Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

5/12/2021
04:54 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Putting the Spotlight on DarkSide

Incident responders share insight on the DarkSide ransomware group connected to the recent Colonial Pipeline ransomware attack.

Details continue to emerge about the ransomware attack that hit Colonial Pipeline late last week, forcing the major US pipeline operator to take some systems offline and temporarily halt pipeline operations. The FBI has linked ransomware-as-a-service (RaaS) group DarkSide to the attack.

Related Content:

Colonial Pipeline Cyberattack: What Security Pros Need to Know

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: Cybersecurity: What Is Truly Essential?

Colonial Pipeline runs a system spanning 5,500 miles between Houston, Texas, and northern New Jersey, delivering about 45% of the fuel for the East Coast, the company says. In an update published May 12, officials reported they had initiated the restart of pipeline operations and note it will take several days for the product delivery supply chain to return to normal. 

Since its system was taken offline, Colonial has delivered about 967,000 barrels, or 41 million gallons, to delivery points along the pipeline, the company said in a May 11 update. It prepared for the system reboot with delivery of 2 million more barrels from refineries for deployment upon restarting. It has also boosted aerial patrol of its pipeline and deployed personnel to walk or drive some 5,000 miles of the pipeline daily.

On May 12, the company confirmed to The Washington Post it would not be paying the ransom. Rather, it is working to restore data from backups where possible and rebuild systems for which backups are not available.

Additional updates include an advisory from the FBI and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), which warn of the DarkSide ransomware group and provide guidance on strengthening security practices.

A ransomware attack on a utility company is not unusual for DarkSide or the industrial sector. Earlier this year, DarkSide was connected to attacks on Brazilian electric utilities Eletrobras and Copel, which were forced to temporarily stop some operations. But this attack seems to have more reach than the DarkSide operators expected, and shortly after the attack they released a statement to state that "our goal is to make money, and not creating problems for society."

The group went further to say they planned to "introduce moderation and check each company that our partners want to encrypt" to avoid potential social repercussions from future attacks.

"This appears to be a reaction to the spotlight that has now been put on them," says Peter Mackenzie, incident response manager at Sophos, which had been hired to respond to, or intervene in, earlier attacks from the ransomware group. "DarkSide [is] a sophisticated group of attackers responsible for some of the most devastating attacks we see at the moment."

The RaaS group emerged in August 2020. Its operators and partners have targeted organizations across more than 15 countries and several industries, including financial services, legal, manufacturing, professional services, retail, and tech. It doesn't target hospitals, schools, universities, nonprofits, or the public sector, according to a technical writeup from Mandiant, which was reportedly called to help respond to the Colonial Pipeline attack.

DarkSide's owners share profits with affiliates who conduct the attacks, provide access to target organizations, and deploy the ransomware. It's believed the operators are mainly responsible for maintaining the platform their partners use to customize ransomware files, deciding which leaked information goes on their leak site, and handling negotiations, Mackenzie explains. The group's affiliates likely have experience playing the same role for other ransomware syndicates.

"The first attack we investigated we believe was the original threat actor behind DarkSide, as they didn't have much interest in getting paid. They were happy for data to be leaked instead to help make a name for themselves," he says. "The following incidents were likely affiliates, but it is difficult to be sure."

Because of the way DarkSide operates, it's unclear how much control the group's owners have over affiliates who break into networks and launch ransomware, Sophos researchers explain.

This is a big question following the Colonial Pipeline attack: Was this the work of the DarkSide group itself or the work of one of its many partners? Mandiant has identified at least five Russian-speaking attackers who may currently be, or have previously been, DarkSide affiliates. Some attackers who claim to use DarkSide's services have also allegedly partnered with other RaaS affiliate programs, including Babuk and Sodinokibi, or REvil, Mandiant researchers report.

Standing Out from The Pack
DarkSide is one of many advanced groups targeting organizations today. It has many similarities to Ryuk, REvil, DoppelPaymer, and others, Mackenzie says. Most of these groups employ the same general approach of gaining network access, compromising domain admin credentials, creating lists of target servers and infrastructure, and identifying backups and sensitive data.

"Then when they are ready, often days or weeks after first gaining access, they will deploy the ransomware like a normal application that an admin might deploy," he notes. Like many others, DarkSide uses the "double extortion" technique of first exfiltrating large amounts of data and then encrypting the network before threatening to publish the data if the ransom demand isn't met.

In some ways, DarkSide is different. The group not only attacks Windows machines; it deploys Executable and Link Format (ELF) binaries to target data on Linux devices as well. The Linux version of its ransomware specifically targets VMDK files, Sophos reports, noting these are virtual hard disk drives to be used in virtual machines, including VMware and VirtualBox.

What Organizations Can Do
Are these attacks happening more often, or are we simply hearing about them more often? Marty Edwards, vice president of OT security at Tenable, says "it is a little bit of both."

Data supports his point: New research from Check Point reveals a 102% increase in ransomware attacks this year compared with early 2020, with healthcare and utilities topping the most targeted sectors since the beginning of April 2021. Last year, it is estimated ransomware cost global businesses some $20 billion – nearly 75% more than the cost in 2019.

"Organizations are to be applauded for their increased transparency during incidents such as these and, as a result, we are hearing about them more often," Edwards says. "Most experts tend to agree that the tempo is also increasing, meaning that there are more and more of these attacks happening every single day."

While this attack affected Colonial's enterprise network, it underscores how businesses must consider the interconnected nature of OT operations. While many organizations feel they have highly segmented OT networks to include industrial control systems, ICS security firm Dragos notes this is often not the case.

"It is common to hear about pending IT-OT convergence, but in reality much of that convergence took place a decade ago, and the preventative controls, such as segmentation, that the organizations had in place have atrophied over time through misconfigurations, additional devices, or just the nature of needing increased connectivity for the business," Dragos experts wrote in a blog post.

Monitoring the crown jewels of an organization should be a top priority, they said. Security teams should also know what the most relevant logs are, where they are kept, and how long they are available – a must-have when responding to an attack like this one. Experts also advise installing network monitoring across internal OT networks for visibility into IT/OT connections.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-18442
PUBLISHED: 2021-06-18
Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value "zzip_file_read" in the function "unzzip_cat_file".
CVE-2021-3604
PUBLISHED: 2021-06-18
Secure 8 (Evalos) does not validate user input data correctly, allowing a remote attacker to perform a Blind SQL Injection. An attacker could exploit this vulnerability in order to extract information of users and administrator accounts stored in the database.
CVE-2005-2795
PUBLISHED: 2021-06-18
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2021-32954
PUBLISHED: 2021-06-18
Advantech WebAccess/SCADA Versions 9.0.1 and prior is vulnerable to a directory traversal, which may allow an attacker to remotely read arbitrary files on the file system.
CVE-2021-32956
PUBLISHED: 2021-06-18
Advantech WebAccess/SCADA Versions 9.0.1 and prior is vulnerable to redirection, which may allow an attacker to send a maliciously crafted URL that could result in redirecting a user to a malicious webpage.