Threat Signal Report

Colonial Pipeline Attack Attributed to DarkSide Ransomware Group

Description

Editorial Update 5/11 - In a joint advisory, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) urge critical infrastructure (CI) asset owners and operators to adopt a heightened state of awareness in light of the attack. The advisory contains no new information about the attack itself and no indicators of compromise (IOCs) associated with it, but it encourages organizations to implement the recommendations listed in its Mitigations section.


FortiGuard Labs is aware of reports of a ransomware attack on Colonial Pipeline, the largest refined petroleum pipeline in the United States. Reports surfaced over the weekend attributing the attack to the DarkSide ransomware group. The pipeline spans from Texas to New Jersey and was shut down as a precautionary measure while assessments were made. According to multiple sources, only information systems were affected, not industrial control systems (ICS). The group's modus operandi resembles that of several other ransomware groups that follow the data leak extortion model: they threaten to publish stolen confidential data and documents on the dark web if victims fail to comply.


The DarkSide ransomware group maintains a TOR onion web page listing over two dozen victims in the construction, dental, energy, gaming, insurance, power, and property verticals, among others. The volume of data claimed to have been stolen runs to gigabytes per organization. To preserve the anonymity of the victims, we will not name them or reference the TOR onion site here.


Also included on the site is a "Press Center" page that provides further information about the group, including statements that it is not related to any government operation and that it will not attack hospitals, nursing homes, COVID-19 research facilities or funeral homes.


Samples related to DarkSide were shared with FortiGuard Labs through multiple partnerships that helped us identify and analyze further remnants of this campaign.


What are the Technical Details?

Based on known available samples attributed to DarkSide campaigns, the group appears to prefer living-off-the-land techniques: after the initial compromise it relies on tools that already exist in, or are routinely found in, the computing environment for lateral movement, which helps it evade detection. Post-compromise tools and techniques associated with DarkSide include the following legitimate tools:


Cobalt Strike - a commercial penetration testing and adversary simulation suite widely used by red teams around the globe


PsExec.exe - a Sysinternals command line tool that launches processes on remote Windows systems with telnet-like interactivity, used for remote administration (and, in this case, lateral movement)


PuTTY.exe - a widely used SSH/Telnet client for remote administration of servers


PCHunter - a utility that exposes low-level system information at the kernel level (running processes, loaded drivers, kernel hooks)


MEGAsync - a Russian-language build of MEGAsync, the desktop sync client for the cloud storage provider MEGA; likely used to move exfiltrated data and documents off the network
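The practical problem with the tool list above is that every item on it is legitimate software, so a hunt has to look for these binaries in process-creation telemetry and then reason about the combination seen per host. The script below is an added example written for this report, not FortiGuard code: it matches the tools' file-name stems against both the on-disk image name and the PE version-info OriginalFileName that Sysmon records (so a renamed copy of PsExec is still caught), then escalates any host where a lateral-movement tool and an exfiltration client were both observed. The event field names, the sample JSON lines and the "psexec.c" OriginalFileName value are constructed for the example; the Cobalt Strike Beacon is intentionally not in the table, since it seldom runs as a recognizable image and is better caught on the wire, as with the IPS signature listed later in this report.

```python
"""Hunt for the living-off-the-land tooling listed above in process-creation
telemetry.  Added example, not FortiGuard code; the events are constructed
Sysmon Event ID 1 style JSON lines, not data from the Colonial Pipeline incident."""
import json
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# File-name stems (name without extension) for the tools named above, mapped to
# (tool, role).  Cobalt Strike is deliberately absent: a Beacon rarely runs as a
# recognisable image, so it is caught on the network (IPS signature) instead.
TOOLS: Dict[str, Tuple[str, str]] = {
    "psexec":     ("PsExec", "lateral movement"),
    "psexec64":   ("PsExec", "lateral movement"),
    "psexesvc":   ("PsExec service (target side)", "lateral movement"),
    "putty":      ("PuTTY", "remote administration"),
    "pchunter":   ("PCHunter", "kernel-level reconnaissance"),
    "pchunter32": ("PCHunter", "kernel-level reconnaissance"),
    "pchunter64": ("PCHunter", "kernel-level reconnaissance"),
    "megasync":   ("MEGAsync", "possible exfiltration"),
}

# Constructed telemetry (assumed field names; real Sysmon uses Image,
# OriginalFileName, CommandLine).  Host ws17 runs PsExec renamed to upd.exe,
# which only the version-info OriginalFileName ("psexec.c") gives away.
SAMPLE_EVENTS = r"""
{"host":"fs01","user":"CORP\\svc_backup","image":"C:\\Windows\\PSEXESVC.exe","original_file_name":"psexesvc.exe","cmdline":"C:\\Windows\\PSEXESVC.exe"}
{"host":"fs01","user":"CORP\\svc_backup","image":"C:\\Users\\Public\\MEGAsync.exe","original_file_name":"MEGAsync.exe","cmdline":"MEGAsync.exe"}
{"host":"ws17","user":"CORP\\jdoe","image":"C:\\Temp\\upd.exe","original_file_name":"psexec.c","cmdline":"upd.exe \\\\fs01 -s -d cmd.exe"}
{"host":"ws17","user":"CORP\\jdoe","image":"C:\\Windows\\System32\\notepad.exe","original_file_name":"NOTEPAD.EXE","cmdline":"notepad.exe"}
{"host":"dc01","user":"CORP\\adm1","image":"C:\\Tools\\PCHunter64.exe","original_file_name":"PCHunter64.exe","cmdline":"PCHunter64.exe"}
{"host":"jump02","user":"CORP\\adm1","image":"C:\\Program Files\\PuTTY\\putty.exe","original_file_name":"PuTTY","cmdline":"putty.exe"}
"""


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    tool: str
    role: str
    evidence: str  # which field matched, and its value


def stem(path: str) -> str:
    """Lower-cased file name without extension; accepts \\ or / separators."""
    name = ntpath.basename(path.replace("/", "\\")).lower()
    return name.rsplit(".", 1)[0] if "." in name else name


def match_event(ev: dict) -> Optional[Finding]:
    """Return a Finding if the image name or OriginalFileName is a listed tool."""
    for field_name in ("image", "original_file_name"):
        value = ev.get(field_name, "")
        hit = TOOLS.get(stem(value)) if value else None
        if hit:
            tool, role = hit
            return Finding(ev["host"], ev["user"], tool, role, f"{field_name}={value}")
    return None


def hunt(jsonl: str) -> List[Finding]:
    """Parse JSON-lines telemetry and collect every tool sighting, in order."""
    findings: List[Finding] = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        found = match_event(json.loads(line))
        if found:
            findings.append(found)
    return findings


def hosts_to_escalate(findings: List[Finding]) -> Set[str]:
    """Hosts where both a lateral-movement tool and an exfiltration client were
    seen: that pairing matches the steal-then-extort pattern described above."""
    roles: Dict[str, Set[str]] = {}
    for f in findings:
        roles.setdefault(f.host, set()).add(f.role)
    wanted = {"lateral movement", "possible exfiltration"}
    return {host for host, seen in roles.items() if wanted <= seen}


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host:7} {f.user:16} {f.tool:30} {f.role:26} {f.evidence}")
    print("escalate:", sorted(hosts_to_escalate(found)))
```

Every finding is a lead, not a verdict: administrators use PsExec and PuTTY legitimately, so baseline which accounts and hosts normally run them before alerting on a single sighting. The renamed-binary case is why the OriginalFileName check matters; matching only on the image path would have missed ws17 entirely.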


The ransom note is the usual informational text file, written in a FAQ-like format, explaining what ransomware is, what happened, the victim's unique identifiers and contact information. It also includes a sinister section that states how many GB of files have been stolen from other victims, along with a breakdown specific to this victim. The victim is then directed to a custom TOR onion site, with instructions from the DarkSide operators to enter a provided key in the site's form. Unlike many other ransomware attackers, DarkSide does not state a preferred payment method (bitcoin, etc.) or a price in the note. The main goal is to get the victim's attention and have them contact the DarkSide operators to negotiate terms directly.


What Operating Systems Are Affected?

Windows-based operating systems.


How Serious of an Issue is This?

HIGH/MEDIUM. This is rated HIGH/MEDIUM because of the shutdown implications for Colonial Pipeline, offset by the fact that the activity appears to be restricted to targeted attacks. Reports have confirmed that only information systems, not industrial control systems, were affected. As we have not seen instances of this ransomware elsewhere, the spread appears to be confined to focused, targeted attacks.


How Widespread is this Attack?

Low. At this time the activity appears to be confined to targeted attacks.


Is there Any Identified Nation State Activity or Attribution?

Initial reports over the weekend attributed the attack to possible nation state activity. However, on Monday, May 10th, the Federal Bureau of Investigation confirmed that the attack is attributed to the DarkSide ransomware group and not to a nation state.


Should Victims Pay the Ransom?

FortiGuard Labs cannot provide any guidance here. It is up to each organization to determine their risk. Factors in that decision include determining the potential for loss due to downtime and reputation, along with whether or not an organization has cybersecurity insurance coverage to help mitigate such potential losses.


What is the status of Protections?

FortiGuard Labs has the following antivirus (AV) signatures in place for publicly available DarkSide ransomware and associated campaign samples:


PossibleThreat

Riskware/Agent

Riskware/PCH

Riskware/PowerTool

Riskware/RemoteUtilities

Riskware/TorTool

W32/DarkSide.B!tr.ransom

W32/Filecoder.ODE!tr.ransom

W32/Filecoder_DarkSide.A!tr

W32/Filecoder_DarkSide.B!tr

W32/GenKryptik.FBOV!tr

W32/Packed.OBSIDIUM.BV!tr

W64/Kryptik.BVR!tr


FortiGuard Labs has the following intrusion prevention (IPS) signature in place for Cobalt Strike Beacon activity:


Backdoor.Cobalt.Strike.Beacon


For TOR (dark web) activity, Application Control signatures will detect TOR-related activity.


For FortiEDR protections, all related IOCs were added to our cloud intelligence and will be blocked if executed on customer systems.


All network IOCs are blocked by the Web Filtering client.


Any Other Suggested Mitigation?

Because of the ease of disruption and the potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), it is important to keep all AV and IPS signatures up to date. It is equally important to ensure that all known vendor vulnerabilities in the organization's systems are patched, so that attackers cannot use them to establish a foothold within the network.


Organizations are also encouraged to conduct ongoing training sessions to educate personnel about the latest phishing and spearphishing attacks, to encourage employees never to open attachments from senders they do not know, and to treat emails from unrecognized or untrusted senders with caution. Since various phishing and spearphishing attacks have reportedly been delivered through social engineering, it is crucial that end users within an organization be made aware of the types of attacks in circulation. This can be accomplished through regular training sessions and impromptu tests using predetermined templates run by an organization's internal security department. Simple user awareness training on how to spot emails with malicious attachments or links can also help prevent initial access to the network.


Definitions

Traffic Light Protocol

Color | When should it be used? | How may it be shared?

TLP: RED

When should it be used? Not for disclosure, restricted to participants only. Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused.
How may it be shared? Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

When should it be used? Limited disclosure, restricted to participants’ organizations. Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved.
How may it be shared? Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

When should it be used? Limited disclosure, restricted to the community. Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.
How may it be shared? Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

When should it be used? Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.
How may it be shared? Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.