Editorial Update 5/11 - In a joint advisory, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) urge critical infrastructure (CI) asset owners and operators to adopt a heightened state of awareness based on the attack. There is no new information relating to the attack itself, nor are there any indicators of compromise (IOCs) associated with the attack, but they encourage organizations to implement the recommendations they list in the Mitigations section of the advisory.
FortiGuard Labs is aware of reports of a ransomware attack on the largest refined petroleum pipeline in the United States, Colonial Pipeline. Reports have surfaced over the weekend that the ransomware attack is attributed to the DarkSide ransomware group. The pipeline spans from Texas to New Jersey and was shutdown as a precautionary measure while assessments were being made. According to multiple sources, only information systems were affected, and not industrial control systems (ICS). The modus operandi of the group is similar to that of several ransomware groups that follow the data leak extortion model where they threaten to publish confidential stolen data and documents on the dark web if victims fail to comply.
The DarkSide ransomware group maintains a TOR onion web page where it lists over two dozen victims in the construction, dental, energy, gaming, insurance, power, and property verticals, amongst others. Data that was claimed to have been stolen were in the gigabytes per organization. For purposes of providing anonymity to victims, we will not name them or reference the TOR onion site here.
Also included on their website is a "Press Center" page that provides further information about the group. This includes a list of statements saying that they are not related to a government operation and that they will not attack any hospitals, nursing homes, COVID-19 research facilities and funeral homes.
Samples related to DarkSide were shared with FortiGuard Labs through multiple partnerships that helped us identify and analyze further remnants of this campaign.
What are the Technical Details?
Based on known available samples attributed to DarkSide campaigns, it appears that the group prefers living off the land techniques. That means that the group utilizes tools that already exist in the computing environment for lateral movement after compromise to evade detection. Examples of post-compromise tools and techniques associated with DarkSide are legitimate tools such as:
Cobalt Strike - a pentesting suite widely used by red teams around the globe
PSExec.exe - a command line tool that offers extensibility and functionality similar to telnet for remote administration (and lateral movement)
Putty.exe - a widely used SSH/Telnet tool for remote administration of servers
PCHunter - provides low level system information at the kernel level
MegaSync - Russian language version of MegaSync which coordinates with the cloud storage provider MEGA and is likely used to move exfiltrated data and documents, etc.
The ransomware note contains the usual informational text file that uses a FAQ-like format to provide details on what is ransomware, what happened, unique identifiers and contact information. It also includes a sinister section that specifies how many GB of files have been stolen from other victims, along with a breakdown specific to the victim. The victim is then presented with a custom TOR onion site to go to along with instructions from the DarkSide operators on inputting a provided key within the website's form. Contrary to other ransomware attackers, the DarkSide attackers have not provided details of a preferred payment method (bitcoin, etc.) and price. The main goal is to get the victim's attention and to have them contact the DarkSide operators to discuss terms directly.
What Operating Systems Are Affected?
Windows-based operating systems.
How Serious of an Issue is This?
HIGH/MEDIUM. This is rated HIGH/MEDIUM due to the shutdown implications of the Colonial Pipeline and appears to be restricted to targeted attacks. Reports have confirmed that only information systems and not industrial control systems are affected. As we have not seen other instances of this ransomware elsewhere, the spread appears to be primarily restricted to focused targeted attacks.
How Widespread is this Attack?
Low. Currently at this time, it appears to be confined to targeted attacks.
Is there Any Identified Nation State Activity or Attribution?
Initial reports have attributed to possible nation state activity over the weekend. However, on Monday, May 10th, the Federal Bureau of Investigation has confirmed that attacks are attributed to the DarkSide ransomware group and not a nation state.
Should Victims Pay the Ransom?
FortiGuard Labs cannot provide any guidance here. It is up to each organization to determine their risk. Factors in that decision include determining the potential for loss due to downtime and reputation, along with whether or not an organization has cybersecurity insurance coverage to help mitigate such potential losses.
What is the status of Protections?
FortiGuard Labs has the following (AV) signatures in place for publicly available DarkSide Ransomware and associated campaign samples as:
FortiGuard Labs has the following (IPS) signatures in place for Cobalt Strike Beacon Activity as:
For TOR (darkweb) activity, Application Control signatures will detect all TOR related activity.
For FortiEDR protections, all related IOC's were added to our Cloud intelligence and will be blocked if executed on customer systems.
All network IOC's are blocked by the WebFiltering client.
Any Other Suggested Mitigation?
Due to the ease of disruption and potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), etc., it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed, and updated to protect against attackers establishing a foothold within a network.
Also - organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. They also need to encourage employees to never open attachments from someone they don't know, and to always treat emails from unrecognized/untrusted senders with caution. Since it has been reported that various phishing and spearphishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organizations' internal security department. Simple user awareness training on how to spot emails with malicious attachments or links could also help prevent initial access into the network.
On May 7, Colonial Pipeline Company learned it was the victim of a cybersecurity attack and has since determined that the incident involved ransomware. Quickly after learning of the attack, Colonial proactively took certain systems offline to contain the threat. These actions temporarily halted all pipeline operations and affected some of our IT systems, which we are actively in the process of restoring.