How does the group that attacked the Colonial Pipeline act?

We explain how the group that attacked Colonial Pipeline operates; 13% of the victims were Brazilian companies

In recent days, the whole world has heard about the group that attacked Colonial Pipeline: the DarkSide Ransomware Group. Its attacks on large companies have added up to around US$90 million in Bitcoin, with at least 47 companies hit in the last nine months. In May, Colonial Pipeline and Grupo Moura (the latter a Brazilian company) were attacked by means of a ransomware different from anything recorded so far. It is a highly customizable strain.


First reports of attack by group that attacked Colonial Pipeline

The first report of a DarkSide Ransomware attack is from August 10, 2020, and already carried the information that the ransomware was highly personalised, and that lucrative payouts, worth millions of dollars, were coming from large corporate targets in the finance, technology and manufacturing sectors. That same day, the group launched the associated DarkSide website on the Tor network, which is also a platform that functions as a Ransomware-As-A-Service (RaaS). Profit is shared between the owners and partners or affiliates.

How do the attacks work?

Several industry reports suggest that the ransomware not only encrypts victims' data, but also spreads laterally on the network and steals confidential information from the affected machines. If victims refuse to pay, their data will be publicly posted on DarkSide's Tor website and offered for download.

While there is no publicly available information on the infection vector, since the attacks are highly targeted, compromised Remote Desktop Protocol (RDP) servers and custom phishing attacks are two highly plausible options.

The first DarkSide ransomware attacks were all owner-operated. After a few successful months, operations expanded. On November 10, the DarkSide operators announced on the Russian-language XSS and Exploit forums the formation of their new DarkSide affiliate program, providing partners with a modified form of their DarkSide ransomware.

The group that attacked Colonial Pipeline, DarkSide, uses Salsa20 and RSA-1024 to encrypt victims' files on the Windows operating system. A Linux version is also reported to exist, although no samples are publicly available. The Linux version is written in C++ and uses ChaCha20 and RSA-4096 to encrypt files.

MITRE ATT&CK - tactics and techniques

The following are the MITRE ATT&CK tactics and techniques associated with DarkSide.


Colonial Pipeline and Moura Group

In May 2021, the group returned to the headlines following the attack on Colonial Pipeline, the victim of a DarkSide ransomware attack. The action led to the voluntary shutdown of the main pipeline, which supplied 45% of the fuel to the US East Coast. The attack has been described as the worst cyberattack to date on America's critical infrastructure.

On May 12, 2021, the Moura Group confirmed to the website that it had suffered a cyber attack that hit its servers.

On their dark web leak site, the criminals published the logo of Grupo Moura and some information about the attack. Initially, they stated that the attack happened on April 16 and that personal data of clients, contracts, agreements, blueprints and information about the company's activities had been obtained, totalling 400 GB of files. The data began to be published on April 20, in zipped files of 40 GB each. On that day alone six 40 GB batches were published; another batch followed on the 30th and another on May 1st.

The Moura Group sent the following note of clarification to the press: "The Moura Group confirms that it was the victim of an offensive against its internal servers, which resulted in the disclosure of data supposedly attributed to the enterprise. We are taking the necessary measures to strengthen all information security protocols. The disclosed data is being analysed so that the appropriate measures can follow. Even with the attack, the company's manufacturing and distribution operations were not affected." Asked about the value of the ransom demanded, the company replied that "informing values demanded by the criminals or any other additional information could compromise the ongoing investigations".

Mitigation

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) recommend that CI (critical infrastructure) owners and operators apply the following mitigations to reduce the risk of compromise by ransomware attacks.

