The malware strain shut down operations at the US fuel provider last week
Further details related to notorious ransomware DarkSide have emerged, as the FBI urges critical infrastructure operators to adopt a “heightened state of awareness” following the Colonial Pipeline attack.
The malware strain first emerged in 2020 with a Ransomware as a Service (RaaS) model, meaning that the group behind it launched attacks on behalf of paying clients, or “partners”, rather than simply selling its code.
Last week, DarkSide hit the headlines after the group targeted US gas supplier Colonial Pipeline, shutting down operations and raising alarm about the prospect of gasoline shortages.
The FBI's advisory, released last night (May 11), “urged” critical infrastructure asset owners and operators to “adopt a heightened state of awareness” and to implement mitigations including robust network segmentation between IT and OT networks; regular testing of manual controls; and ensuring that backups are implemented, regularly tested, and isolated from network connections.
“These mitigations will help CI [critical infrastructure] owners and operators improve their entity’s functional resilience by reducing their vulnerability to ransomware and the risk of severe business degradation if impacted by ransomware,” the advisory adds.
An exhaustive list of mitigations and best practices can be found in the advisory, which also condemns the paying of a ransom to cybercrime gangs.
It reads: “Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities.
“Paying the ransom also does not guarantee that a victim’s files will be recovered. CISA and FBI urge you to report ransomware incidents to your local FBI field office.”
President Joe Biden also condemned the attack and vowed to “disrupt and prosecute” the responsible actors.
Although the Colonial Pipeline incident thrust the RaaS strain into the spotlight, DarkSide has been tracked in at least 60 cases already this year, according to researchers from Mandiant FireEye.
In a report released last night (May 11), researchers from the company's threat detection team published further information about DarkSide, which the company first encountered on a dark web forum in November 2020.
Interestingly, the group behind DarkSide originally stated it would not carry out attacks on hospitals, schools, universities, non-profit organizations, and public sector entities, which FireEye suggested was a tactic to evade law enforcement detection.
However, after last week’s attack resulted in the shutdown of critical services in the US – the affected pipeline carries 2.5 million barrels a day, 45% of the East Coast’s supply of diesel, petrol, and jet fuel – the cybercrime gang took the unusual step of issuing an apology.
In a statement posted on the DarkSide website, the threat actor appeared to regret this latest incident.
The group commented: “We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined goverment (sic) and look for other our motives.
“Our goal is to make money, and not creating problems for society.
“From today we introduce moderation and check each company that our partners [customers] want to encrypt to avoid social consequences in the future.”
The group also prohibits attacks targeting the Commonwealth of Independent States, which includes Azerbaijan, Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Uzbekistan, and Ukraine, suggesting that its members could reside in one of these countries.
FireEye, which also published a detailed timeline of DarkSide’s movements, said that threat actors have “become more proficient at conducting multifaceted extortion operations”, adding that this success has “directly contributed to the rapid increase in the number of high-impact ransomware incidents over the past few years”.
Researchers expect to see varying extortion techniques leveraging DarkSide malware that “will continue to evolve throughout 2021”.