Following the ransomware attack that impacted the pipeline operated by Georgia-based Colonial Pipeline, security firms are providing detailed information on the cybercriminal gang behind the attack.
The pipeline is said to carry roughly 45% of the fuel consumed on the East Coast, with the attack considered the most disruptive cyberattack to date on critical U.S. infrastructure.
The incident was quickly associated with the cybercriminal gang known as DarkSide, which has been active since August 2020.
In January 2021, Bitdefender released a decryptor for the DarkSide ransomware, to help victims restore their files without paying the ransom. However, the hackers took steps to ensure that the decryptor no longer works.
DarkSide functions as a ransomware-as-a-service (RaaS), where affiliates help deliver the malware in exchange for a percentage of the amount the victim pays in ransom. At least five Russian-speaking affiliates have been identified to date, security researchers with FireEye’s Mandiant team reveal.
The RaaS features the typical characteristics of any ransomware enterprise: after the target systems have been compromised, data is encrypted and exfiltrated for extortion purposes, and the victim is provided with means of contacting the attackers to receive details on the payment request and to negotiate the ransom.
The profit is shared with the affiliates, who are granted access to an administrative panel only after passing an interview and who can perform various actions, including breaching organizations and helping with ransomware deployment. The affiliate receives up to 25% from payments of up to $500,000, or 10% for payments above $5 million.
Unlike other similar enterprises out there, the DarkSide gang maintains a blog on the Tor network, where they boast about compromised organizations, likely in an attempt to pressure them into paying the ransom, FireEye notes. The threat actor might also engage in distributed denial-of-service (DDoS) attacks against victims unwilling to pay.
Victims are also provided with the possibility to directly negotiate the ransom payment with the attackers. In one incident, the attackers demanded a $30 million ransom, but the victim got it down to $11 million after negotiations and also received assurances that all of the stolen data would be deleted and that its network would not be hit again, investigative journalist Brian Krebs reports.
To date, DarkSide has been used in attacks targeting tens of organizations in the financial services, technology, legal, manufacturing, retail, and professional services sectors.
Security researchers with cybercrime intelligence firm Intel 471 say that, for initial access, the threat actors use access credentials purchased on underground forums, brute-force attacks, and spam email campaigns or botnets for malware delivery. At least one zero-day vulnerability was used in such attacks.
Post-exploitation tools employed in DarkSide attacks may include Cobalt Strike, Metasploit, BloodHound, Mimikatz, F-Secure Labs’ Custom Command and Control (C3) framework, TeamViewer, the SMOKEDHAM backdoor, and the NGROK utility.
FireEye has analyzed the attacks associated with three of the DarkSide affiliates, revealing that, while one of them would deploy the ransomware only three days after the initial compromise, a more established adversary (active since April 2019) tends to lurk in the compromised networks for months before making a similar move.
“We believe that threat actors have become more proficient at conducting multifaceted extortion operations and that this success has directly contributed to the rapid increase in the number of high-impact ransomware incidents over the past few years. Ransomware operators have incorporated additional extortion tactics designed to increase the likelihood that victims will acquiesce to paying the ransom prices,” FireEye notes.
On Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released an alert to provide information on the best practices organizations should adopt to prevent falling victim to DarkSide ransomware attacks.
Some of these include multi-factor authentication, robust network segmentation between IT and OT networks, regular testing, the implementation of backups (which should be isolated), restricted access, and unauthorized execution prevention.
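Brute-force attacks against exposed logins are named above as one of the initial access vectors, and restricted access is among the controls recommended in the alert. As an added illustration that is not part of the original report, the following Python snippet shows the kind of detection logic a defender can run over authentication logs to surface such activity: it flags a source that produces a burst of failed logins within a short window and notes whether a successful login followed the burst, which is the case most worth escalating. The log format, field names, thresholds and sample lines are all constructed for this example and do not come from any real incident.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines (not from any real incident).
# Assumed format: "<ISO timestamp> <FAIL|SUCCESS> user=<name> src=<ip>"
SAMPLE_LOG = """\
2021-05-07T02:00:01 FAIL user=administrator src=198.51.100.23
2021-05-07T02:00:03 FAIL user=administrator src=198.51.100.23
2021-05-07T02:00:04 FAIL user=backup_svc src=198.51.100.23
2021-05-07T02:00:06 FAIL user=administrator src=198.51.100.23
2021-05-07T02:00:08 FAIL user=helpdesk src=198.51.100.23
2021-05-07T02:00:09 SUCCESS user=backup_svc src=198.51.100.23
2021-05-07T09:15:00 FAIL user=jsmith src=192.0.2.10
2021-05-07T09:15:20 SUCCESS user=jsmith src=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>FAIL|SUCCESS)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip unparseable lines instead of aborting the whole scan
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source that logged >= threshold failures inside `window`.

    Each alert records the distinct usernames tried and whether a SUCCESS from
    the same source followed the burst within `window` (a guess that worked).
    """
    events_by_src = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            events_by_src[event["src"]].append(event)

    alerts = []
    for src, events in events_by_src.items():
        events.sort(key=lambda e: e["ts"])
        failures = [e for e in events if e["result"] == "FAIL"]

        # Sliding window over the failure timestamps for this source.
        start = 0
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = failures[end]["ts"]
                followed_by_success = any(
                    e["result"] == "SUCCESS"
                    and burst_end <= e["ts"] <= burst_end + window
                    for e in events
                )
                alerts.append({
                    "src": src,
                    "failures": end - start + 1,
                    "users": sorted({f["user"] for f in failures[start:end + 1]}),
                    "followed_by_success": followed_by_success,
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The threshold and window are deliberately parameters: a single failed login from a user who then succeeds (the second source in the sample) is normal behaviour and produces no alert, while a burst of failures across several account names followed by a success is exactly the pattern that enforcing MFA and restricting remote access are meant to blunt.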