DHS CISA, FBI Alert to DarkSide Ransomware, After Pipeline Attack

May 12, 2021 - Several days after the DarkSide ransomware attack against the US critical infrastructure pipeline company, the Department of Homeland Security Cybersecurity and Infrastructure Security Agency and the FBI are urging entities to shore up their security defenses.

On May 7, a cyberattack on Houston-based Colonial Pipeline forced its computerized equipment offline, which has since temporarily disrupted 5,550 miles of its fuel supply chain in the southeast. The FBI confirmed the DarkSide ransomware group was behind the attack, which could impact fuel costs and cause gas shortages.

DarkSide first appeared just nine months ago and have quickly made an impact. Developed by Russian-backed threat actors, the variant is highly customized and designed to target large corporations, particularly those in technology, finance, and manufacturing sectors.

CISA confirms the threat is Ransomware-as-a-Service, meaning it’s sold to other nefarious actors for use in their own attacks, as long as the developers receive a large percentage of any profits.

According to Flashpoint, there’s strong evidence from its code to suggest DarkSide is an offshoot of REvil: a ransomware leader that’s strongly targeted the healthcare sector in the past (and as recently as February).

The average ransom demands range widely from $200,000 to $2 million, depending on the size of the organization and other factors. When victims refuse to pay, the threat actors promptly post the stolen data on publicly visible websites.

“DarkSide uses Salsa20 and RSA-1024 to encrypt victims’ files on Windows OS. It also allegedly comes in a version for Linux, although no samples are publicly available,” Flashpoint researchers explained.

“The Linux version is said to be written in C++ and to use ChaCha20 and RSA-4096 for file encryption,” they added. “Various industry reports suggest that the ransomware not only encrypts victims data, but also propagates laterally on the network and steals sensitive information from affected machines.”

Given the potential impact of DarkSide against critical infrastructure entities, the FBI and CISA are urging those entities to adopt a heightened state of awareness and implement recommended mitigations to bolster the security of the enterprise.

Those recommendations include employing robust network segmentation between IT and OT networks, regularly testing manual controls, and ensuring offline backups are implemented, routinely tested, and isolated from network connections.

Further recommendations include implementing multi-factor authentication for remote access to OT and IT networks, enabling spam filters to prevent phishing emails from reaching the inbox, and employing user training programs and simulated attacks to defend against spear-phishing.

Network traffic should be filtered to prohibit any communication between known malicious IP addresses, as well as to prevent users from accessing malicious websites through URL blocks and or allow lists.

Entities need strong patch management policies for operating systems, applications and IT network asset firmware, to ensure software updates are applied in a timely manner. A risk-based strategy can allow entities to determine the assets for which to focus these efforts.

Administrators should disable macro scripts from Microsoft Office files sent through email, while considering using Office Viewer software. Those leaders should also employ allow-listing, which only restricts systems from executing programs unknown or unpermitted by security policies.

“Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular internet browsers or compression/decompression programs, including the AppData/LocalAppData folder,” CISA recommended.

“Monitor and/or block inbound connections from Tor exit nodes and other anonymization services to IP addresses and ports for which external connections are not expected (i.e., other than VPN gateways, mail ports, web ports),” they added.

In doing so, these entities can improve their cyber resilience and simultaneously reduce their vulnerability to ransomware, as well as the risk of severe business degradation if an attack breaks through defenses.

It should be noted that the group prefers to target larger organizations that can afford to pay large ransom demands and not those like hospitals and governments. However, previous criminal groups have made similar promises, only to break them.

Not to mention, reports show the group did not intend to disrupt the supply chain with its pipeline attack -- they were just seeking a large payout. And as seen with the SolarWinds supply chain attack, victims can accumulate even when they’re not the targeted organization.