Colonial Pipeline Breached by DarkSide Ransomware Group

5/10/2021

On Saturday, May 8, US Colonial Pipeline announced that it was the victim of a ransomware attack that affected its network on Friday, May 7.

US Colonial Pipeline is said to be the largest fuel pipeline in the United States and the main source of gasoline, diesel and jet fuel for the East Coast, providing 45% of all fuel consumed on the East Coast.

To contain the threat, the company took certain systems offline. These actions temporarily halted all pipeline operations and affected some of its IT systems. The company said that it has remained in contact with law enforcement and other federal agencies, including the Department of Energy, which is leading the Federal Government response.

ARETE DARKSIDE RANSOMWARE GROUP ANALYSIS

Arete Incident Response has worked on multiple breach response engagements associated with the DarkSide ransomware group. The following are statistics and metrics from our DFIR engagements associated with this threat:

    • Sectors affected
      • Critical Infrastructure
      • Manufacturing
      • Professional Services
      • Public Service
      • Financial Services
      • High Technology/Engineering/Social Media
      • Retail
    • Average ransom demand in US dollars: 2,720,909
      • The highest ransom demand Arete observed has been 12 million dollars
    • Average ransom paid in US dollars: 1,548,509
    • Data exfiltration has been observed in 80% of the cases

FBI RESPONSE AND RECOMMENDATIONS

Today, the FBI announced on its Twitter page that the DarkSide ransomware is confirmed to be the malware affecting Colonial Pipeline:

Source: https://twitter.com/FBI/status/1391783864016703493

The FBI also released FBI FLASH alert MU-000146-MW, coordinated with DHS-CISA and the Department of Energy. The alert confirms press reporting on DarkSide infecting a critical infrastructure company in the United States and describes DarkSide as a ransomware-as-a-service (RaaS) variant, in which criminal affiliates conduct the attacks and the proceeds are shared with the ransomware developer(s). It also mentions that DarkSide has impacted numerous organizations across various additional sectors, including manufacturing, legal, insurance, healthcare, and energy.

Recommended Mitigations by the FBI:

    • Back up data regularly, keep offline backups, and verify integrity of backup process.
    • Keep software updated. Install software patches so that attackers cannot take advantage of known problems or vulnerabilities.
    • Use two-factor authentication and strong passwords.
    • Audit logs for all remote connection protocols.
    • Audit logs to ensure all new accounts were intentionally created.
    • Scan for open or listening ports and disable SMBv1.
    • Consider disabling RDP if it is not being used.
    • Ensure anti-virus and anti-malware solutions are set to automatically update and regular scans are conducted.
    • Implement application whitelisting. Only allow systems to execute programs known and permitted by security policy.
    • Monitor Active Directory and local administrators group changes.
    • Maintain only the most up-to-date version of PowerShell and uninstall older versions.
    • Enable PowerShell logging and monitor for unusual commands, especially execution of Base64 encoded PowerShell.
    • Turn off the option to automatically download attachments. To simplify the process of reading email, many email programs offer the feature to automatically download attachments. Check your settings to see if your software offers the option and disable it.
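
As an added illustration of the recommendation to monitor for Base64-encoded PowerShell (this is not code from the FBI alert or from Arete), the following Python example flags PowerShell command lines that use an abbreviated or full `-EncodedCommand` flag and decodes the payload for analyst review. It assumes command lines have already been exported from process-creation or PowerShell logs as plain strings; the function names and the sample lines are constructed for this example.

```python
import base64
import binascii
import re

# "-name value" pairs on a command line; "/" is tolerated as a prefix too.
PARAM = re.compile(r"(?:^|\s)[-/]([A-Za-z]+)\s+([A-Za-z0-9+/=]+)")
PS_IMAGE = re.compile(r"(?i)\b(?:powershell|pwsh)(?:\.exe)?\b")

def is_encoded_flag(name):
    # PowerShell accepts abbreviations of -EncodedCommand (-e, -en, -enc, ...)
    # and the alias -ec, so match any prefix rather than the full name.
    name = name.lower()
    return name == "ec" or "encodedcommand".startswith(name)

def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline starts PowerShell with a Base64
    -EncodedCommand argument, otherwise None."""
    if not PS_IMAGE.search(cmdline):
        return None
    for name, value in PARAM.findall(cmdline):
        if not is_encoded_flag(name):
            continue
        try:
            # -EncodedCommand carries Base64 of a UTF-16LE string.
            return base64.b64decode(value, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return "<undecodable payload>"  # malformed, still worth review
    return None

def scan(cmdlines):
    """Return (command line, decoded script) for each encoded invocation."""
    hits = []
    for line in cmdlines:
        decoded = decode_encoded_command(line)
        if decoded is not None:
            hits.append((line, decoded))
    return hits

# Constructed sample input: a harmless command encoded the way PowerShell expects.
B64 = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
CONSTRUCTED_CMDLINES = [
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -enc " + B64,
    "powershell -WindowStyle Hidden -NoP -e " + B64,
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    "notepad.exe -e " + B64,
]

if __name__ == "__main__":
    for line, decoded in scan(CONSTRUCTED_CMDLINES):
        print(f"encoded PowerShell -> {decoded!r} | {line}")
```

Legitimate management tools also use encoded commands, so hits are best triaged on the decoded content and the parent process rather than blocked outright.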

Arete strongly recommends the use of advanced behavioral endpoint detection and response (EDR) technology to counter ransomware attacks! Advanced behavioral EDR systems should include artificial intelligence (AI) and machine learning (ML).