{"id":6336,"date":"2021-05-13T19:09:53","date_gmt":"2021-05-14T02:09:53","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6336"},"modified":"2024-04-26T13:20:41","modified_gmt":"2024-04-26T20:20:41","slug":"cyber-threat-advisory-darkside-ransomware-attack-on-colonial-pipeline","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/cyber-threat-advisory-darkside-ransomware-attack-on-colonial-pipeline\/","title":{"rendered":"Cyber Threat Advisory: DarkSide Ransomware Attack on Colonial Pipeline"},"content":{"rendered":"

Author: Yadu Nadh<\/h3>\n

TLP: WHITE<\/h3>\n

 <\/p>\n

1. Executive Summary<\/h3>\n

On 11 May, the Cybersecurity and Infrastructure Security Agency (CISA) published analytic report AA21-131A,1<\/sup> which detailed a ransomware attack on the Colonial Pipeline, an important infrastructure entity in the U.S. In this attack, the threat actor(s) deployed DarkSide ransomware against the pipeline company\u2019s critical IT infrastructure, causing the company to take the precautionary measure of shutting down 5,550 miles of the pipeline, which left fuel stranded on the Gulf Coast.2<\/sup><\/p>\n

Although first observed in the wild in August 2020, DarkSide ransomware officially appeared on XSS, a popular Russian-language hacker forum in November 2020.3<\/sup> Infoblox has observed and can confirm this activity since early 2021.<\/p>\n

DarkSide is a ransomware-as-a-service (RaaS), where the threat actors who deploy the ransomware, also known as \u201caffiliates,\u201d share a portion of the profits with the developers. Threat actors use DarkSide to encrypt and steal sensitive data, and have been known to target large, high-revenue organizations that can afford to pay large ransoms versus hospitals, schools, governments, etc.<\/p>\n

Once the DarkSide actors gain access to a victim\u2019s network, they deploy the ransomware to encrypt and exfiltrate sensitive data. The actors then use a double extortion method where they threaten to publicly release this data to pressure the victims into paying the ransom demand, as well as demand another ransom for a digital key to decrypt their files.<\/p>\n

2. Analysis<\/h3>\n

DarkSide affiliates have been known to use a variety of strategies to gain initial access to networks such as brute-force attacks, spam campaigns, credentials purchased from underground forums, or by exploiting vulnerable software such as Remote Desktop Web (RDWeb), Remote Desktop Protocol (RDP) or Citrix. Actors have also purchased access to popular botnets, including Dridex, Trickbot and Zloader.<\/p>\n

The DarkSide attackers establish communication with a command and control (C&C) system using an RDP that runs over a TOR network. As a secondary C&C communication method, the attackers used Cobalt Strike and other post-exploitation tools. Threat actors associated with DarkSide have also been known to use additional tools such as Metasploit, Mimikatz and BloodHound.<\/p>\n

DarkSide uses a \u201cliving off the land\u201d (LotL) tactic,4<\/sup> but researchers at Varonis observed the ransomware also scanning for networks, running commands, dumping processes, and stealing credentials. It will use Salsa20 encryption with an RSA-1024 public key to encrypt files on both fixed and removable hardware, as well as on network devices.5<\/sup> This malware also specifically creates executables and extensions to evade signature-based detection mechanisms.<\/p>\n

On execution, DarkSide copies itself to the path \u201c%Temp%\u201d and injects its code into an existing process. It will dynamically load its libraries to avoid detection by an antivirus (AV) or an endpoint detection and response (EDR) solution, as well as stop running if it observes any indication that it is being run in a virtual machine.6<\/sup><\/p>\n

3. Prevention and Mitigation<\/h3>\n

CISA urges critical infrastructure owners and operators to apply the following mitigations to reduce the risk of compromise by ransomware attacks:<\/p>\n