	Version
V2 DAT (VirusScan Enterprise)	9988
V3 DAT (Endpoint Security)	4442

Detection Summary

IOC	Scanner	Detection
7D57E0BA8B36EC221B16807CE4E13A1125D53922FA50C3827A5EBD6811736FFD	AVEngine V2	Trojan FFGrabber
	AVEngine V3	Trojan FFGrabber
	JTI (ATP Rules)	JTI/Suspect.196612!4d3d3919dda0
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
6184E4C8915A3924A9A12E26C42CFFEF35A1D1380A8C0A236EF65DF71B20C217	AVEngine V2	RDN/Generic.com
	AVEngine V3	RDN/Generic.com
	JTI (ATP Rules)	JTI/Suspect.196612!6af99fd0c053
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
B43BDE75780244AEEE719AE926C1F901291574C9400B5E6D0C2FDC135D0C6FE5	AVEngine V2	Remoteadmin.q
	AVEngine V3	Remoteadmin.q
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
36BC32BECF287402BF0E9C918DE22D886A74C501A33AA08DCB9BE2F222FA6E24	AVEngine V2	MLFNG
	AVEngine V3	MLFNG
	JTI (ATP Rules)	JTI/Suspect.196612!91889658f1c8
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
0A0C225F0E5EE941A79F2B7701F1285E4975A2859EB4D025D96D9E366E81ABB9	AVEngine V2	GenericRXOM-JN!979692CD7FC6
	AVEngine V3	GenericRXOM-JN!979692CD7FC6
	JTI (ATP Rules)	JTI/Suspect.196612!979692cd7fc6
	RP Static	Real Protect-PEE!979692CD7FC6
	RP Dynamic	-

IOC	Scanner	Detection
68872CC22FBDF0C2F69C32AC878BA9A7B7CF61FE5DD0E3DA200131B8B23438E7	AVEngine V2	GenericRXNK-MC!9E779DA82D86
	AVEngine V3	GenericRXNK-MC!9E779DA82D86
	JTI (ATP Rules)	JTI/Suspect.196612!9e779da82d86
	RP Static	Real Protect-PEE!9E779DA82D86
	RP Dynamic	-

IOC	Scanner	Detection
BAFA2EFFF234303166D663F967037DAE43701E7D63D914EFC8C894B3E5BE9408	AVEngine V2	Ransomware-HED!B278D7EC3681
	AVEngine V3	Ransomware-HED!B278D7EC3681
	JTI (ATP Rules)	JTI/Suspect.196612!b278d7ec3681
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
48A848BC9E0F126B41E5CA196707412C7C40087404C0C8ED70E5CEE4A418203A	AVEngine V2	Generic-FAWW!C81DAE5C67FB
	AVEngine V3	Generic-FAWW!C81DAE5C67FB
	JTI (ATP Rules)	JTI/Suspect.196612!c81dae5c67fb
	RP Static	Real Protect-PEE!C81DAE5C67FB
	RP Dynamic	-

IOC	Scanner	Detection
9CEE5522A7CA2BFCA7CD3D9DABA23E9A30DEB6205F56C12045839075F7627297	AVEngine V2	Ransomware-HBC!10ED48796107
	AVEngine V3	Ransomware-HBC!10ED48796107
	JTI (ATP Rules)	JTI/Suspect.196612!f87a2e1c3d14
	RP Static	Real Protect-PEE!F87A2E1C3D14
	RP Dynamic	-

IOC	Scanner	Detection
CA77F63A08F4E01E7E7294695EB300610E65F22333256D547D0125075BED2CC8	AVEngine V2	Trojan-ransom.j
	AVEngine V3	Trojan-ransom.j
	JTI (ATP Rules)	JTI/Suspect.196612!1716c6a315ce
	RP Static	Real Protect-PEE!1716C6A315CE
	RP Dynamic	-

IOC	Scanner	Detection
F7EDA7111AC0F95DFBD817BD0962DEFE35412DE12964F178421122E96C72495B	AVEngine V2	Generic dropper.avh
	AVEngine V3	Generic dropper.avh
	JTI (ATP Rules)	JTI/Suspect.196612!8079676dd625
	RP Static	Real Protect-SS!8079676DD625
	RP Dynamic	-

IOC	Scanner	Detection
B1C7872598053EB2FD07B0EABE223CBCCEF2EDD2E403255B5AB8646E32124862	AVEngine V2	HTool-SysInfo
	AVEngine V3	HTool-SysInfo
	JTI (ATP Rules)	JTI/Suspect.196612!ea3999af92a5
	RP Static	-
	RP Dynamic	-

Minimum set of Manual Rules to improve protection to block this campaign
{INSIGHTSWARNING.EN_US}

Endpoint Security - Advanced Threat Protection:

Rule ID: 4 Use GTI file reputation to identify trusted or malicious files
Rule ID: 334 Identify registry modifications to suspect locations

Endpoint Security - Exploit Prevention:

Rule ID: 6086 Powershell Command Restriction - Command
Rule ID: 6135 Unmanaged Powershell Detected
Rule ID: 344 T1060 - New Startup Program Creation

Host Intrusion Prevention:

Rule ID: 6135 Unmanaged Powershell Detected

Aggressive set of Manual Rules to improve protection to block this campaign
{INSIGHTSWARNING.EN_US}

Virusscan Enterprise - Access Protection Rules:

Prevent programs registering to autorun
Prevent creation of new executable files in the Windows folder

Host Intrusion Prevention:

Rule ID: 6010 Generic Application Hooking Protection
Rule ID: 344 T1060 - New Startup Program Creation
Rule ID: 6011 Generic Application Invocation Protection
Rule ID: 1148 CMD Tool Access by a Network Aware Application
Rule ID: 1020 Windows Agent Shielding - File Access
Rule ID: 412 Double File Extension Execution
Rule ID: 2806 Attempt to create a hardlink to a file

Endpoint Security - Access Protection Rules:

Registering of programs to autorun

Endpoint Security - Dynamic Application Containment:

Modifying the Services registry location
Modifying startup registry locations

Affected Products

MVISION Insights

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center

MVISION Insights: CISA-FBI Joint Cybersecurity Advisory On DarkSide Ransomware

Environment

Summary

Affected Products

Glossary of Technical Terms

Title

Title

Knowledge Center

MVISION Insights: CISA-FBI Joint Cybersecurity Advisory On DarkSide Ransomware

Environment

Summary

Affected Products

Glossary of Technical Terms

Choose your region

Title

Title