The criminal organization DarkSide snuck into Colonial Pipeline’s VPN through an unused account that was not protected by MFA. Or so goes the public’s current understanding of how the story started. But the infamous pipeline shutdown that followed was not a direct result of operational systems being encrypted by malware. The Colonial Pipeline team reports that it shut those systems down itself to prevent the ransomware from spreading to them.
While DarkSide claimed not to be politically aligned or motivated, the Eastern European group appears to have operated under a tacit agreement with Russia. Or so its code suggests: before attacking, it checks that the system it is running on is not located in a CIS (former Soviet Bloc) country. While this does not prove that Russia is attacking the U.S. economy through DarkSide, it does indicate that DarkSide (and likely other criminal gangs) operate for Russia much as privateers operated for European kings and queens: they were allowed to profit from attacks on enemy vessels only, and split the proceeds with the crown when they did. So while Russia may not have ordered DarkSide to attack Colonial Pipeline, it knowingly benefited from the attack.
This is what the public generally knows:
- DarkSide’s attack was simple to do, given their toolset that allows them to execute ransomware easily in any environment, and to sell those ransomware tools to others.
- Colonial Pipeline paid 75 Bitcoin to DarkSide within hours of the attack to recover their systems and to safely restore their operations.
- The delayed restart of their operations had more to do with the physical complications of stopping and starting a massive petroleum pipeline.
- A specialized ransomware task force operating within the FBI was able to recover a significant portion of the paid Bitcoin by obtaining a warrant for the decryption key used to access the cryptocurrency wallet used by DarkSide.
This is what you should not be focused on:
- Don’t breathe a sigh of relief if you’re not operating critical infrastructure. DarkSide definitely was interested in people who would pay because of an emergency. But their retail-model ransomware toolset makes it easy for any criminal to launch ransomware attacks on any company that looks open to those attacks.
- Don’t think backups are your safety net for ransomware. When your systems are getting infected, you will likely decide to shut down all critical neighboring systems, applications, and data stores until you know the threat is eradicated. That loss of business and loss of services – and the harm it causes others – is the actual impact.
This is what you should be focused on:
- This is no longer a fear-uncertainty-and-doubt scenario. Ransomware is a monetized, commoditized business that targets any business simply because the business has vulnerabilities that enable the attacks.
- Also, consider these ransomware prevention tips from eSecurity Planet.
Ransomware Prevention Tips
- Staff Awareness: Raising awareness about ransomware is a baseline security measure. But it takes only one employee lowering their guard for an organization to be compromised. Because training sessions cannot prepare staff for every potential attack, additional technical controls become all the more imperative.
- Spam Filter: Cybercriminals send millions of malicious emails to organizations and users at random, but an effective spam filter that continually adapts alongside a cloud-based threat intelligence center can prevent more than 99% of these from ever reaching employees’ desktops.
- Configure Desktop Extensions: Employees should be trained not to double-click executable files with a .exe extension. However, Windows hides file extensions by default, allowing a malicious executable such as “evil.doc.exe” to appear to be a Word document called “evil.doc”. Ensuring that extensions are always displayed goes a long way toward countering that kind of threat.
- Block Executables: Filtering files with a .exe extension from emails can prevent some malicious files from being delivered to employees, but bear in mind that this isn’t foolproof. Malicious emails can instruct employees to rename files, and ransomware is also increasingly being delivered as JavaScript files (see below).
- Block Malicious JavaScript Files: Ransomware delivered in .zip files containing malicious JavaScript files is common. These are disguised as text files with names like “readme.txt.js” – often shown simply as “readme.txt”, but with a script icon instead of a text-file icon. You can close this attack path for staff by disabling Windows Script Host.
- Restrict Use of Elevated Privilege: Ransomware can only encrypt files that are accessible to the user it runs as – unless it includes code that can elevate that user’s privileges as part of the attack, which is where patching and zero trust come into play.
- Promptly Patch Software: It’s a basic security precaution to keep all software updated with the latest security patches, but it’s worth reiterating because breaches continue to happen due to delayed updates. As recently as 2020, the SolarWinds hack could have been prevented for organizations that promptly patched software.
- Zero Trust: Moving toward zero trust offers visibility and control over your network, including the ability to stop ransomware. The next three actions (prioritizing assets and evaluating traffic, microsegmentation, and adaptive monitoring) are central steps of a zero trust architecture and greatly reduce your risk of an attack.
- Prioritize Assets and Evaluate Traffic: Using inventory tools and IOC lists, an organization can identify its most valuable assets or segments. This full picture shows staff how an attacker could infiltrate the network and gives needed visibility into traffic flows, which in turn gives your team clear guidelines as to which segments need added protection or restrictions.
- Microsegmentation: Microsegmentation is the ultimate solution for stopping lateral movement. By enforcing strict policies at the application level, segmentation gateways and NGFWs can prevent ransomware from reaching what’s most important.
- Adaptive Monitoring and Tagging: Once micro-perimeters surround your most sensitive segments, ongoing monitoring and adaptive technology are needed. This includes active tagging of workloads, threat hunting, virus assessments, and consistent evaluation of traffic to mission-critical applications, data, or services.
- Utilize a CASB: A cloud access security broker (CASB) can help manage policy enforcement for your organization’s cloud infrastructure. CASBs provide added visibility, compliance, data security, and threat protection for your data.
- Rapid Response Testing: In the event of a successful breach, your team must be ready to restore systems and recover data. This includes pre-assigning roles and ensuring a plan is in place.
- Sandbox Testing: A common way for security analysts to test new or unrecognized files is in a sandbox. Sandboxes provide a safe environment, disconnected from the wider network, for testing the file.
- Update Anti-Ransomware Software: As noted, consistently updating network software is critical. This is especially true for your existing intrusion detection and prevention system (IDPS), antivirus, and anti-malware.
- Offline Backups: While virtual backups are great, if you’re not also storing data backups offline, you’re at risk of losing that data. This means regular backups, multiple copies saved, and monitoring to verify that backups match the original. Restoring data after an attack is often your best approach.
- Update Email Gateway: All email for your network typically travels through a secure web gateway (SWG). By actively updating this server, you can monitor email attachments, websites, and files for malware. This visibility into the attacks trending against your organization can help inform staff of what to expect.
- Block Ads: All devices and browsers should have extensions that automatically block pop-up ads. Given the extensive use of the internet, malicious ads pose a long-lasting threat if not blocked.
- Bring-Your-Own-Device (BYOD) Restrictions: If you have a remote workforce or just a loose policy on which devices are acceptable for network access, it might be time to crack down. Unregulated use of new or unique devices poses an unnecessary risk to your network. Enterprise mobility management (EMM) is one solution.
- Forensic Analysis: After any detection of ransomware, there needs to be an investigation into its entry point and time in the environment, and confirmation that it has been fully removed from all network devices. From there, the task of ensuring it never returns begins.
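One way to implement the attachment checks behind the Configure Desktop Extensions, Block Executables and Block Malicious JavaScript Files tips at a mail gateway, as an added example that is not eSecurity Planet’s or this post’s own code: it flags executable attachments, Windows Script Host script types, the “evil.doc.exe” / “readme.txt.js” double-extension disguise, and looks inside .zip attachments for the same names. The extension sets and the sample zip are constructed here and would be tuned to your environment.

```python
import io
import zipfile

# Extensions that run code when double-clicked on a default Windows desktop.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "msi", "hta"}
# Script types executed by Windows Script Host (the engine the tips say to disable).
WSH_SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh"}
# Extensions a user expects to be harmless; "readme.txt.js" trades on this.
DOCUMENT_EXTS = {"doc", "docx", "txt", "pdf", "xls", "xlsx", "jpg", "png"}


def classify_name(filename):
    """Return the reasons a filename should be blocked (empty list means allow)."""
    parts = filename.lower().split(".")
    final = parts[-1]
    reasons = []
    if final in EXECUTABLE_EXTS:
        reasons.append("executable")
    if final in WSH_SCRIPT_EXTS:
        reasons.append("wsh-script")
    # Double extension: a dangerous real extension hiding behind a document one,
    # e.g. "evil.doc.exe" is shown as "evil.doc" when Windows hides extensions.
    if reasons and len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        reasons.append("double-extension")
    return reasons


def classify_attachment(filename, content=None):
    """Classify an attachment; for a .zip, also judge the names of its members."""
    reasons = classify_name(filename)
    if filename.lower().endswith(".zip") and content is not None:
        try:
            with zipfile.ZipFile(io.BytesIO(content)) as zf:
                for member in zf.namelist():
                    inner = classify_name(member)
                    if inner:
                        reasons.append("zip-contains:%s:%s" % (member, ",".join(inner)))
        except zipfile.BadZipFile:
            reasons.append("malformed-zip")  # cannot inspect it, so do not pass it through
    return reasons


def build_sample_zip(member_names):
    """Constructed test data: an in-memory zip whose members have the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, "")
    return buf.getvalue()
```

A real gateway would apply this to the decoded attachment names of each message and quarantine anything with a non-empty reason list, logging the reasons for the responders doing the forensic analysis step.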