A joint advisory from the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) warns about a ransomware-as-a-service operation that came into the spotlight after a devastating ransomware attack on Colonial Pipeline.
The FBI and CISA published an alert on Tuesday detailing DarkSide, a malware operation that offers Ransomware-as-a-Service (RaaS) and is responsible for shutting down the Colonial Pipeline last week.
Last Friday, the US fuel giant disclosed a cyberattack by DarkSide affiliates that disrupted pipeline operations. The company took its IT systems offline to prevent the malware from spreading further.
The company hasn’t restored the pipeline service yet. This presents a major problem for the country and a risk of supply shortages, since Colonial Pipeline is a critical infrastructure provider supplying 45% of the US East Coast’s fuel and delivering up to 100 million gallons of fuel daily.
The advisory explains to organizations how cybercriminals usually operate in such attacks:
“Cybercriminal groups use DarkSide to gain access to a victim’s network to encrypt and exfiltrate data,” the alert says. “These groups then threaten to expose data if the victim does not pay the ransom. Groups leveraging DarkSide have recently been targeting organizations across various CI sectors including manufacturing, legal, insurance, healthcare, and energy.”
Under the RaaS cybercriminal model, also known as a ransomware affiliate scheme, a core team develops the malware (in this case, the DarkSide ransomware) and then rents it to others. Malware authors often provide RaaS on a subscription basis, or the creators receive a percentage of the profits when a ransom is paid, usually in the range of 20-30%. The original developers provide support and continue to improve their product.
The DarkSide group tries to portray itself as some sort of “Robin Hood”:
“Our goal is to make money, and not creating problems for society,” DarkSide said. They also made donations to charities, although some of these donations have been rejected.
The FBI/CISA advisory gives best practices for preventing such ransomware attacks.
“CISA and FBI urge CI [critical infrastructure] asset owners and operators to adopt a heightened state of awareness and implement recommendations […] including implementing robust network segmentation between IT and OT networks; regularly testing manual controls; and ensuring that backups are implemented, regularly tested, and isolated from network connections,” the agencies say. “These mitigations will help CI owners and operators improve their entity’s functional resilience by reducing their vulnerability to ransomware and the risk of severe business degradation if impacted by ransomware.”