Author: Yadu Nadh
1. Executive Summary
On 11 May 2021, the Cybersecurity and Infrastructure Security Agency (CISA) published advisory AA21-131A [1], which detailed a ransomware attack on Colonial Pipeline, a critical infrastructure operator in the U.S. In this attack, the threat actor(s) deployed DarkSide ransomware against the pipeline company’s IT infrastructure, and the company responded with the precautionary measure of shutting down 5,500 miles of pipeline, which left fuel stranded on the Gulf Coast [2].
Although first observed in the wild in August 2020, DarkSide ransomware was formally advertised on XSS, a popular Russian-language hacker forum, in November 2020 [3]. Infoblox has observed and can confirm this activity since early 2021.
DarkSide is a ransomware-as-a-service (RaaS) offering: the threat actors who deploy the ransomware, known as “affiliates,” share a portion of the profits with the developers. Threat actors use DarkSide to steal and encrypt sensitive data, and they are known to target large, high-revenue organizations that can afford to pay large ransoms rather than hospitals, schools, governments, etc.
Once the DarkSide actors gain access to a victim’s network, they exfiltrate sensitive data and deploy the ransomware to encrypt the victim’s files. They then apply a double extortion method: they demand one ransom for the key to decrypt the files, and they threaten to publicly release the stolen data to pressure the victim into paying.
DarkSide affiliates have been known to use a variety of strategies to gain initial access to networks, such as brute-force attacks, spam campaigns, credentials purchased from underground forums, or the exploitation of exposed or vulnerable remote-access services such as Remote Desktop Web (RDWeb), Remote Desktop Protocol (RDP) or Citrix. Actors have also purchased access to popular botnets, including Dridex, Trickbot and Zloader.
The DarkSide attackers establish communication with their command and control (C&C) infrastructure over RDP tunneled through the Tor network. As a secondary C&C channel, the attackers have used Cobalt Strike and other post-exploitation tools. Threat actors associated with DarkSide have also been known to use additional tools such as Metasploit, Mimikatz and BloodHound.
DarkSide relies on “living off the land” (LotL) techniques [4]; researchers at Varonis also observed the ransomware scanning the network, running commands, dumping processes and stealing credentials. It encrypts files on fixed and removable drives as well as on network shares using Salsa20, with the per-file key material protected by an RSA-1024 public key [5]. The ransomware also generates a custom executable and a custom file extension for each victim to evade signature-based detection.
On execution, DarkSide copies itself to the path “%Temp%” and injects its code into an existing process. It loads its libraries dynamically to avoid detection by antivirus (AV) or endpoint detection and response (EDR) solutions, and it stops running if it observes any indication that it is executing inside a virtual machine [6].
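To make the encryption scheme described above concrete, the following is an added example (not DarkSide’s code and not from the Infoblox report) of the hybrid file-encryption structure the paragraph describes: a fresh Salsa20 key and nonce for each file, with that key material wrapped under an RSA-1024 public key so that only the holder of the private key can recover it. Salsa20 is implemented from the specification; the RSA step is textbook and unpadded, which is enough to show the structure but is not a secure construction. The function names, the trailer layout and the sample document are assumptions of this example.

```python
"""Hybrid file encryption: per-file Salsa20 key wrapped under RSA-1024.
Added example, not DarkSide's code. Textbook RSA (no padding) is used only
to show the structure; it is not a secure construction."""
import math
import secrets
import struct

MASK = 0xFFFFFFFF


def _rotl(v: int, n: int) -> int:
    return ((v << n) | (v >> (32 - n))) & MASK


def _quarter(y0, y1, y2, y3):
    """Salsa20 quarterround from the specification."""
    y1 ^= _rotl((y0 + y3) & MASK, 7)
    y2 ^= _rotl((y1 + y0) & MASK, 9)
    y3 ^= _rotl((y2 + y1) & MASK, 13)
    y0 ^= _rotl((y3 + y2) & MASK, 18)
    return y0, y1, y2, y3


def salsa20_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """One 64-byte Salsa20/20 keystream block (32-byte key, 8-byte nonce)."""
    sigma = struct.unpack("<4I", b"expand 32-byte k")
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    x = [sigma[0], k[0], k[1], k[2], k[3], sigma[1], n[0], n[1],
         counter & MASK, (counter >> 32) & MASK,
         sigma[2], k[4], k[5], k[6], k[7], sigma[3]]
    z = list(x)
    for _ in range(10):  # 10 double rounds = 20 rounds
        for a, b, c, d in ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),   # columns
                           (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)):  # rows
            z[a], z[b], z[c], z[d] = _quarter(z[a], z[b], z[c], z[d])
    return struct.pack("<16I", *((xi + zi) & MASK for xi, zi in zip(x, z)))


def salsa20_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream cipher: XOR data with successive keystream blocks (also decrypts)."""
    out = bytearray()
    for off in range(0, len(data), 64):
        block = salsa20_block(key, nonce, off // 64)
        out += bytes(p ^ s for p, s in zip(data[off:off + 64], block))
    return bytes(out)


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):  # Miller-Rabin
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 1024):
    """Returns ((n, e), (n, d)). The private half never leaves the attacker."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def encrypt_file(plaintext: bytes, pub) -> bytes:
    """Salsa20-encrypt with a fresh key/nonce; append the RSA-wrapped key material."""
    n, e = pub
    file_key, nonce = secrets.token_bytes(32), secrets.token_bytes(8)
    wrapped = pow(int.from_bytes(file_key + nonce, "big"), e, n)  # textbook RSA
    trailer = wrapped.to_bytes((n.bit_length() + 7) // 8, "big")
    return salsa20_xor(file_key, nonce, plaintext) + trailer


def decrypt_file(blob: bytes, priv) -> bytes:
    """Only the private exponent can unwrap the per-file key from the trailer."""
    n, d = priv
    size = (n.bit_length() + 7) // 8
    body, wrapped = blob[:-size], int.from_bytes(blob[-size:], "big")
    material = pow(wrapped, d, n).to_bytes(40, "big")
    return salsa20_xor(material[:32], material[32:], body)


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    doc = b"constructed sample document, not a real victim file\n" * 20
    locked = encrypt_file(doc, pub)
    assert locked[:len(doc)] != doc and decrypt_file(locked, priv) == doc
    print(f"encrypted {len(doc)} bytes; recoverable only with the private key")
```

The point for responders is the trailer: the per-file key is recoverable from the encrypted file only with the attacker’s private key, so without that key (or a flaw in the actor’s implementation) the symmetric cipher’s speed buys the victim nothing.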
3. Prevention and Mitigation
CISA urges critical infrastructure owners and operators to apply the following mitigations to reduce the risk of compromise by ransomware attacks:
- Require multi-factor authentication for remote access to OT and IT networks.
- Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses.
- Update software, including operating systems, applications and firmware on IT network assets in a timely manner.
- Limit access to resources over networks, especially by restricting RDP.
- Set antivirus/antimalware programs to conduct regular scans of IT network assets using up-to-date signatures.
- Monitor and/or block inbound connections from Tor exit nodes.
- Deploy signatures to detect and/or block inbound connections from Cobalt Strike servers and other post-exploitation tools.
- Implement and ensure robust network segmentation between IT and OT networks.
- Organize OT assets into logical zones.
- Identify OT and IT network inter-dependencies and develop workarounds or manual controls.
- Implement regular data backup procedures on both the IT and OT networks.
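Several of the items above can be checked directly against firewall logs. The following is an added example (not from the Infoblox report or from CISA) that hunts constructed firewall log lines for three of the listed conditions: inbound traffic from Tor exit nodes, RDP reachable from sources outside an allowlist, and egress to known-bad addresses. The log format, the internal ranges, the jump-host allowlist, and the Tor-exit and blocklist entries (documentation-range addresses) are all assumptions of the example; in practice the lists would be fed from the Tor Project’s published exit list and your threat-intelligence feeds.

```python
"""Hunt firewall logs for the network conditions CISA's DarkSide mitigations
call out: inbound Tor exit-node traffic, RDP reachable from untrusted sources,
and egress to known-bad addresses. Added example; all data below is constructed."""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Constructed lists: documentation-range addresses stand in for a real Tor
# exit list and for a threat-intel blocklist.
TOR_EXIT_NODES = {ipaddress.ip_address(a) for a in ("198.51.100.23", "203.0.113.77")}
KNOWN_BAD = {ipaddress.ip_address("203.0.113.77")}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
RDP_ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/16")]  # assumed jump-host range
RDP_PORT = 3389

# Assumed generic key=value firewall format.
LOG_RE = re.compile(
    r"(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) spt=(?P<spt>\d+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)"
)

# Constructed sample log lines.
SAMPLE_LOGS = """\
2021-05-12T03:14:07Z action=allow proto=tcp src=198.51.100.23 spt=51234 dst=10.1.2.10 dpt=3389
2021-05-12T03:14:09Z action=allow proto=tcp src=10.20.5.7 spt=50001 dst=10.1.2.10 dpt=3389
2021-05-12T03:15:00Z action=allow proto=tcp src=192.0.2.44 spt=44110 dst=10.1.2.11 dpt=3389
2021-05-12T03:16:30Z action=allow proto=tcp src=10.1.2.10 spt=60321 dst=203.0.113.77 dpt=443
2021-05-12T03:17:02Z action=allow proto=tcp src=10.1.2.12 spt=60322 dst=192.0.2.80 dpt=443
2021-05-12T03:18:45Z action=deny proto=tcp src=198.51.100.23 spt=51300 dst=10.1.2.13 dpt=445
"""

Finding = Tuple[str, str, str, str, int]  # (rule, action, src, dst, dpt)


def _is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def _rdp_allowed(ip) -> bool:
    return any(ip in net for net in RDP_ALLOWED_SOURCES)


def evaluate_line(line: str) -> List[Finding]:
    """Apply the three rules to one log line; unparseable lines yield nothing."""
    m = LOG_RE.match(line)
    if not m:
        return []
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    dpt, action = int(m["dpt"]), m["action"]
    findings: List[Finding] = []
    inbound = _is_internal(dst) and not _is_internal(src)
    # Mitigation: monitor/block inbound connections from Tor exit nodes
    # (denied attempts are still worth seeing, so the action is recorded).
    if inbound and src in TOR_EXIT_NODES:
        findings.append(("inbound_from_tor_exit", action, str(src), str(dst), dpt))
    # Mitigation: restrict RDP to approved sources only.
    if dpt == RDP_PORT and _is_internal(dst) and not _rdp_allowed(src):
        findings.append(("rdp_from_untrusted_source", action, str(src), str(dst), dpt))
    # Mitigation: prohibit egress to known malicious addresses.
    if _is_internal(src) and not _is_internal(dst) and dst in KNOWN_BAD:
        findings.append(("egress_to_known_bad", action, str(src), str(dst), dpt))
    return findings


def hunt(lines: Iterable[str]) -> List[Finding]:
    return [f for line in lines for f in evaluate_line(line)]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOGS.splitlines()):
        print(finding)
```

Run against the constructed sample, the first line produces two findings (a Tor exit node reaching an internal RDP port), the jump-host line produces none, and the final denied line is still reported so that blocked Tor exit-node probing remains visible to the SOC.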
4. Indicators of Compromise
Hashes related to the DarkSide ransomware attack