How to detect and respond to DarkSide Ransomware attack

Jon Goldman
4 min read · May 17, 2021
Darkside ransomware SandBlast Forensics report

Quick summary

The operator of the nation’s largest gasoline pipeline — hit earlier this week by ransomware attack — announced Saturday it has resumed “normal operations”. Georgia-based Colonial Pipeline had begun the process of restarting the pipeline’s operations on Wednesday evening, warning it could take several days for the supply chain to return to normal.

Gas shortages, which spread from the South, all but emptying stations in Washington, D.C., have been improving but it is still going to take a lot of work for things to get back to normal.

The ransom — 75 Bitcoin — was paid last Saturday, a day after the criminals locked up Colonial’s corporate network, according to Tom Robinson, co-founder of the crypto tracking firm Elliptic.

The World Economic Forum outlined, at a high level, the 6 ways to act now to prevent another attack of this type (see https://www.weforum.org/agenda/2021/05/oil-gas-cybersecurity-ransomware-colonial-pipeline/), but that is not what we will talk about in this article.

Briefly about DarkSide group

The DarkSide group is very aggressive when it comes to pressuring its victims to pay the ransom. They try different techniques, and if none of them work, they also threaten to launch a DDoS attack. On Tuesday, FireEye researchers documented five separate clusters of activity suspected of being connected to DarkSide, the Ransomware-as-a-Service (RaaS) network responsible for the Colonial Pipeline security incident. Ransomware is one of the biggest threats to enterprise cybersecurity, and it continues to grow. In Q3 2020 alone, ransomware attacks increased by 50% worldwide compared to the previous quarter. One of the biggest drivers behind ransomware’s continued success is the adoption of Ransomware as a Service (RaaS), a ransomware distribution model similar to cloud-based “as a Service” offerings, where a provider maintains infrastructure or services and sells access to them to customers.

Let’s briefly go over a practical approach to detecting and preventing ransomware at the initial stage, without waiting 5–10 minutes for a sandboxing solution to create a signature and then stop it; by then it could be game over if the ransomware is using the DarkSide tool set:

  • PowerShell: for reconnaissance and persistence
  • Metasploit Framework: for reconnaissance
  • Mimikatz: for reconnaissance
  • BloodHound: for reconnaissance
  • Cobalt Strike: for installation
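As an added illustration (not code from the original post or from Check Point), the small Python detector below scans constructed process-creation records and maps each hit to the tool and kill-chain stage from the list above. The record format and the command-line markers are assumptions for demonstration, not a vendor signature set.

```python
import re
from typing import Dict, List, Tuple

# Tool set from the post, with the stage it is used for. The regexes are
# illustrative, widely documented command-line markers (an assumption here),
# not a complete or vendor-grade signature set.
TOOL_PATTERNS: Dict[str, Tuple[str, str]] = {
    "PowerShell":    ("reconnaissance/persistence",
                      r"powershell(?:\.exe)?.*(?:-enc(?:odedcommand)?\b|-nop\b|downloadstring)"),
    "Mimikatz":      ("reconnaissance", r"mimikatz|sekurlsa::|lsadump::"),
    "BloodHound":    ("reconnaissance", r"sharphound|invoke-bloodhound|bloodhound"),
    "Metasploit":    ("reconnaissance", r"meterpreter|msfvenom|msfconsole"),
    "Cobalt Strike": ("installation", r"beacon\.dll|cobaltstrike"),
}
COMPILED = {tool: (stage, re.compile(rx, re.IGNORECASE))
            for tool, (stage, rx) in TOOL_PATTERNS.items()}


def classify_event(command_line: str) -> List[dict]:
    """Return one finding per tool whose markers appear in a process command line."""
    return [{"tool": tool, "stage": stage}
            for tool, (stage, rx) in COMPILED.items() if rx.search(command_line)]


def scan_log(records: List[str]) -> List[dict]:
    """Scan 'host|user|command_line' records (constructed format) and return alerts."""
    alerts = []
    for raw in records:
        host, user, cmd = raw.split("|", 2)
        for finding in classify_event(cmd):
            alerts.append({"host": host, "user": user, "command_line": cmd, **finding})
    return alerts


# Constructed sample events, not real telemetry. The -enc payload is "echo hi"
# as UTF-16LE base64, so the sample is harmless.
SAMPLE_LOG = [
    "WKS01|alice|C:\\Windows\\System32\\notepad.exe C:\\Users\\alice\\notes.txt",
    "WKS01|alice|powershell.exe -nop -w hidden -enc ZQBjAGgAbwAgAGgAaQA=",
    "SRV02|svc_backup|C:\\Temp\\m.exe privilege::debug sekurlsa::logonpasswords",
    "SRV02|svc_backup|SharpHound.exe -c All --outputdirectory C:\\Temp",
    "DC01|admin|rundll32.exe C:\\ProgramData\\beacon.dll,StartW",
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"[{a['stage']:>28}] {a['host']}/{a['user']}: {a['tool']} <- {a['command_line']}")
```

Each alert carries the stage, so a SOAR playbook can escalate differently for a reconnaissance hit than for an installation hit on the same host.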

Prevention of DarkSide group ransomware

Check Point customers are protected in the Cloud, on the Endpoint, at any IoT perimeter and Network perimeter from this threat using these built-in technologies:

  • TE (Threat Emulation) and TX (Threat Extraction) stop any malicious macro-embedded documents or ransomware files at the initial entry point, without having to create a signature for them.
  • Anti-Bot and Behavioral Anti-Virus protection detects and stops any C2 infrastructure communications, as well as the deployment of any command-line tools, with Behavioural AV.
  • Harmony Endpoint uses built-in Anti-Ransomware and Behavioral Guard technologies to stop the ransomware before it installs additional hooks or makes Windows API calls, and creates a graphical forensics report.
  • InfinitySOC (tracks Twitter feeds, Google, forums, etc.) + Siemplify SOAR playbooks use IoC integrations and integrations with any third-party security solution.
  • Quantum NGFW gateways can deliver up to 1.5 Tbps of threat prevention performance and scale on demand to protect any network perimeter, whether in the Cloud, a branch office or a data center, on-premises.
This is a good old Cyber kill chain mapping, still relevant to this day.

InfinitySOC dashboard main view

Siemplify SOAR playbook flow

If you think you have been impacted, you could contact the Check Point Incident Response toll-free hotline:

United States: +1(866)923–0907 (US & Canada are the same number)

Email address for events that are not time critical:

emergency-response@checkpoint.com

Several researchers have identified DarkSide ransomware TTPs and published them on CISA’s site and on FireEye’s blog:

Indicators of Compromise

From the endpoint security defense perspective, these are the areas where you want your solution to have proper protections:
