Ensign Threat Advisory: DarkSide Ransomware
A cyber attack on Friday has crippled critical infrastructure in the US. It caused Colonial Pipeline, the source of nearly half the US East Coast’s fuel supply to shut down 5,550 miles of pipe, stranding countless barrels of gasoline, diesel and jet fuel on the Gulf Coast. The relatively new ransomware group known as DarkSide targeted attacks against their information technology (IT) network. Currently, there is no indication that their operational technology (OT) networks have been directly affected by the ransomware.
Like other ransomware platforms, DarkSide adheres to the current best practice of double extortion, demanding separate sums to unlock any files and servers, and promise to destroy any data stolen from the victim.
After gaining an initial foothold in the network, the attackers collect files and credentials, and exfiltrate them. They then use PowerShell to download the ransomware binary and proceed to move laterally with the main goal of conquering the Domain Controller (DC). After exfiltrating all sensitive information, they then distribute the binary to other assets in the environment, encrypting sensitive data such as finance, private information and partners documents for maximum damage.
First surfacing on Russian language hacking forums in August 2020, DarkSide is a ransomware-as-a-service platform that cybercriminals can use to infect companies with ransomware and carry out negotiations and payments with victims. DarkSide says it targets only big companies, and forbids affiliates from attacking certain industries, including healthcare, funeral services, education, public sector and non-profits.
DarkSide has shown itself to be ruthless with victim companies that have deep pockets. In January 2021, a negotiation was observed between the DarkSide crew and a $15 billion U.S. victim company that was hit with a $30 million ransom demand.
A cyber threat intel vendor had assessed (finding at “moderate” confidence) that some of the criminals behind DarkSide hail from another ransomware outfit called “REvil,” a.k.a. “Sodinokibi”. REvil is widely considered to be the newer name for GandCrab, a ransomware-as-a-service offering that closed shop in 2019 after bragging that it had extorted more than $2 billion.
Ensign Posture & Monitoring
Ensign provides advanced cybersecurity services which can detect and prevent the execution of ransomware such as this incident. Ensign has stepped up monitoring operations, and will advise clients of any anomalies detected from the monitored event logs. We have performed rounds of checks to verify security configurations are up-to-date.
- CII asset owners and operators to adopt a heightened state of awareness
- Keep systems fully patched
- Regularly backup files remotely
- Implement security solutions to segregate and protect your environment (e.g. firewalls, proxies, web filtering, mail filtering, endpoint detection and response)
- Scan your endpoints for indicators of compromise (IOC) - https://otx.alienvault.com/pulse/60821a187be8d208269c103c
- Take reference from CISA recommendations to review your systems and apply mitigating measures to reduce the risk of compromise by ransomware – https://us-cert.cisa.gov/sites/default/files/2021-05/AA21-131A_DarkSide_Ransomware.pdf.
Ensign will continue to provide updates on the incident and inform you of additional recommendations. If you suspect that you have been compromised, you can contact us for digital forensic and incident response services. You can also take preemptive measures to protect your assets against new and unknown threats through our threat hunting and threat intelligence programme. Contact us at firstname.lastname@example.org for more information.