By Dylan Duncan

DARKSIDE Ransomware Operations

DARKSIDE ransomware first emerged in August 2020 and is operated as a Ransomware-as-a-Service (RaaS): the developers maintain the malware and the leak site, and affiliates carry out the intrusions. The FBI has confirmed DARKSIDE as responsible for the compromise of the Colonial Pipeline networks. The traditional goal of ransomware is to infect an organization that is able to pay the ransom; the Colonial Pipeline attack shows that the cost of a successful infection goes well beyond the ransom itself, in operational and economic disruption.

Since the malware's release, DARKSIDE operators and the affiliates who use the service have been seen targeting major organizations across most sectors. A FireEye report on the ransomware and its infrastructure identifies three initial compromise vectors: password attacks (brute force and credential stuffing) against perimeter infrastructure, exploitation of CVE-2021-20016 in SonicWall SMA100 appliances, and malicious email with embedded links.

One of the ways threat actors abuse cloud platforms is by using them to host malicious content. In our quarterly trend review for Q4 2020, Cofense Intelligence predicted an increase in ransomware campaigns alongside growing abuse of trusted platforms and software, and expected that growth to continue through the first two quarters of 2021. The DARKSIDE campaigns that use malicious email with embedded links have been reported to use Google Drive URLs to deliver .NET backdoors such as SMOKEDHAM. As in other ransomware campaigns such as Ryuk, the backdoor gives the operators hands-on-keyboard access, so the ransomware itself is dropped manually, often long after the initial infection; the delay between the phish and the encryption is the window in which detection of the backdoor still prevents the ransomware. We see no data indicating a decline in this trend as long as trusted platforms remain a straightforward way for threat actors to host malicious content while avoiding detection.

Cofense Intelligence reports daily on phishing emails with embedded links that abuse trusted platforms, and provides actionable intelligence on them. As organizations move business processes onto these platforms, threat actors have migrated their tactics to the same platforms to bypass the secure email gateway (SEG): a link to drive.google.com carries a trusted domain and a valid certificate, so URL reputation alone does not flag it. As seen in Figure 1, approximately 27% of the phishing emails with embedded links used for malware delivery this year abused Google Drive. Emerging technologies continue to create new opportunities for similar abuse. Cloud solution providers have to balance offering services to the public against policing abuse of those same services, and organizations that gain value from cloud services must also address the accompanying risk.

Figure 1: Phishing emails with embedded links used for malware delivery, compared with the subset using Google Drive links.

Mitigation

Campaigns like this remain a key example of how crucial phishing education is for an organization. A phishing simulation program lets users practice in the same environment where they will encounter a real phish. Equally critical to a phishing defense program is a way for users to report a suspicious message quickly, using a tool such as Cofense Reporter, so that the security team learns about a campaign before the backdoor is used. Additional infosec program essentials include preparing for a ransomware infection, with secure, regularly tested backups and tabletop exercises that rehearse the incident response plan. Keeping software patched protects against the vulnerabilities and exploits used for initial access, including the perimeter devices targeted in these campaigns. Blocking trusted platforms outright is often not feasible, but the security operations team should understand the business goals and procedures behind baseline usage of those platforms. With a baseline in hand, hunting and alerting against anomalous activity (unusual users, unusual volumes, executable content fetched from a platform normally used for documents) becomes far more effective. Mitigating a cloud-sourced threat vector is difficult, but it is possible with layered defenses, auditing and training.
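As an added illustration of the baseline-relative hunting described above (example code written for this page, not Cofense tooling and not code from the original post), the following Python sketch scans web-proxy log lines for Google Drive activity and raises two kinds of alert: a direct-download link (the drive.google.com/uc?export=download form commonly embedded in phishing emails) that returns executable or archive content, and a user whose Drive download volume exceeds their baseline. The tab-separated log format, the baseline figures, the user names, the file IDs and the sample lines are all constructed for illustration; adapt parse_line() to your proxy's real export.

```python
"""Hunt for anomalous Google Drive downloads in web-proxy logs.

Constructed example. Log format (tab-separated): timestamp, user, method,
URL, HTTP status, response Content-Type, bytes. The baseline is a per-user
count of Drive downloads per day taken from a known-quiet period.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Response types that a link to a "shared document" should not return.
# Assumption: the proxy records the response Content-Type.
EXECUTABLE_TYPES = {
    "application/x-msdownload",     # .exe / .dll
    "application/x-msdos-program",
    "application/octet-stream",
    "application/zip",
    "application/x-zip-compressed",
    "application/x-rar-compressed",
    "application/x-ms-shortcut",    # .lnk
}

DRIVE_HOSTS = {"drive.google.com", "docs.google.com"}
FILE_PATH_RE = re.compile(r"^/file/d/([A-Za-z0-9_-]+)")   # /file/d/<id>/view
QUERY_ID_PATHS = {"/uc", "/open"}                          # /uc?...&id=<id>


def drive_file_id(url):
    """Return the Drive file ID carried by a URL, or None if not a Drive link."""
    parts = urlsplit(url)
    if parts.hostname not in DRIVE_HOSTS:
        return None
    m = FILE_PATH_RE.match(parts.path)
    if m:
        return m.group(1)
    if parts.path in QUERY_ID_PATHS:
        ids = parse_qs(parts.query).get("id")
        return ids[0] if ids else None
    return None


def is_direct_download(url):
    """True for the /uc?export=download form that skips the Drive preview page."""
    parts = urlsplit(url)
    return (parts.hostname in DRIVE_HOSTS and parts.path == "/uc"
            and parse_qs(parts.query).get("export") == ["download"])


def parse_line(line):
    ts, user, method, url, status, ctype, nbytes = line.rstrip("\n").split("\t")
    return {"ts": ts, "user": user, "method": method, "url": url,
            "status": int(status),
            "ctype": ctype.split(";")[0].strip().lower(),
            "bytes": int(nbytes)}


def hunt(lines, baseline, ratio=3.0):
    """Return a list of alert dicts for the given log lines.

    baseline: {user: typical Drive downloads per day}. A user is flagged when
    today's count exceeds ratio * baseline (and at least 2, so a single
    download by a new user does not page anyone).
    """
    alerts, per_user = [], Counter()
    for rec in map(parse_line, lines):
        if rec["status"] != 200:
            continue
        fid = drive_file_id(rec["url"])
        if fid is None:
            continue
        per_user[rec["user"]] += 1
        if is_direct_download(rec["url"]) and rec["ctype"] in EXECUTABLE_TYPES:
            alerts.append({"rule": "drive-direct-download-binary",
                           "user": rec["user"], "file_id": fid,
                           "ctype": rec["ctype"], "ts": rec["ts"]})
    for user, n in per_user.items():
        expected = baseline.get(user, 0)
        if n > max(ratio * expected, 2):
            alerts.append({"rule": "drive-volume-anomaly", "user": user,
                           "count": n, "baseline": expected})
    return alerts


# Constructed sample data: jdoe opens a phish link and fetches an .exe via a
# direct-download URL; bob, who normally never uses Drive, pulls four files.
SAMPLE_LOG = [
    "2021-05-10T09:01:12Z\tjdoe\tGET\thttps://drive.google.com/file/d/1AbCdEfGhIjKlMnOpQrStUvWx/view\t200\ttext/html; charset=utf-8\t48213",
    "2021-05-10T09:01:40Z\tjdoe\tGET\thttps://drive.google.com/uc?export=download&id=1AbCdEfGhIjKlMnOpQrStUvWx\t200\tapplication/x-msdownload\t512000",
    "2021-05-10T10:15:03Z\tasmith\tGET\thttps://drive.google.com/file/d/1ZyXwVuTsRqPoNmLkJiHgFeDc/view\t200\ttext/html\t22000",
    "2021-05-10T11:00:00Z\tasmith\tGET\thttps://www.example.com/index.html\t200\ttext/html\t1200",
    "2021-05-10T11:20:00Z\tbob\tGET\thttps://drive.google.com/uc?export=download&id=1aaaa\t200\tapplication/pdf\t9000",
    "2021-05-10T11:21:00Z\tbob\tGET\thttps://drive.google.com/uc?export=download&id=1bbbb\t200\tapplication/pdf\t9000",
    "2021-05-10T11:22:00Z\tbob\tGET\thttps://drive.google.com/uc?export=download&id=1cccc\t200\tapplication/pdf\t9000",
    "2021-05-10T11:23:00Z\tbob\tGET\thttps://drive.google.com/uc?export=download&id=1dddd\t404\ttext/html\t300",
    "2021-05-10T11:24:00Z\tbob\tGET\thttps://drive.google.com/uc?export=download&id=1eeee\t200\tapplication/pdf\t9000",
]
BASELINE = {"jdoe": 1, "asmith": 4, "bob": 0}   # constructed quiet-period counts

if __name__ == "__main__":
    for a in hunt(SAMPLE_LOG, BASELINE):
        print(a)
```

Two caveats for real deployments: Drive often serves the file body from a *.googleusercontent.com host after a redirect, so key on the initial drive.google.com request (as above) or join on the redirect chain; and the file ID is the value worth pivoting on, since the same hosted payload is typically linked from many emails across a campaign.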

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.