Friday, May 14, 2021

Trusted Internet regarding the Colonial Pipeline Hack

On May 10, the FBI announced that on Friday, May 7, a group known as DarkSide was responsible for a ransomware attack that effectively shut down the operation of the Colonial Pipeline. This morning, it was reported that Colonial Pipeline paid $5 million in ransom to restore operations.

DarkSide’s team is considered relatively professional and organized. The group even has a dedicated phone number and a helpdesk to facilitate negotiations with its victims. DarkSide has traditionally presented itself as quite meticulous in using this process to collect information from the victim so that it only uses its ransomware on the “right targets.” This stems from the claim that DarkSide is only interested in extorting large for-profit businesses, and it has even attempted to donate a portion of its earnings to various charities. Further analysis of the group’s historic attacks shows that only western, English-speaking companies have been targeted, with a mandate to exempt companies in former Soviet states grouped under the Commonwealth of Independent States (CIS) coalition, including Georgia and Ukraine, hinting at the origins of the group.

DarkSide is a relatively new actor that presents itself as an independent for-profit group following the RaaS (ransomware-as-a-service) model, touting new ransomware, DarkSide 2.0, equipped with the “fastest encryption speed on the market.” Along with conducting its own ransomware operations, the group also markets and sells its software and tools to other hacking groups.
 
DarkSide 2.0 features multithreading in both its Windows and Linux versions. The Linux version of the ransomware can now target VMware ESXi vulnerabilities, meaning it can hijack virtual machines and encrypt their virtual hard drives, and it also targets network-attached storage (NAS) devices, including Synology and OMV. A unique feature of the DarkSide ransomware is that it targets domain controllers, which puts the entire network environment at risk.

What have we done about it, and is your company at risk?

Trusted Internet utilizes a defense-in-depth approach to protect our clients from ransomware attacks such as DarkSide. Trusted Internet’s cybersecurity solution detects and prevents ransomware deployment from several angles:
  • As information has become available, Trusted Internet has been combing our logs for indicators of DarkSide activity.
  • While we participate in several of the larger information-sharing communities, any intelligence offered has been validated before being loaded into firewalls and endpoint solutions.
  • We remain vigilant for updates on other kinds of pre-ransomware attacks, including loaders, installers, and dormant code.
  • Lastly, we have been working with our security vendors to ensure the latest indicators are loaded, in an effort to keep our customers safe and free of ransomware.
Our 24/7 Security Operations Center monitors both next-generation firewalls and our Secure Workstation endpoint software to protect your corporate network and devices. These systems are specifically designed to prevent this type of attack and others. To keep up with the ever-evolving threat landscape, our internal systems and deployed equipment and software are constantly updated in real time with the latest threat intelligence to stay ahead of malicious actors and malware.

From an Intelligence and Analysis perspective, we continue to monitor the situation. We receive intelligence from dozens of high-quality, reliable sources and will update your firewalls with any additional information as it is received and validated.
 
In the meantime, if you are a Trusted Internet Cyber Security client, you are already protected. If you are interested in establishing cybersecurity services to secure your network, Trusted Internet can assist immediately.

If you're concerned or have had a problem or breach, please contact Trusted Internet to speak with a Virtual CISO® today. 

Contact our 24/7 Security Operations Center at 800-853-6431, or staysafeonline@trustedinternet.io.

www.trustedinternet.io