Colonial Pipeline and Darkside Ransomware
By Stephan Schenk,
Ransomware Incident Briefing
On May 7, 2021, the Colonial Pipeline experienced a ransomware attack. The organization was afflicted by Darkside ransomware, which is a known ransomware as a service (RaaS), and was verified by the FBI on May 10, 2021. Originally, there were few concrete details on how the cyberattack took place, and only now has information been released by their third-party forensics firm, Mandiant (FireEye).
The ransomware attack on the pipeline network is significant as it provides up to 2.5 million barrels of refined gasoline to the United States daily and accounts for 45% of the East Coast’s fuel supplies.
It is widely accepted that the Darkside RaaS emerged in the second half of 2020 and has been on a tear ever since. Their malicious network has affected numerous countries and industries. In that short amount of time, they have impacted more than 65 organizations which places them in the top 10 as a ransomware gang since 2019 overtaking some of the more infamous actors such as REvil (Sodinokibi) and Ragnar.
Like other RaaS operators, Darkside established a blog within TOR and uses that to exert public pressure on their victims. They also published restrictions on their service as they claim to prohibit actors from targeting hospitals, schools, public sector entities, and non-profit organizations.
Threat actors have been seen bundling Darkside with some of the most popular malicious tool sets such as CobaltStrike, Mimikatz, and Ngrok, and TTPs such as utilizing Dropbox with malicious compressed files for payloads, taking advantage of RDP, PsExec, and WinRM.
Potential Mitigations of a Ransomware Attack
As this execution of ransomware is the primary goal for this attack and others that utilize Darkside RaaS, Deepwatch recommends implementing and adhering to published best practices for mitigating the attacks. We have included the Indicators of Compromise in the Appendix along with additional reading references.
Per CISA, the following precautions are highly recommended to protect users and organizations against the threat of ransomware:
- Update software and operating systems with the latest patches. Outdated applications and operating systems are the target of most attacks.
- Never click on links or open attachments in unsolicited emails.
- Back up data on a regular basis. Keep it on a separate device and store it offline.
- Restrict users’ permissions to install and run software applications, and apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through a network.
- Use application allow listing to allow only approved programs to run on a network.
- Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email to prevent email spoofing.
- Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
- Implement unauthorized execution prevention by disabling macros in email.
- Configure firewalls to block access to known malicious IP addresses.
- Require multi-factor authentication for remote access to OT and IT networks.
- Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses. Prevent users from accessing malicious websites by implementing URL blocklists and/or allow lists.
- Limit access to resources over networks, especially by restricting RDP. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require multi-factor authentication.
- Set antivirus/antimalware programs to conduct regular scans of IT network assets using up-to-date signatures. Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware.
- Monitor and/or block inbound connections from Tor exit nodes and other anonymization services to IP addresses and ports for which external connections are not expected (i.e., other than VPN gateways, mail ports, web ports).
Deepwatch MDR & Ransomware
Since a ransomware attack can occur on many different fronts, a comprehensive defense-in-depth strategy is required. The attack vectors specifically target email, vulnerabilities, networks, and endpoints. As such, organizations need to invest in the technologies and programs needed to keep them secure. This is in addition to the traditional anti-virus software requirements.
Vectors to Monitor
As we discussed, the vast majority of ransomware attacks begin with email, either spam or targeted social engineering. Protective controls to support email security should be put in place to monitor email and identify spam, phishing, malware, and fraudulent content.
Vulnerability management (VM) is a key program for reducing risk within an organization’s security program. The VM scanners will identify known vulnerabilities in technologies and apply a criticality rating. For example, it can detect an unpatched application that has a remote code execution vulnerability that is residing on an internet facing server. Such a vulnerable application in our example would be a highly desired target for malicious actors. Being able to identify and mitigate vulnerabilities is critical to hardening your environment.
All devices that are online within the network should be monitored for suspicious or malicious activity. This can vary from changes that occur on the device itself, who authenticated on the device, or even what was accessed. Newer technologies, such as Endpoint Detection & Response (EDR), have been developed to explicitly monitor these devices and the activities that occur within them.
Network monitoring is a key component to having a healthy infrastructure. By performing this, an organization can see issues as they arise thereby allowing the appropriate teams to be engaged to stave off catastrophe. Additional benefits to this are identifying devices that are being impacted by resource constraints or segments of the network that are congested thereby causing latency.
Lastly, with all of the technology and security a wealth of data is generated. This data needs to be aggregated and consolidated into a single pane of glass. It is too difficult for an administrator or security associate to login to numerous applications to monitor and respond. This is where a Security Information & Event Management (SIEM) solution comes in. By aggregating all of the aforementioned data into a single source, this allows administrators and security professionals to monitor all applications and systems simultaneously as well as quickly identify and respond as they arise. An attack can be traced across multiple technologies quickly which enables the technology teams to mitigate exponentially faster.
Ransomware Preparedness with Deepwatch
Preparing to handle a ransomware event and responding to a ransomware incident are two different aspects of preparing for the unfortunate ransomware event. By working with Deepwatch as a trusted provider of managed security services, organizations can access a full spectrum of security services to help identify and resolve ransomware risks, and ways to harden their environment, enrich data with threat intelligence, and detect and respond to the threats quickly and decisively. As a leader in managed detection and response, vulnerability management, managed EDR and managed firewall solutions, Deepwatch is able to support customers with preventative measures, as well as 24/7 detection and response to ransomware.
Indicators of Compromise
Network Security Best Practices
How to Defend Against and Identify Phishing Emails
Three Reasons for Network Security Issues
How to talk about cybersecurity risk management