Guest post from Tetra Defense
With the recent headlines of the ransomware attack on Colonial Pipeline, Tetra Defense offers a breakdown of how this attack unfolded and what it means for you.
What Happened?
On May 7th, 2021, it was reported that Colonial Pipeline, the transporter of petroleum products and provider of 45% of all fuel consumed on the East Coast, suffered a ransomware attack that temporarily halted their operations. Colonial Pipeline responded in a statement that upon learning of their attack, they had “a leading, third-party cybersecurity firm… engaged, and they… launched an investigation into the nature and scope of this incident.”
Since this incident began, several factors have come to light. The FBI confirmed that the attackers responsible for this incident were known as Darkside Ransomware, Colonial Pipeline opted to pay a ransom amount for their data, and as of May 12th, 2021, Colonial Pipeline has “initiated in the restart of pipeline operations… at approximately 5pm ET,” as mentioned in a media statement.
Just one week after the initial attack was reported, on May 14th, 2021, the Darkside ransomware group announced that their “servers were seized (country not named), money of advertisers and founders was transferred to an unknown account.” Being left without their servers and their method of “invoicing” their victims led them to close up shop as reported by a cybercrime forum.
Who was Darkside?
Both Tetra Defense and the industry at large report the emergence of the Darkside ransomware variant in August of 2020. This threat actor group followed many of the same “business” models we’ve seen from other ransomware operators — the main plays being multi-faceted extortion, Ransomware as a Service (RaaS), and casting a wide net of potential targets / victims.
Darkside’s multi-faceted extortion usually involved both data encryption (rendering data inaccessible) and data exfiltration (data theft), requiring a victim to both de-crypt their data and incentivizing a payment to keep their data from being released on a dark web blog or forum.
Darkside’s dark web presence included a “shaming” blog that publicly named victims of their ransomware, as well as being mentioned on separate forums to outline new features of their malware and recruit partners to distribute it. “Based on forum advertisements,” as reported by FireEye, “the [individual] RaaS operators take 25% for ransom fees less than $500,000, but this decreases to 10 percent for ransom fees greater than $5 million.” The double extortion tactic, the dark web forums, and the RaaS business model are not unique to Darkside ransomware.
As if to further demonstrate the booming “economy” of ransomware operations, in the short nine months that Darkside was active, they reportedly extorted at least $90 million in ransoms paid by their victims.
Prior to closing up shop, a press release from the attackers themselves mentioned how victims would be vetted to make sure they don’t come across as a “political” organization. As reported by Brian Krebs, Darkside claimed to “forbid affiliates from dropping ransomware on organizations in several industries including healthcare, funeral services, education, public sector and non-profits.” Claiming a moral line in the sand is not uncommon for threat actors, and other ransomware strains like Conti and Sodinokibi have tried managing their reputation through similar tactics. Despite their noble claims, these ransomware operators have proven to be capable of large interruptions and not keeping their word.
What does this mean for me?
As we wait for the market to return to normalcy when it comes to gas prices, there are a few other factors to consider. Darkside ransomware was not a monolith, and similar strains (SunCrypt, Sodinokibi, and Babuk to name a few) are still active and still just as disruptive. While major business interruptions draw attention, smaller organizations face the majority of successful ransomware attacks, yet make the minority of headlines. No matter what industry you operate within, ransomware is a risk that applies to you as well.
With regards to the ransomware cases we investigate daily, no matter the variant, our most impactful security tip is to limit external exposure. A very common attack vector still used by threat actors to deploy ransomware is publicly exposed Remote Desktop Protocol (RDP), which allows an attacker to operate a workstation from anywhere in the world as if they were sitting in front of it themselves. This vector is so common that on every incident response case, one of the first questions asked is “Do you have RDP exposed?” Every service and system an organization leaves exposed to the public internet is at risk of being compromised, so limiting this exposure is the highest priority.
In light of this attack, another security priority should be enabling Multi-Factor Authentication (MFA) to protect accounts within your network. MFA is not only highly recommended, but also a convenient security feature that may already be built into common tools and applications. Lawrence Abrams of Bleeping Computer recently reported this tip in response to the Colonial Pipeline attack, and how “…almost all ransomware gangs, are buying access to your networks.” “Buying access” in this case refers to how credentials to accounts are scraped, stolen, and become available on the dark web for purchase as a potential entry method into a new network. When attackers are equipped with stolen credentials on such a large scale, MFA is a great safeguard to protect individual accounts.
What is being done about this attack?
While Darkside ransomware may no longer be in operation, there is reason to believe that “A number of the operators will most likely operate in their own closed-knit groups, resurfacing under new names and updated ransomware variants,” according to Intel 471. To combat this imminent resurfacing, and to stay ahead of the already active ransomware variants, cybersecurity must be kept front-of-mind.
What steps should I take?
The first step in securing your network comes with addressing that exact challenge: Knowing what you need. Oftentimes decisions makers within an organization are on one end of a spectrum, with IT teams and their insight, resources, and needs being on the opposite end. Because attacks like these take place on an all too regular basis, keeping your cybersecurity front of mind is a must. Connecting with trusted security professionals, cyber insurance resources, and keeping up with the latest solutions to support IT teams can help protect your organization from the next major headline.
Cybersecurity is an industry that has opposite, and often stronger forces constantly fighting against the latest defenses, and this pattern is not expected to change anytime soon. As private businesses and government entities react to this attack (alongside Microsoft Exchange and SolarWinds supply chain attacks) it highlights the importance of staying proactive when it comes to security.
To start being proactive with your security today, Tetra Defense offers a free assessment to test your defenses against ransomware. By answering our in-depth questions, you’ll learn how your cyber environment measures up against the latest tactics used by ransomware operators. Try our Ransomware Stress Test.
NOTE: Post republished with permission of the author.
Tetra Defense began with one goal in mind: To go beyond what’s been done before. We launched the Digital Forensics and Incident Response (DFIR) division to guide businesses through complex challenges such as ransomware attack response, business email compromise, IP theft investigations, and so on. We provide valuable, straightforward guidance for businesses to proactively address and improve their cybersecurity posture in accordance with the latest threats, and our latest solutions.