  • Require multi-factor authentication for remote access to OT (Operational Technology) and IT (Information Technology) networks;
  • Enable strong spam filters to prevent phishing emails from reaching end users. Filter emails containing executable files so they do not reach end users;
  • Implement a program of user training and mock spear phishing attacks to discourage users from visiting malicious sites or opening malicious attachments, and to reinforce appropriate user responses to spear phishing emails;
  • Filter network traffic to prohibit inbound and outbound communications with known malicious IP addresses. Prevent users from accessing malicious websites by implementing URL block lists and/or allow lists;
  • Update software, including operating systems, applications and firmware on IT network assets, in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program;
  • Limit access to resources on networks, especially by restricting RDP. After assessing the risks, if RDP is deemed operationally necessary, restrict the originating sources and require multi-factor authentication;
  • Configure antivirus / anti-malware programs to perform regular scans of IT network assets using up-to-date signatures. Use a risk-based asset inventory strategy to determine how OT network assets are identified and assessed for the presence of malware;
  • Implement unauthorised execution prevention:
    1. Disable macro scripting in emailed Microsoft Office files. Consider using Office Viewer software to open emailed Microsoft Office files instead of the full Microsoft Office suite applications;
    2. Implement application allow listing, which only lets systems run programs known to and permitted by security policy. Implement software restriction policies (SRPs) or other controls to prevent programs from running in common ransomware locations, such as the temporary folders used by popular web browsers or compression/decompression programs, including the AppData/LocalAppData folder;
    3. Monitor and/or block inbound connections from Tor exit nodes and other anonymity services to IP addresses and ports for which external connections are not expected (i.e. other than VPN gateways, mail ports, web ports);
    4. Deploy signatures to detect and/or block inbound connections from Cobalt Strike servers and other post-exploitation tools.

CISA and the FBI recommend that CI owners and operators apply the following mitigations now to reduce the risk of serious business or functional degradation should their CI entity fall victim to a ransomware attack in the future:

  • Implement and ensure robust network segmentation between the IT and OT networks to limit adversaries' ability to pivot to the OT network, even if the IT network is compromised. Define a demilitarised zone that eliminates unregulated communication between the IT and OT networks;
  • Organize OT assets into logical zones, taking into account criticality, consequences and operational need. Define acceptable communication conduits between zones and implement security controls to filter network traffic and monitor communications between zones. Prohibit industrial control system (ICS) protocols from traversing the IT network;
  • Identify OT and IT network interdependencies and develop workarounds or manual controls to ensure ICS networks can be isolated if connections create risk to the safe and reliable operation of OT processes. Regularly test contingency plans, such as manual controls, so that critical safety functions can be maintained during a cyber incident. Ensure that the OT network can operate at the required capacity, even if the IT network is compromised;
  • Regularly test manual controls so that critical functions can be kept running if ICS or OT networks need to be taken offline;
  • Implement regular data backup procedures on the IT and OT networks. Backup procedures should be performed frequently and regularly. Data backup procedures should also address the following recommended practices:
    1. Make sure that the backups are tested regularly;
    2. Store your backups separately. Backups should be isolated from network connections that could allow the spread of ransomware. It is important that backups are kept offline, as many ransomware variants attempt to find and encrypt or delete accessible backups. Keeping current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems to their previous state. The recommended practice is to store your backups on a separate device that cannot be accessed from a network, such as on an external hard drive;
    3. Maintain regularly updated "golden images" of critical systems in case they need to be rebuilt. This involves maintaining image "templates" that include a pre-configured operating system (OS) and associated software applications that can be rapidly deployed to rebuild a system, such as a virtual machine or server;
    4. Retain backup hardware to rebuild systems if rebuilding the primary system is not preferable. Hardware newer or older than the primary system may present installation or compatibility obstacles when rebuilding from images;
    5. Store source code or executables. It is more efficient to rebuild from system images, but some images will not install on different hardware or platforms correctly; having separate access to the necessary software will help in these cases.
  • Ensure user accounts and processes are limited through account usage policies, user account control and privileged account management. Organise access rights based on the principles of least privilege and separation of duties.

If your organisation is affected by a ransomware incident, CISA and the FBI recommend the following actions:

  • Isolate the infected system. Remove the infected system from all networks and disable the computer's wireless connection, Bluetooth and any other potential network features. Ensure all shared and networked drives are disconnected, whether wired or wireless;
  • Disconnect other computers and devices. Shut down and separate (i.e. remove from the network) the infected computer(s). Shut down and separate all other computers or devices that shared a network with the infected computer(s) that were not fully encrypted by the ransomware. If possible, gather and secure all infected and potentially infected computers and devices in a central location, making sure to clearly label all computers that have been encrypted. Shutting down and segregating infected computers and computers that have not been fully encrypted may allow experts to recover partially encrypted files;
  • Protect your backups. Make sure your backup data is offline and secure. If possible, scan your backup data with an antivirus program to verify that it is free of malware.


Sources:

https://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/

https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin

https://us-cert.cisa.gov/ncas/alerts/aa21-131a

https://www.cisoadvisor.com.br/grupo-moura-e-vitima-do-ransomware-darkside/

By Flavio Pereira Nogueirão