DarkSide Ransomware Halts Critical Infrastructure & CyanLine’s Best Practices

Note* DarkSide investigation is pending. CyanLine will update as we learn more.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) recently became aware of a ransomware attack affecting a critical infrastructure (CI) entity, a pipeline company in the United States. Malicious cyber actors deployed malware dubbed “DarkSide ransomware” against the pipeline company’s information technology (IT) network.

What Technical Details We Know So Far

On May 7, 2021, Colonial Pipeline Company learned it had become the victim of a serious cybersecurity attack involving malware. Colonial Pipeline and the assisting agencies confirmed later that day that the attack involved ransomware, a type of malware that encrypts files on the victim's systems and withholds the means to decrypt them until the victim organization pays to restore access.

Technical Details

DarkSide is ransomware as a service (RaaS). RaaS works the way the name suggests: individuals or teams with limited malware development skills lease the ransomware from the developers who build and maintain it, and the developers take a share of the proceeds from the criminals who deploy it, known as "affiliates". According to open-source reporting and alert platforms, DarkSide affiliates have been actively targeting multiple large, high-revenue organizations with attacks similar to the one on Colonial Pipeline.

DarkSide affiliates have been observed gaining initial access through phishing and by exploiting remotely accessible accounts and systems, including Virtual Desktop Infrastructure (VDI). They have also been reported to use Remote Desktop Protocol (RDP) to maintain persistence. After gaining access, the DarkSide crew exfiltrate sensitive data and then deploy the ransomware to encrypt systems; they then threaten to publicly release the stolen data if the ransom is not paid. In this case DarkSide reportedly demanded $5 million.

DarkSide primarily uses The Onion Router (Tor) for command and control (C2). The actors have also been observed using Cobalt Strike for C2.
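The RDP activity described above is something a defender can look for in the Windows Security log. The script below is an added example written for this page, not CyanLine tooling or anything from the DarkSide investigation: it parses flattened Security-log records (the sample records are constructed; EventID 4624 is a successful logon, 4625 a failed one, and LogonType 10 is a RemoteInteractive, i.e. RDP, logon) and flags successful RDP logons from outside the corporate address space, or ones that follow a burst of failed attempts against the same account from the same source. The corporate ranges are a hypothetical allow-list.

```python
"""Flag the RDP activity described above in Windows Security log records:
RemoteInteractive logons from outside the corporate address space, and
successes that follow a burst of failures against the same account from
the same source.  Added example, not CyanLine tooling; the records below
are constructed and the corporate ranges are hypothetical."""
import ipaddress
import re
from collections import Counter

# Hypothetical corporate ranges; any other source address counts as external.
CORPORATE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("192.168.0.0/16")]

# Constructed, flattened Security-log records.  EventID 4624 = logon succeeded,
# 4625 = logon failed; LogonType 10 = RemoteInteractive (RDP), 3 = network.
SAMPLE_RECORDS = r"""
EventID=4624 Account=CORP\jdoe LogonType=10 IpAddress=10.20.1.15
EventID=4624 Account=CORP\svc_backup LogonType=3 IpAddress=10.20.1.40
EventID=4625 Account=CORP\admin LogonType=10 IpAddress=203.0.113.45
EventID=4625 Account=CORP\admin LogonType=10 IpAddress=203.0.113.45
EventID=4625 Account=CORP\admin LogonType=10 IpAddress=203.0.113.45
EventID=4624 Account=CORP\admin LogonType=10 IpAddress=203.0.113.45
EventID=4624 Account=CORP\jsmith LogonType=10 IpAddress=192.168.5.9
"""

RECORD = re.compile(r"EventID=(\d+) Account=(\S+) LogonType=(\d+) IpAddress=(\S+)")


def parse_records(text):
    """Turn the flattened records into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            events.append({"id": int(m.group(1)), "account": m.group(2),
                           "type": int(m.group(3)), "ip": m.group(4)})
    return events


def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def suspicious_rdp_logons(events, failure_threshold=3):
    """Return (account, source_ip, reasons) for each successful RDP logon that
    came from outside the corporate ranges or was preceded by at least
    failure_threshold failed RDP logons for the same account from the same source."""
    failures = Counter()
    alerts = []
    for ev in events:
        if ev["type"] != 10:          # only RemoteInteractive (RDP) logons
            continue
        key = (ev["account"], ev["ip"])
        if ev["id"] == 4625:
            failures[key] += 1
        elif ev["id"] == 4624:
            reasons = []
            if not is_corporate(ev["ip"]):
                reasons.append("external source")
            if failures[key] >= failure_threshold:
                reasons.append(f"{failures[key]} failed logons before success")
            if reasons:
                alerts.append((ev["account"], ev["ip"], reasons))
            failures[key] = 0         # start a new window after a success
    return alerts


if __name__ == "__main__":
    for account, ip, reasons in suspicious_rdp_logons(parse_records(SAMPLE_RECORDS)):
        print(f"{account} from {ip}: {', '.join(reasons)}")
```

On the constructed records only the CORP\admin logon from 203.0.113.45 is flagged, for both reasons at once; the internal RDP logons and the service account's network logon are ignored. In production the same logic would be fed from the Security channel rather than from a string, and the external-source check should also be applied to VDI gateway logs, since the page lists VDI alongside RDP as an entry point.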

If A Critical Infrastructure Organization Has Fallen Victim to Ransomware

CyanLine suggests removing the infected system from the network and isolating it. The system must be isolated from any and all networks, including wireless if your organization uses it. If your organization uses drive mapping, ensure every mapped drive is disconnected from the system, whether it is reached over a wired or a wireless connection. Any system that shared a network with the infected system must also be disconnected from that network, so that the malware cannot spread if it has not already done so. Gather the infected systems, and the systems that shared a network with them, in a central location and label each one "infected" or "possibly infected" until you know for certain; if a system's files have been encrypted, label it "encrypted".
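Deciding which systems fall under "shared the same network" is the part of this step that is easy to get wrong under pressure, so here is an added example, not CyanLine tooling, that applies the rule above to a host inventory: every host on the same segment as a confirmed-infected host, every file server the infected host had a drive mapped to, and every host with a drive mapped to the infected host is labeled "possibly infected" and should be disconnected, while confirmed hosts are labeled "infected" or "encrypted". The inventory, hostnames and addresses are constructed.

```python
"""Scope network containment for a ransomware incident.  Given the host(s)
confirmed infected, list the systems that shared a network segment with
them or have drive mappings to or from them, and assign the triage labels
the text describes.  Added example, not CyanLine tooling; the inventory,
hostnames and addresses below are constructed."""
import ipaddress

# Constructed inventory: host -> (address/prefix, UNC paths of its mapped drives)
INVENTORY = {
    "ws-ops-01": ("10.20.1.15/24", [r"\\fs-ops-01\shared"]),
    "ws-ops-02": ("10.20.1.16/24", [r"\\fs-ops-01\shared", r"\\fs-eng-01\projects"]),
    "fs-ops-01": ("10.20.1.40/24", []),
    "fs-eng-01": ("10.30.2.40/24", []),
    "ws-eng-07": ("10.30.2.77/24", [r"\\fs-eng-01\projects"]),
    "ws-hr-03":  ("10.40.3.12/24", [r"\\fs-hr-01\files"]),
}


def share_host(unc_path):
    """Server name from a UNC path: '\\\\fs-ops-01\\shared' -> 'fs-ops-01'."""
    return unc_path.strip("\\").split("\\")[0].lower()


def containment_scope(inventory, infected, encrypted=()):
    """Return {host: label}.  Labels: 'infected' (confirmed), 'encrypted'
    (files already encrypted), 'possibly infected' (shared a segment or a
    drive mapping with an infected host; disconnect until verified), or
    'no direct path' (nothing in the inventory links it to an infected host)."""
    infected = {h.lower() for h in infected}
    encrypted = {h.lower() for h in encrypted}
    hot_networks = {ipaddress.ip_interface(inventory[h][0]).network for h in infected}
    # File servers the infected hosts had mapped: ransomware encrypts reachable shares.
    hot_shares = {share_host(p) for h in infected for p in inventory[h][1]}
    labels = {}
    for host, (addr, mappings) in inventory.items():
        key = host.lower()
        if key in infected:
            labels[host] = "infected"
        elif key in encrypted:
            labels[host] = "encrypted"
        else:
            on_hot_segment = ipaddress.ip_interface(addr).network in hot_networks
            maps_infected = any(share_host(p) in infected for p in mappings)
            if on_hot_segment or key in hot_shares or maps_infected:
                labels[host] = "possibly infected"
            else:
                labels[host] = "no direct path"
    return labels


if __name__ == "__main__":
    scope = containment_scope(INVENTORY, ["ws-ops-01"], encrypted=["fs-ops-01"])
    for host, label in scope.items():
        print(f"{host:10s} {label}")
```

The scope is deliberately one hop, matching the rule in the text; as soon as a "possibly infected" host is confirmed, rerun with it added to the infected list and the hosts reachable through its own drive mappings are pulled into scope. "No direct path" means only that the inventory shows no link, not that the host is clean.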

CyanLine also suggests securing backups. Keep them offline, and test them. Ask yourself, "How do I know the backup we just created works?" If you have the capability to restore a backup in a test environment, do it. Where possible, scan backups with the antimalware software your organization has chosen to use before relying on them.
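A restore test can be automated rather than left to a manual spot check. The script below is an added example, not CyanLine tooling: it records a SHA-256 manifest of the source tree at backup time, writes the archive, then restores the archive into a scratch directory and compares every file against the manifest, reporting anything missing, altered or unexpected. The sample tree built in demo() is constructed; the manifest file name is an assumption of this example.

```python
"""Test that a backup actually restores.  Take a SHA-256 manifest of the
source tree at backup time, write the archive, then restore it into a
scratch directory and compare every file against the manifest.  Added
example, not CyanLine tooling; the sample tree in demo() is constructed."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """{relative posix path: sha256} for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src, archive):
    """Write a gzip tarball of src plus an <archive>.manifest.json beside it."""
    src, archive = Path(src), Path(archive)
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    archive.with_name(archive.name + ".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_restore(archive, manifest):
    """Restore into a throwaway directory and return the list of problems
    (missing, altered or unexpected files).  An empty list means the archive
    restores exactly what the manifest says was backed up."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # The 'data' filter (Python 3.12+, backported to maintenance
            # releases) refuses absolute paths, '..' traversal and unsafe links.
            if hasattr(tarfile, "data_filter"):
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        restored = build_manifest(scratch)
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    problems.extend(f"unexpected file in restore: {rel}"
                    for rel in restored if rel not in manifest)
    return problems


def demo():
    """Back up a constructed tree, verify it, then show a tampered manifest failing.
    Returns (problems_with_good_manifest, problems_with_tampered_manifest)."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "sub").mkdir(parents=True)
        (src / "config.ini").write_text("[pipeline]\nmode=normal\n")
        (src / "sub" / "readings.bin").write_bytes(bytes(range(256)))
        archive = Path(work) / "backup.tar.gz"
        manifest = create_backup(src, archive)
        good = verify_restore(archive, manifest)
        tampered = dict(manifest)
        tampered["config.ini"] = "0" * 64        # pretend the file changed
        tampered["sub/ghost.dat"] = "0" * 64     # pretend a file was never archived
        bad = verify_restore(archive, tampered)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("good manifest:", good or "OK")
    print("tampered manifest:", bad)
```

Keep the manifest with the offline copy of the backup, not only on the system being backed up, or ransomware that encrypts the source tree can encrypt the record you would verify against. Running verify_restore() on a schedule turns "we have backups" into "we restored them last night and every hash matched".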

CyanLine suggests not paying the ransom if your organization is asked for one. Paying encourages adversaries to target organizations with a history of "paying up" and encourages other criminal actors to take up distributing ransomware. Paying is also no guarantee that the organization will get its data back once the money is sent.

Victim of Ransomware? Contact Us!
