DarkSide Offered Ransomware-as-a-Service Before Pipeline Attack
Colonial Pipeline might be tight-lipped about the vulnerability hackers exploited to launch a ransomware attack that shut down the U.S.’s largest pipeline, but details are emerging about the DarkSide ransomware variant behind the attack and the cybercriminals associated with it.
A relative newcomer, the variant first emerged in the cybercriminal underground last year and quickly rose to prominence. “While spotted in the wild as far back as August 2020, DarkSide’s developer ‘debuted’ the ransomware on the popular Russian-language hacker forum XSS in November 2020, advertising that he was looking for partners in an attempt to adopt an affiliate ‘as-a-service’ model,” according to Intel471 researchers, who have been tracking cybercriminals linked to the variant since its emergence.
The researchers then spotted the ransomware in attacks on manufacturers and law firms in the U.S. and Europe. In March, the variant’s developer tried to lure new affiliates with a bevy of new features, Intel471 said, including versions aimed at Microsoft Windows and Linux systems. They also sported enhanced encryption settings and “a full-fledged and integrated feature built directly into the management panel that enabled affiliates to arrange calls meant to pressure victims into paying ransoms” as well as a way to launch distributed denial-of-service (DDoS) attacks.
Many of the affiliates gained access to networks – at least initially – through vulnerable software like Citrix, Remote Desktop Web (RDWeb) or via remote desktop protocol (RDP), then performed lateral movement and exfiltrated sensitive data before they deployed ransomware.
“For initial access to networks, actors usually purchased access credentials on underground forums, conducted brute-force attacks, used spam campaigns to spread malware loaders and/or bought access to popular botnets such as Dridex, TrickBot and ZLoader,” Intel471 researchers said. “As for post-exploitation tools, the arsenal usually included Cobalt Strike and Metasploit frameworks, Mimikatz and BloodHound.”
The researchers called out some tactics, techniques and procedures used by DarkSide affiliates, including a prominent actor who partnered with network access brokers to obtain initial access credentials, used the Mega.nz file-sharing service to exfiltrate data, then leveraged a PowerShell backdoor “for reconnaissance and persistence within corporate networks, and also operating the KPOT.”
In another instance, an actor tapped pen testers “to use VPNs in conjunction with already-obtained network access, allowing attackers to move laterally within the network, exfiltrate sensitive data and deploy ransomware,” Intel471 said.
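As an added defender-side example (not from the article or from Intel471), the following Python correlates two of the affiliate behaviours described above over constructed log records: repeated failed RDP logons against a host, and bulk uploads from that same host to the Mega.nz service. The record layouts, hostnames, addresses and thresholds are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed failed-logon records, Windows 4625 style: (host, source_ip, logon_type).
# Logon type 10 (RemoteInteractive) is RDP; type 3 is an ordinary network logon.
FAILED_LOGONS = [("fileserver01", "203.0.113.7", 10)] * 6 + [
    ("workstation22", "10.0.0.15", 10),
    ("workstation22", "10.0.0.15", 3),
]

# Constructed proxy records: (internal_host, destination_domain, bytes_uploaded).
PROXY_EVENTS = [
    ("fileserver01", "g.api.mega.co.nz", 900_000_000),
    ("fileserver01", "mega.nz", 300_000_000),
    ("workstation22", "example.com", 2_000_000),
    ("workstation22", "mega.nz", 5_000_000),
]

RDP_LOGON_TYPE = 10
BRUTE_FORCE_THRESHOLD = 5            # assumed: 5+ RDP failures from one source
EXFIL_BYTES_THRESHOLD = 500_000_000  # assumed: 500 MB+ uploaded to Mega.nz
MEGA_DOMAINS = ("mega.nz", "mega.co.nz")

def is_mega_domain(domain):
    """True for mega.nz / mega.co.nz and any subdomain of them."""
    return any(domain == d or domain.endswith("." + d) for d in MEGA_DOMAINS)

def rdp_brute_force_sources(events, threshold=BRUTE_FORCE_THRESHOLD):
    """{(host, source_ip): failures} for RDP logon failures at or above threshold."""
    counts = Counter((h, ip) for h, ip, lt in events if lt == RDP_LOGON_TYPE)
    return {key: n for key, n in counts.items() if n >= threshold}

def mega_uploaders(events, threshold=EXFIL_BYTES_THRESHOLD):
    """{host: total_bytes} for hosts uploading at least threshold bytes to Mega.nz."""
    totals = defaultdict(int)
    for host, domain, nbytes in events:
        if is_mega_domain(domain):
            totals[host] += nbytes
    return {h: b for h, b in totals.items() if b >= threshold}

def correlate(failed_logons, proxy_events):
    """Hosts both hammered over RDP and later bulk-uploading to Mega.nz: the
    sequence the article describes before ransomware is deployed."""
    targeted = {host for host, _ in rdp_brute_force_sources(failed_logons)}
    return sorted(targeted & set(mega_uploaders(proxy_events)))
```

In a real environment the two feeds would come from the domain controllers' security logs and the egress proxy, and the thresholds should be tuned against a baseline of legitimate Mega.nz use before alerting on them.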
After the FBI fingered DarkSide in the Colonial Pipeline attack and President Biden took a keen interest in the incident, the ransomware’s operators tried to turn down the heat with a statement pledging to “introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.” The consequences of the pipeline attack are reverberating across the Eastern half of the U.S. in the form of higher gas prices and shortages.
It’s certainly easy to understand why the group doesn’t want to invite the wrath of the federal government. But how likely is that? Given the group’s reputation as a criminal enterprise, not a nation-state actor, what will the authorities do? It’s true that law enforcement may come knocking at some point, but more cybercriminals slip through law enforcement’s grip than get caught and punished.
DarkSide operators’ rise to prominence – in such a short time – and their packaging and shaping of features to lure affiliates underscore what Intel471 sees as “the popularity and increasing maturity of the ransomware-as-a-service model.” Aging technology controlling energy systems is a prime target for actors armed with RaaS. Their success only inspires others to join in the fun. There’s plenty of room in the cybercrime underground for the likes of access brokers, credential shops and bulletproof hosting providers.
All the more reason why companies responsible for critical infrastructure, Intel471 researchers said, must stand up and bolster the security of their systems. It’s a little late for Colonial Pipeline, which now finds itself in a reactive crouch. But those that take the lessons of this attack to heart and respond accordingly have the opportunity to assume a more proactive posture.