With so much misinformation and bad information floating around related to the Darkside hack of Colonial pipeline I feel obligated to set the record straight. To my friends on the right: It was NOT an inside job by the Biden govt.
They have failed to secure vital national infrastructure because they spent the money on transgender Palestinian critical race theory pet projects. So, lets get it straight. Biden govt isn’t off the hook, they’re the morons that have failed to secure infrastructure.
But they aren’t involved beyond that. Matter of fact, they don’t much appear to be involved in governing much at all. They seem content with just watching the country fall apart. With that finished, Darkside:
It’s a new ransomware strain that first showed up in August 2020. It follows the Raas (ransomware-as-a-service) model, and recently 2.0 was released.
The team is very active on hack forums and keeps its customers updated with news related to the ransomware. The group has expanded by now offering an affiliates program for potential users.
That’s right – a simple example “Blackbeard” the Pirate. He is the original that offers affiliate programs for other pirates who would raid on his behalf, pay him for his program to conduct the raid, abide by some of his rules, etc.
It uses the double extortion trend. So, they exfiltrate the users data, encrypt it, and then threaten to make it public if ransom isn’t paid. This is smart because backing up data no longer matters. They just extract it, encrypt it and you’re on the hook if you want it back.
DarkSide appears to have a code of conduct that prohibits attacks against hospitals, hospices, schools, universities, non-profit organizations, and government agencies:
Its pretty crazy how professional the program is. The group has a phone number and even a help desk to facilitate negotiations with victims and are meticulous in collecting information about their victims -
not just technical information about their environment, but more general information about the company itself, like the organization’s size and estimated revenue. This can help the group gauge the appropriate ransom amount.
If not on the prohibited list, the attackers continue to carry out the operation. Its that simple. Rules for pirates.
The attackers begin to collect files, credentials, and other sensitive information, and exfilitrate it. The attackers use PowerShell to download the DarkSide binary as “update.exe” using the “DownloadFile” command, abusing Certutil.exe and Bitsadmin.exe in the process. Here:
In addition to downloading the DarkSide binary into the C:\Windows and temporary directories, the attacker also creates a shared folder on the infected machine & uses PowerShell to download a copy of the malware there.
They then move laterally with the goal of dominating the Domain Controller. At this point having gotten to the DC, they collect more sensitive info and files, including dumping the SAM hive that stores the targets’ passwords. Here:
In addition to collecting data from the DC, the pirates use PowerShell to download the DarkSide binary from the shared folder created on the previously infected host. Here:
The attackers also create a shared folder using the company’s name on the DC itself and copies the DarkSide binary.
Later after all data has been exfiltrated, the attackers use bitsadmin.exe to distribute the ransomware binary from the shared folder to other assets in the environment to maximize the damage. Here:
In order to execute the ransomware on the DC, the attackers create a scheduled task called “Test1” that is configured to execute the ransomware. Here:
Now this is interesting! When the DarkSide ransomware first acts on the infected host, it checks the language on the system, using GetSystemDefaultUILanguage() and GetUserDefaultLangID() functions to avoid systems located in the former Soviet Bloc countries from being encrypted.
Crazy, right!? It purposefully won’t encrypt files on systems with the following languages installed: Russian-419, Ukrainian–422, Belarusian–423, Tajik-428, Armenian-42B, Azerbaijani(Latin)-42C, Georgian-437, Kazakh-43F, Kyrgyz(Cyrillic)-440, Turkmen-442, Uzbek(Latin)-443,
Tatar-444, Romanian(Moldova)-818, Russian(Moldova)-819, Azerbaijani(Cyrillic)-82C, Uzbek(Cyrillic)-843, Arabic(Syria)-2801.
This could make you think, AH HA! This is Russian Government. But no. Its not. But it may a reason the Russian government may occasionally play ball with DarkSide.
DarkSide then proceeds to stop the following services related to security and backup solutions: vss, sql, svc, memtas, mepocs, Sophos, veeam, backup. Here we see it stopping services, and creating connection to the hardcoded C2:
It then creates a connection to its C2 (command and control) server, and in different samples analyzed, the attackers use the following domains and IPs: 198.54.117[.]200, 198.54.117[.]198, 198.54.117[.]199, 198.54.117[.]197, temisleyes[.]com, catsdegree[.]com
Then, after uninstalling the Volume Shadow Copy Service (VSS), DarkSide then deletes the shadow copies by launching an obfuscated PowerShell script that uses WMI to delete them. Seen Here:
And Here:
The de-obfuscated PowerShell script:
Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
The malware then enumerates the running processes and terminates different processes to unlock their files so it can both steal related info stored in the files and encrypt them.
DarkSide creates a unique User_ID string for the victim, and adds it to the encrypted files extension as follows: <File_name>.{userid}.
In addition, the malware also changes the icons for the encrypted files and changes the background of the desktop. Seen Here:
And then finally, as is required by a group expecting ransom, it leaves a ransom note. Seen here:
This is a Russian criminal enterprise. PERIOD. Now I have no doubt the Russian government keeps tabs on DarkSide or even some of the individual hackers. Like I said, maybe they playball with DarkSide on occassion or maybe they dont.
What this has done is place them fully on the radar and within the cross hairs of the NSA and all US Cyber Security elements. Perhaps even all the cyber security elements of 5 Eyes. Not good for a group of criminals that only manages to extort 200,000 to 2,000,000 per attack.
This is what happens though when you’re a pirate and you offer an affiliates program. Sometimes your affiliates can make really big, really dumb mistakes.
Pirates love money and sometimes you attack what you think is a small ship, but it turns out to be a naval armada ready to destroy you. American infrastructure is a horrible target if you want to make money and stay off the radar.
Some may say, well if they were criminals and wanted to stay off the radar they would have extorted another business and not an national infrastructure related one. This proves the Russian government is behind this. Only a government would have the balls to do this. Maybe.
More likely than not thought a DarkSide affiliate made a targeting error. This happens. Its why our best JSOC strike teams sometimes hit empty target building and other times hit a hornets nest they weren't expecting. I suspect this is the case.
This thread is more info than the Govt or Colonial pipeline will admit. Hopefully it stops the spread of SOME misinformation. Maybe it creates more. I don't know. But this should offer more information than most had prior to. Use your best judgement.

