DarkSide Ransomware Targets US Critical Infrastructure
DarkSide Ransomware interrupted operations at Colonial Pipeline, which provides 45% of the fuel supply for the eastern seaboard of the US.
DarkSide Ransomware Behind Colonial Pipeline Hack
Colonial Pipeline provides 45% of the fuel supply of the eastern seaboard of the USA. Early Saturday, reports surfaced that the Oil and Gas behemoth had temporarily stopped operations of their fuel transport service due to a cyber security breach.
Colonial responded by announcing it was the victim of a targeted ransomware campaign. Although the situation is evolving, reports are coalescing around the organization DarkSide as the source of this security breach.
What is DarkSide?
DarkSide is a highly coordinated team of cyber criminals who use their offensive security expertise to extort organizations for profit by infecting corporate networks with ransomware.
Ransomware is a form of malware that infects computers and then encrypts the data on them, locking the owner out of their own property. Once the data is encrypted, the attacker sends a ransom note to the owner of the infected property. Generally, ransom demands are expected to be paid in Bitcoin, and if the owner of the affected assets is a large company, the ransom demand can range up to millions of dollars worth of Bitcoin.
How Ransomware Attacks Start
Many ransomware attacks start with a simple phishing scam. An unsuspecting user opens a malicious email and clicks a link that infects their computer with the malware. The malware then attempts to reach additional resources until it has access to a large part of the organization.
Once the malware has infected a wide scope of the company, it triggers its payload and locks down access to the assets it has infected. Although details are still murky around the Colonial Pipeline breach, we do know a fair bit about how DarkSide has deployed its malware in the past, and it is much more complex than a standard phishing campaign.
What We Know About the DarkSide Ransomware Group
DarkSide has made a name for itself by performing complex breaches of target networks to deliver malware. It does this by running automated vulnerability scans against potential victims before selecting a target.
Once a potential target is found, the team at DarkSide then performs a more thorough audit of the victim's network, looking for specific vulnerabilities to exploit. If the team finds a viable exploit, it uses that exploit to deliver its malware to the target's network.
Adding insult to injury, DarkSide does not just encrypt corporate data; it also copies the target's data to servers operated by DarkSide. If the target then chooses to restore its data through its own disaster recovery process rather than pay DarkSide, DarkSide releases the sensitive corporate data to the public.
This added layer of criminal extortion has forced the hands of multiple companies and has made the DarkSide approach extremely lucrative for the criminal group.
The Latest with the Colonial Pipeline Hack
On Saturday, Colonial Pipeline reported that they were breached by a ransomware attack. Cyber security experts close to the event informed the media that the company was targeted by DarkSide.
Even though Colonial reported the issue on Saturday, there is reason to believe that DarkSide may have been on their network for significantly longer. Multiple government agencies are now investigating the breach as Colonial works to repair their damaged environments.
Recovering from a ransomware attack like DarkSide can be a complex and difficult process. Even after the ransom has been paid or recovery processes have been initiated, the network must be thoroughly audited for remaining compromises. This process takes time and money. As of Monday morning, many of Colonial's services are still offline.
How to Protect Your Business from DarkSide Ransomware
The story of Colonial Pipeline is not a new one; it is just the newest chapter in the long history of cyber extortion. But your organization does not have to participate in this story.
The DarkSide intrusion relies on exploitable vulnerabilities found on a target network. Syxsense Secure provides a simple interface for performing vulnerability audits across your entire corporate network. The visibility offered by Syxsense Secure shows your IT and security teams an in-depth view of your company’s vulnerabilities.
Outfits like DarkSide are interested in picking off easy targets. The best defense against DarkSide is a hard-to-breach corporate environment. If your organization remediates its vulnerabilities, DarkSide and similar cybercriminal outfits will choose to look elsewhere to make their money. Colonial Pipeline has already given up millions of dollars in consulting fees, remediation costs, and lost revenue due to this breach. Appropriate vulnerability audits would have helped prevent this disaster.
Start a free trial to see how Syxsense Cortex can help you defend against DarkSide and other complex ransomware attacks.