We still don’t know much about the attacks that crippled Colonial Pipeline. But we do know a lot about Darkside, the ransomware group that is responsible for it, what weaknesses they exploit, and how defenders can keep them at bay.
The Federal Bureau of Investigation (FBI) on Monday confirmed reports that the Darkside ransomware is responsible for the disruption at Colonial, which has halted delivery of oil and gas from the U.S. Gulf Coast refineries to the Northeast of the country. The attribution followed public reports, citing unnamed sources that pointed to the group. The Bureau said it continues to work with the company on the investigation. CISA, the government’s lead cybersecurity agency, is also playing a role in the government’s response, though controversy has erupted over delays in CISA learning about the incident and Colonial’s failure to involve that agency directly.
Darkside is Ransomware-as-a-Corporation
What do we know about Darkside? The ransomware-for-hire gang first announced itself, via a press release, in August 2020 and appears to operate out of Russia or one of the former Soviet bloc countries. (For example, Darkside operators participate in Russian language cybercrime forums. Also, analysis of the Darkside ransomware shows that it filters for computers configured to use Russian and does not infect them.)
The group made headlines for its “corporate” approach to the ransom business, which some have dubbed “Ransomware as a Corporation.” That includes an affiliate business model built around Darkside’s malware and substantial support infrastructure, plus public-facing promotional efforts aimed at the cyber underground and the broader public: press releases, ransoms calibrated to the wealth of its victims, and Robin Hood-like promises to donate criminal proceeds to charity and to steer clear of attacking schools and hospitals.
For Defenders: More of the Same
From a defender’s point of view, however, Darkside is more of the same when compared against other prominent ransomware-as-a-service operations like Maze. Analysis by security experts, for example, suggests that the Darkside code shares some features with the REvil and GandCrab ransomware. Prior research by security firms such as Varonis and Cybereason also paints Darkside as a typical ransomware-as-a-service (RaaS) operation with an interest in wealthy firms and a well-defined attack playbook. That includes concerted efforts to avoid detection via “live off the land” techniques and efforts to compromise domain controllers within victim environments.
Darkside’s initial attack vectors for organizations are also nothing new. Varonis notes that the Darkside group targets vulnerable, public-facing servers, enabling remote desktop protocol (RDP) for long-term access. Darkside criminals have also been seen leveraging compromised contractor accounts and Virtual Desktop Infrastructure (VDI), which has grown more common as COVID has prompted millions of employees to work from home. RDP running over port 443 and, often, Cobalt Strike are used to facilitate command and control (C2) of the compromised environment.
The group also makes use of common dual-use and post-exploitation tools like advanced_ip_scanner.exe, psexec, and Mimikatz, according to Varonis. Once again, critical control infrastructure like Active Directory is the target. Varonis notes that Darkside grabs Kerberos ticket requests and NTLM connections from initially compromised hosts to gain access to additional systems and accounts. The Active Directory reconnaissance tool ADRecon.ps1 is then used to gather detailed information about users, groups, and privileges. (Read our post Worried About Human Operated Ransomware? Stop Using NTLM, Start Validating Kerberos for more on the link between successful ransomware campaigns and the use of the aging and insecure NTLM protocol.)
A Human-Operated Ransomware Playbook
Large point headlines aside, Darkside is a classic example of sophisticated, human-directed ransomware at work. These campaigns use purpose-built open-source tools to perform automated exploitation and credential extraction. More subtle, human-directed operations leverage that access to move laterally, elevating privileges and expanding access to sensitive assets such as domain controllers.
Typically, these groups persist on compromised networks by creating new accounts in sensitive groups, scheduling tasks, and/or registering new services. In addition to the deployment of encrypting ransomware, data stolen from the victim organization is posted on so-called “dox” websites to increase leverage on target organizations, a “double extortion” campaign.
The Colonial Pipeline attack may seem like a drastic escalation of the ransomware problem, but it is really another data point in a long-running wave of targeted, human-directed campaigns. The message for companies worried that they might be the next Colonial is simple enough: limit the exposure of employees, contractors and external-facing assets to stem initial incursions. Guidance from the OT-ISAC encourages firms to monitor for attacks on privileged accounts, including lockout after a specified number of failed attempts, to log login attempts, and to monitor for suspicious account behavior. Finally: secure critical control infrastructure, including Active Directory and Kerberos, which are the focus of attackers once they’re inside.
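As an added example (not code from the original post or from QOMPLX), the monitoring guidance above and the persistence techniques described earlier expressed as detection checks over constructed Windows Security event records. The event dict layout, the list of privileged groups and the failed-logon threshold are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Assumed values for illustration: groups treated as privileged, and a
# lockout-style threshold of failed logons inside a sliding time window.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(minutes=10)
# Constructed sample events (not real telemetry), normalised as a SIEM might.
# 4625 = failed logon, 4732 = member added to a local group, 4698 = scheduled
# task created, 7045 = new service installed (System log). A burst of failures
# hits a service account, a user fails twice hours apart, then persistence steps.
SAMPLE_EVENTS = [
    {"ts": f"2021-05-07T02:0{i}:00", "id": 4625, "user": "svc_backup"} for i in range(5)
] + [
    {"ts": "2021-05-07T03:00:00", "id": 4625, "user": "jdoe"},
    {"ts": "2021-05-07T09:15:00", "id": 4625, "user": "jdoe"},
    {"ts": "2021-05-07T02:20:00", "id": 4732, "actor": "contractor1",
     "user": "svc_backup", "group": "Administrators"},
    {"ts": "2021-05-07T02:21:00", "id": 4698, "actor": "contractor1", "task": "\\Updater"},
    {"ts": "2021-05-07T02:22:00", "id": 7045, "service": "WinHelper",
     "path": "C:\\Windows\\Temp\\helper.exe"},
]

def failed_logon_bursts(events, threshold=FAILED_LOGON_THRESHOLD, window=FAILED_LOGON_WINDOW):
    """Return {account: peak failures inside one window} for accounts at or over threshold."""
    times = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            times[e["user"]].append(datetime.fromisoformat(e["ts"]))
    hits = {}
    for user, ts in times.items():
        ts.sort()
        best = j = 0
        for i in range(len(ts)):           # sliding window over sorted timestamps
            while j < len(ts) and ts[j] - ts[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            hits[user] = best
    return hits

def persistence_alerts(events):
    """Flag privileged-group additions, new scheduled tasks and newly registered services."""
    alerts = []
    for e in events:
        if e["id"] in (4728, 4732) and e.get("group") in PRIVILEGED_GROUPS:
            alerts.append(f"{e['actor']} added {e['user']} to {e['group']}")
        elif e["id"] == 4698:
            alerts.append(f"{e['actor']} created scheduled task {e['task']}")
        elif e["id"] == 7045:
            alerts.append(f"new service {e['service']} installed from {e['path']}")
    return alerts
```

On the sample data the burst check flags only svc_backup (five failures within ten minutes) and the persistence check raises three alerts, one per step the attacker took.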
Need Help with Active Directory Attacks and Mitigating Other Threats?
Use the following form to request more information about QOMPLX detection of human-operated/ human-directed ransomware campaigns and other threats to your organization.