Be kind to your neighbors.

• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with CulturalHusbandry

CulturalHusbandry Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @APhilosophae

10 May
Let it be understood that the customs and practices of our American forefathers produced excellent men, and prominent men practiced and retained the institutions of our founders.
However, now as the care of the Republic has come to us we see what was once a beautiful garden neglected and unkempt. We have not even taken the slightest care to add new soil, or water that which was already planted and once vibrant.
What is now left of our Institutions which Washington, Jefferson, and Adams labored such to create? These institutions have been left to rot, buried and when encountered molested by the hands of lesser men.
Read 5 tweets
10 May
Todays Fraud Recap:
Biden win ‘suspicious,’ 289,000 election-changing ‘excess’ votes…
An analysis of the 2020 presidential vote suggests that there were 289,000 “excess” votes for Joe Biden in states his victory over President Trump was small, and that differences in votes by neighbors were “suspicious.”
The precinct level estimates for Georgia and Pennsylvania indicate that vote fraud may account for Biden’s win in both states. The voter turnout rate data also indicates that there are significant excess votes in Arizona, Michigan, Nevada, and Wisconsin as well.
Read 14 tweets
10 May
Biden and Harris will lie and say they had no knowledge of election fraud. See Psaki's 'to our knowledge' tweet.

MSM will point to their fake polls and propaganda that claims Biden is extremely popular and the entire country thinks he's doing a good job.
MSM will remind people of the 6th Jan and how every single Trump supporter is an enemy and a white supremacist.

A case will be made that just because Trump got more votes it is not an excuse to allow fascism back. Plus, the election got certified even if they were false results.
Comparisons to Hitler and the Nazis, Confederates, insurrectionists and tiki torch carrying, neck vein bulging white supremacists will be made and people will be forced through potential social humiliation into accepting Trump as president is a bad idea. Govt wont budge.
Read 4 tweets
5 May
Strap in champ, this is going to take a while.

1. Witnesses in past contested elections

FL Presidential 2000: 2
MO 78th District 2016: 16
NC 9th District 2018: 6
NY 22nd District 2020: 2
GA Presidential 2020: 100
MI Presidential 2020: 131
PA Presidential 2020: 300
2. The Court or Election Board's response:

FL Presidential 2000: Evid. Hearing

MO 78th District 2016: Evid. Hearing

NC 9th District 2018:Evid. Hearing

NY 22nd District 2020: Evid. Hearing
GA Presidential 2020: No Evid. Hearing

MI Presidential 2020: No Evid. Hearing

PA Presidential 2020: No Evid. Hearing
Read 32 tweets
4 May
Short thread:

Scientists noticed that the spike on the outside of the virus is responsible for some nasty long term effects of covid. It's the spike that all the mRNA therapies use to make them "vaccines".…
Your cells now produce these spike proteins, they say for about a day, because your DNA has now been programed. This is supposed to cause your immune system to attack the spike protein at the point of attachment, thus giving you immunity to the virus. Makes sense, but...
what I havent seen discussed in the 3 months or so of vaccination related data are that these things have caused 33% of all the vaccine deaths reported on VAERS since they started collecting data in 1990.
Read 8 tweets
4 May
This is what Jacques Attali wrote in 1981, who was then an advisor to François Mitterrand as recorded in interviews with Michel Salomon, Les Visages de l’avenir collection, éditions Seghers:
“The future will be about finding a way to reduce the population. We start with the old, because as soon as they exceed 60-65 years, people live longer than they produce and that costs society dearly.
Then the weak, then the useless that do not help society because there will always be more of them, and above all, ultimately, the stupid. Euthanasia targeting these groups;
Read 8 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!