Big game hunting: the risk that advanced crime-syndicate extortion becomes commonplace
Mathew J. Schwartz (euroinfosec) •
May 12, 2021
For anyone wondering how a Russian-speaking crime syndicate using ransomware could disrupt a major US pipeline, a more relevant question might be: why didn’t this happen sooner?
The DarkSide operation first appeared in August 2020 with a clear MO: take down large targets in pursuit of massive ransom payments. Information security experts call this strategy big game hunting.
Unless something is done to disrupt this criminal business model, what looks bold today is likely to become even more common tomorrow.
Unfortunately, extortionists pursuing this strategy have not only disrupted large organizations but have also seen many of them pay ransoms, generating huge profits.
On Monday, the FBI accused DarkSide of disrupting the computer systems of Colonial Pipeline Co., which transports about 45% of all fuel used on the US east coast. While full details of the attack have not yet been made public, the US Cybersecurity and Infrastructure Security Agency says the attackers appear to have hit only IT systems, rather than Colonial Pipeline’s operational technology networks, such as the pipelines themselves.
Perhaps this is because, once Colonial Pipeline realized on Friday that it had been hit by ransomware, it says it reacted quickly and “proactively logged off certain systems to contain the threat,” which “temporarily halted all pipeline operations and affected some of our IT systems.” White House officials say they expect the pipeline to be “mostly operational” by this weekend.
“We don’t want to kill your business”
For a newcomer, DarkSide has already made a big impression. The operation announced its debut on cybercrime forums on August 10, 2020, claiming that “we are a new product in the market, but that doesn’t mean we don’t have any experience and we came from nowhere.” Threat intelligence firm Flashpoint says the group’s first known attack took place on the same day.
At the time, the gang promised that it would not attack any organization in the medical, healthcare, nonprofit or government sectors. “We only attack businesses that can pay the amount requested, we don’t want to kill your business,” the gang claimed.
In November 2020, a gang member using the handle “darksupp” began advertising on Russian-language cybercrime forums for two types of affiliates for what was becoming a ransomware-as-a-service operation: initial-access specialists capable of hacking into targets, and attackers capable of using access already gained to deploy ransomware, security companies say.
Ransomware-as-a-service model
Most gangs using ransomware today operate through this type of ransomware-as-a-service model, in which operators develop the malware and infrastructure, including payment portals for victims, and provide them as a service to affiliates, who infect victims. Such specialization has helped ransomware operators increase their profits, especially as they recruit more technical specialists for the operation and sign up more technically advanced affiliates. Every time a victim pays, the operator and the affiliate share the proceeds.
Experts say competition among RaaS operators for qualified affiliates remains fierce, prompting operators to continually improve their malware, add new features, and negotiate generous profit-sharing deals.
The version of DarkSide ransomware spotted last November, for example, included the ability to encrypt Linux systems as well as Windows, with the Linux capability likely appealing to big game hunters, Sophos said.
DarkSide operators adjust the share of each ransom they keep to encourage affiliates to take down larger targets. “Based on forum ads, this percentage starts at 25% for ransom fees less than $500,000 and decreases to 10% for ransom fees greater than $5 million,” meaning affiliates keep 75-90% of every successful ransom payment, FireEye’s incident response group, Mandiant, said in a blog post.
Not every potential hacker can join this crime syndicate. “DarkSide RaaS affiliates are required to pass an interview after which they have access to an administration panel,” Mandiant says. The panel allows affiliates to generate a new build of the ransomware, queue stolen content for posting to DarkSide’s dedicated data leak site, accessible only via the anonymizing Tor browser, and contact support. The capabilities allegedly offered to affiliates also include the ability to launch a distributed denial-of-service attack against victims, as well as to have a call center contact them to demand payment of the ransom.
Affiliate skill sets
Different DarkSide affiliates operate in different ways, depending on their skills.
Mandiant says it has so far identified at least five Russian-speaking affiliates, which “all relied on legitimate and commercially available tools to facilitate the various stages of their operations,” although at least one of them “also used a now-patched zero-day vulnerability”: a flaw in SonicWall’s SMA100 SSL VPN, tracked as CVE-2021-20016. The dwell time for this affiliate tended to be less than 10 days, Mandiant said, while other affiliates typically went from first accessing a victim’s network to leaving crypto-locked files and demanding a ransom in just two or three days.
Sophos notes that the five DarkSide attacks it has investigated to date all had much longer dwell times: 44 to 88 days, with a median of 45 days. “This time can vary considerably depending on the affiliate,” explains Kimberly Goody, senior manager of financial crime analysis at Mandiant Threat Intelligence.
As with almost all types of ransomware seen in the wild, DarkSide is designed not to encrypt a system that appears to be located in the Commonwealth of Independent States, which includes Russia and other countries that were part of the former Soviet Union (see: Russian Cybercrime Rule Reminder: Never Hack Russians).
In response to allegations that gang members are acting like state-sanctioned hackers, DarkSide released this statement via its website: “We are apolitical, we don’t participate in geopolitics, we don’t need to partner with a defined government and look for other motivations. Our goal is to make money, not to create problems for society.”
In the wake of the pipeline disruption, the gang also claimed it would now review all affiliates’ targets before allowing their systems to be crypto-locked (see: DarkSide’s Pipeline Ransomware Hit: Strictly Commercial?).
Continuously Refined Extortion Tactics
The DarkSide ransomware operation caused a stir in April after suggesting that it would notify stock traders in advance of the organizations it had breached, so that traders could capitalize on likely declines in share prices once the attacks became public.
New “press release” from the DarkSide ransomware actors: “About stock traders”.
So if I haven’t missed anything, this is the first ransomware group to come up with information for shorting.
– MalwareHunterTeam (@malwrhunterteam) April 22, 2021
The DarkSide operation has also proven adept at obtaining inside information from victims to strengthen its bargaining position. In one case, for example, Mandiant notes that “an attacker was able to obtain the victim’s cyber insurance policy and exploited this information during the ransom negotiation process, refusing to reduce the ransom amount given their knowledge of the policy limits.”
Overall, however, DarkSide is just one of many RaaS operations that continue to refine their extortion tactics, as well as their ability to successfully target and take down large organizations, including the occasional private operator of critical infrastructure. Unless something is done to disrupt this criminal business model, what looks bold today is likely to become even more common tomorrow.