Pierluigi Paganini May 13, 2021

FBI and DHS’s CISA have published a joint alert on DarkSide ransomware activity after the disruptive attack on Colonial Pipeline.

FBI and DHS’s CISA have published a joint alert to warn of ransomware attacks conducted by the DarkSide group. The alert comes after the disruptive attack that hit Colonial Pipeline that caused chaos and disruption.

The Darkside ransomware gang first emerged in the threat landscape in August 2020, in recent months the group was very active and targeted organizations worldwide.

Early this year the group announced that it will no longer attack organizations in the healthcare industry, companies involved in the development and distribution of COVID-19 vaccines, and funeral service organizations.

The alert provides technical details and mitigations related to the activity of Darkside ransomware gang. The group provides Ransomware-as-a-Service (RaaS) to a network of affiliates.

“DarkSide is ransomware-as-a-service (RaaS)—the developers of the ransomware receive a share of the proceeds from the cybercriminal actors who deploy it, known as “affiliates.” According to open-source reporting, since August 2020, DarkSide actors have been targeting multiple large, high-revenue organizations, resulting in the encryption and theft of sensitive data. The DarkSide group has publicly stated that they prefer to target organizations that can afford to pay large ransoms instead of hospitals, schools, non-profits, and governments.[3],[4]” reads the joint alert.

“According to open-source reporting, DarkSide actors have previously been observed gaining initial access through phishing and exploiting remotely accessible accounts and systems and Virtual Desktop Infrastructure (VDI) (Phishing [T1566], Exploit Public-Facing Application [T1190], External Remote Services [T1133]).[5],[6] DarkSide actors have also been observed using Remote Desktop Protocol (RDP) to maintain Persistence [TA0003].[7].”

The alert confirmed that crooks use DarkSide to gain access to a victim’s network to encrypt files on internal systems and exfiltrate data, then threaten to expose data if the victim refuses to pay the ransom.

US agencies warn that groups employed DarkSide ransomware in attacks aimed at organizations across various Critical Infrastructure sectors, including manufacturing, legal, insurance, healthcare, and energy.

Immediately after the attack on Colonial Pipeline, the DarkSide group pointed out that it is financially motivated and that there is no political motivation behind its intrusion.

“Our goal is to make money, and not creating problems for society,” reads a statement from the group.

The FBI/CISA joint alert includes mitigations for ransomware attacks: 

• Require multi-factor authentication for remote access to OT and IT networks.
• Enable strong spam filters to prevent phishing emails from reaching end users. Filter emails containing executable files from reaching end users.
• Implement a user training program and simulated attacks for spearphishing to discourage users from visiting malicious websites or opening malicious attachments and re-enforce the appropriate user responses to spearphishing emails.
• Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses. Prevent users from accessing malicious websites by implementing URL blocklists and/or allowlists.
• Update software, including operating systems, applications, and firmware on IT network assets, in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program.
• Limit access to resources over networks, especially by restricting RDP. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require multi-factor authentication.
• Set antivirus/antimalware programs to conduct regular scans of IT network assets using up-to-date signatures. Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware.
• Implement unauthorized execution prevention by: 
  • Disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
  • Implementing application allowlisting, which only allows systems to execute programs known and permitted by security policy. Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular internet browsers or compression/decompression programs, including the AppData/LocalAppData folder.
  • Monitor and/or block inbound connections from Tor exit nodes and other anonymization services to IP addresses and ports for which external connections are not expected (i.e., other than VPN gateways, mail ports, web ports). For more guidance, refer to Joint Cybersecurity Advisory AA20-183A: Defending Against Malicious Cyber Activity Originating from Tor.
  • Deploy signatures to detect and/or block inbound connection from Cobalt Strike servers and other post exploitation tools.

CISA and FBI urge CI owners and operators to apply the following mitigations now to reduce the risk of severe business or functional degradation should their CI entity fall victim to a ransomware attack in the future.

• Implement and ensure robust network segmentation between IT and OT networks.
• Organize OT assets into logical zones.
• Identify OT and IT network inter-dependencies and develop workarounds or manual controls. 
• Regularly test manual controls.
• Implement regular data backup procedures 

“CISA and the FBI do not encourage paying a ransom to criminal actors,” concludes the alert. “Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered.”

Please vote Security Affairs as Best Personal cybersecurity Blog
https://docs.google.com/forms/d/e/1FAIpQLSer_6yOZrL8OO6XjJ9yj3Mlq9LvuOakdTZN9ZmhkFCy1aQLdw/viewform

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, DarkSide)

[adrotate banner=”5″]

[adrotate banner=”13″]