This weekend’s news about the Colonial Pipeline attack leaves many IT and Security practitioners asking – “if this doesn’t clearly show that we are currently in a security crisis, what will?”
On Friday, May 7th, Colonial Pipeline disclosed that they had taken key IT systems offline due to a security incident. The FBI has confirmed that the DarkSide Ransomware Group is behind the incident. DarkSide is part of a growing group of ransomware-as-a-service (RaaS) providers taking aspects of what we expect from legitimate industry and bringing them to the front lines of cyberattacks. On a post on their website, DarkSide has tried to soften their image, stating, “it’s an apolitical organization and only wants to make money without causing problems for society.”
But these attacks undoubtedly cause problems for society and impact every sector of the economy. Aside from triggering a jump in gasoline futures to the highest level they have been since 2018 and forcing 18 states to declare a state of emergency, it lays plain the reality of our current situation in cybersecurity – it is open season for bad actors on legitimate businesses – a sobering reality check for many organizations, especially in light of the continually increasing spending on security tools.
What is Ransomware-as-a-Service (RaaS)?
The RaaS model allows affiliates to use pre-developed ransomware tools to execute attacks. Their affiliates then earn a percentage of each successful ransomware payment. This significantly lowers the bar for technical expertise required to execute an attack. The combination of easy deployment and the affiliate earning up to 80% of each ransom payment means it has been easier and more lucrative to leverage ransomware as part of an attack.
In 2019, ransomware attacks generated $7.5 billion from victims in the US alone, according to Emsisoft. That’s a big business. So, it’s not too surprising that groups like DarkSide are trying to treat it as such. There are a lot of articles talking about this commercialization of ransomware, but for a great overview check out this article by Tripwire.
What Does a DarkSide Attack Typically Look Like?
Although we don’t have many details yet from the Colonial Pipeline attack, we do know how DarkSide typically operates. The hallmark of their attacks is that they do extensive research on their targets and are mainly interested in large corporations.
DarkSide has two main goals to accomplish when they infiltrate a victim organization:
-
Move laterally through the network and exfiltrate sensitive data
-
Encrypt data on critical systems to lock users out
Once these two goals are accomplished, DarkSide will typically provide a ransom note to the victim organization with a ransom demand in the 6-8 figure range in Bitcoin. In these ransom notes, DarkSide will threaten to leak the sensitive files stolen from the victim’s network on their DarkWeb public leak site if the ransom demands are not met.
Based on previous attacks, DarkSide has followed through on extortion threats, publishing stolen files from victim organizations on their “DarkSide Leaks” DarkWeb website. One thing to note about the Colonial Pipeline incident is that Arctic Wolf has not observed a post made on the DarkSide Leaks website related to Colonial Pipeline.
Addressing the Crisis
“By the time you get your ransomware note, it’s often too late. You are forced to make some hard decisions – pay, or start rebuilding. It’s painfully obvious that the best option is to avoid being in this situation entirely.”
–Mark Manglicmot, Vice President Security Services
Arctic Wolf has been monitoring the tactics, techniques, and procedures (TTPs) associated with the DarkSide Group over the past year and has multiple detections in place to identify and alert on DarkSide activity. As we learn more about this specific attack, we will continue to update these detections. This ensures that Arctic Wolf is in a strong position to detect these type of ransomware attacks earlier on in the cyber kill chain before they have a chance to steal sensitive files and lock systems.
If you’ve been following our posts on the Microsoft Exchange Server Vulnerabilities, patching is equally critical to stopping ransomware activity before it happens. DearCry came within weeks of the first set of vulnerabilities, self-propagating and targeting anyone behind on their patching program. It is no wonder why organizations with a vulnerability management program suffer 80% fewer breaches than ones without, according to Gartner.
Most alarming is that 90% of cyberattacks target employees, making them a key attack surface for ransomware. We must work with our employees on an ongoing basis to ensure they are aware of social engineering tactics and how to avoid becoming the victim of a successful phish or scam.
To end this crisis, we need to address these underlying issues. As the bar to execute an attack lowers, so too must the bar for entry for organizations into high-functioning, world-class security operations that can help protect against the disruption of attacks such as ransomware. It has to be easier for you to protect your organization than for a malicious actor to attack it.
At Arctic Wolf, it is our mission to make security operations accessible to organizations of any size and help them in their efforts to reduce and end cyber risk.
