On May 7, 2021, a cybercriminal group forced Colonial Pipeline, the largest pipeline system for refined oil products in the United States, to shut down their operations. The group locked down Colonial Pipeline’s computer systems and stole over 100 GB of corporate data.
The FBI has identified the group as the DarkSide ransomware group, according to a recent post by the New York Times. There is evidence that the group is based in Russia, although the group claims to be “apolitical” and not part of any state-sponsored operation.
The DarkSide ransomware group released their RaaS (Ransomware-as-a-Service) in August of 2020, which includes an affiliate program that offers 10-25% of the proceeds. While Colonial Pipeline has resumed operations, the group has since targeted other companies, including construction companies and various other product resellers in the US.
Given that DarkSide provides RaaS, they may have a potentially large affiliate network, which makes it difficult to know exactly how much direct involvement the group has in these attacks.
What Makes DarkSide Ransomware Attacks Different?
What sets DarkSide apart from other cybercriminal groups is that they use very sophisticated and stealthy tactics to infect and extort their victims. Examples of such tactics include:
- The use of sophisticated obfuscation techniques to evade signature-based detection mechanisms
- The use of Tor to send Command & Control messages to a remote server without detection
- The use of distributed storage systems in Iran to store and leak data stolen from victims
- Avoiding nodes where Endpoint Detection and Response (EDR) technologies are installed
- Using customized payloads for each victim
- Deleting log files to cover their tracks
- Harvesting credentials from files, memory and domain controllers
- Deleting backups, including shadow copies
The DarkSide ransomware group appears to be patient and well organized, and to have a deep knowledge of its victims, including any weaknesses in their infrastructure and security technologies. For example, they won’t actually deploy the ransomware program until they have established an in-depth knowledge of the environment, exfiltrated the relevant data, gained control of privileged accounts, established backdoors and identified all systems, servers, applications and backups. They also provide support to victims via web chat and carry out a financial analysis of the victims prior to initiating the attack.
How to Prevent DarkSide Ransomware Attacks
Now, obviously, a small caveat needs to be made here: completely preventing ransomware attacks is an impossible task, especially when the attacking organization is as sophisticated as DarkSide. However, there are a few things that you can do to lower the threat and mitigate any potential damage.
Use multi-factor authentication
Given that the group will use a variety of techniques to gain access to privileged accounts prior to initiating an attack, a good place to start would be to use multi-factor authentication (MFA) on all privileged accounts, as doing so will stop a brute-forced password alone from granting access to these accounts. If you are unable to use MFA for whatever reason, at least make sure that you have a strong password policy in place.
Enforce “least privilege” access
Employees often have far more access to sensitive data than they need, which will obviously make life easier for the group were they to gain access to an employee’s account. It is crucially important that employees and third parties only have access to the data they need to perform their role, and you will need policies in place that stipulate how and when access should be granted and revoked.
Automated patch management
Ensuring that all software is patched in a timely manner is (or at least should be) a standard cybersecurity procedure. It’s fair to say that the DarkSide group won’t hesitate to exploit each and every software vulnerability they can find. At the very least, you should have a patch management policy in place. Better still would be to adopt a solution that will source the latest patches for all software you use and install them automatically.
Use the latest and greatest threat detection technologies
Even though the DarkSide group uses techniques to evade most threat detection technologies, that doesn’t render these technologies obsolete. You still need to ensure that you are using the latest threat detection technologies available, including UBA, AV, IPS, DLP, SIEM, NGFW, and more.
Monitor privileged account access for suspicious activity
Use a real-time auditing solution to monitor access to all privileged accounts. Most real-time auditing solutions use machine learning techniques to learn typical usage patterns. When usage patterns deviate from what would be considered “normal”, such as an employee accessing their account during the early hours of the morning, an alert will be sent to the administrator, who will investigate the incident.
Use threshold alerting to respond to anomalous events
Most sophisticated real-time auditing solutions are able to detect and respond to events that match a pre-defined threshold condition, which can be valuable for a number of reasons. Firstly, it can be used to identify anomalous logon failures, which might be a sign of a brute-force attack. Alternatively, were the group successful in deploying and executing their ransomware code, threshold alerting could be used to prevent the attack from spreading. For example, if X files have been encrypted within a given time-frame, a custom script could be executed which might disable a user account, stop a specific process, change the firewall settings or simply shut down the affected server.
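An illustration of the off-hours monitoring and threshold-alerting ideas in the last two sections, written as an added example (not code from the original article or from any auditing product it mentions): it runs a sliding-window threshold check over a handful of constructed log events. The limits (10 logon failures or 50 file writes per user per minute), the 07:00-19:59 business-hours window and the user names are all assumed values for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from the article): (timestamp, user, event type).
# "logon_failure" stands in for a failed-logon audit record, "file_write" for a
# file-system audit record, "privileged_logon" for an admin/service account logon.
SAMPLE_EVENTS = [
    ("2021-05-07T03:02:00", "svc_backup", "privileged_logon"),            # 3 a.m. admin logon
    *[(f"2021-05-07T09:00:{i:02d}", "jdoe", "logon_failure") for i in range(12)],
    *[(f"2021-05-07T10:15:{i:02d}", "svc_backup", "file_write") for i in range(60)],
    ("2021-05-07T11:00:00", "asmith", "logon_failure"),                   # a single typo
]

# Threshold rules (assumed values): event type -> (max count, window, response action).
RULES = {
    "logon_failure": (10, timedelta(minutes=1), "lock_account"),   # brute-force indicator
    "file_write": (50, timedelta(minutes=1), "isolate_host"),      # mass-encryption indicator
}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59; a privileged logon outside this is anomalous


def evaluate(events, rules=RULES):
    """Return alerts as (rule, user, timestamp, action); one alert per (user, rule) breach.

    Events are processed in time order; each (user, event type) pair keeps a deque of
    timestamps inside the rule's window, so the count is a true sliding-window count.
    """
    windows = defaultdict(deque)
    alerts, fired = [], set()
    for ts_str, user, event in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        if event == "privileged_logon" and ts.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_privileged_logon", user, ts_str, "review_session"))
            continue
        if event not in rules:
            continue
        limit, window, action = rules[event]
        q = windows[(user, event)]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > limit and (user, event) not in fired:
            fired.add((user, event))      # alert once per breach, not on every later event
            alerts.append((f"{event}_threshold", user, ts_str, action))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(*alert)
```

The action field is where a real deployment would hook the custom script the article describes (disabling the account, killing the process or isolating the host); here it is only returned so the decision can be inspected.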
Security awareness training
Given that the DarkSide group sometimes uses phishing techniques to gain access to credentials and deploy their malware, you must ensure that your employees have been sufficiently trained to identify and report any suspicious emails, text messages and phone calls.
Store backups offline or in a separate storage location
As mentioned, the DarkSide group will try to delete your backups before initiating an attack. You should keep a copy of all backups on either a removable disk or in a location that is not directly connected to your network. Likewise, it would also be a good idea to back up your log files, as the group may try to delete them in order to cover their tracks.