Darkside Ransomware

THE THREAT

On May 7, 2021 Colonial Pipeline was the victim of a ransomware attack. According to official statements from Colonial[1], this attack negatively impacted operations, initially halting pipeline operations as certain systems were taken offline to contain the threat. Colonial is actively working with law enforcement and government partners to investigate the threat as they restore pipeline operations.

On May 10th, the FBI released a statement[2] attributing the attack to the Darkside ransomware threat group. Darkside operates using a Ransomware-as-a-Service (Raas) model and utilizes the double extortion technique (data encryption, data theft and leak). eSentire is closely monitoring this event for actionable information to protect our customers.

What we’re doing about it

• eSentire services identify common ransomware techniques, including those associated with the Darkside ransomware threat
• eSentire security teams are continuing to monitor this event for any additional actionable information

What you should do about it

• Harden remote access services and edge devices against attacks
  • Require MFA on network ingress points such as VPN or RDP
  • Prioritize systems exposed to untrusted networks for patching
  • Restrict administrator access to network appliances using VPN
• Check for monitoring blind spots
  • Domain Controllers are a key target for ransomware actors, ensure eSentire has adequate visibility through deployment of EDR agents and centralized logging on Domain Controllers’ (DCs) and other servers.

• Reduce lateral movement opportunities for attackers
  • Employ the principle of least privilege
  • Implement network segmentation
  • Disable RDP if not used
  • Disable SMBv1
  • Regularly patch systems
• Maintain offline backups of key data and applications

Additional information

According to research from security services firm CyberReason [3], Darkside first emerged in August 2020 following the Ransomware-as-a-Service (RaaS) model. This model outsources the intrusion and deployment of Darkside ransomware by other threat actors in return for a share of the ransom payment. Darkside operates a leak site, where stolen data is posted to further increase pressure on victims. Darkside primarily targets organizations in English speaking countries and various industries. Notably, affiliates are instructed to avoid targets such as hospitals, NPOs and companies responsible for COVID-19 vaccine development and distribution.

As Darkside operates with the RaaS model, intrusion actions leading to Darkside ransomware deployment vary. According to public sources [3] [4], operators have gained entry through insecure remote access services using compromised credentials. Once inside the network, attackers used known techniques for increasing access and compromising the network, including Living-off-the-Land Binaries (LOLbins) and offensive security tools such as Cobalt Strike, Mimikatz and others. Similar to ransomware attacks observed by eSentire, Darkside operators reportedly target Domain Controllers from which additional actions can be taken in pursuit of their objectives.

eSentire security teams are tracking the Colonial incident and will take action as necessary to update detection measures.

References:

[1] https://www.colpipe.com/news/press-releases/media-statement-colonial-pipeline-system-disruption
[2] https://www.fbi.gov/news/pressrel/press-releases/fbi-statement-on-network-disruption-at-colonial-pipeline
[3] https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware
[4] https://www.varonis.com/blog/darkside-ransomware/