Breaking Down the US Colonial Pipeline Attack: Insights from Cyberstanc Team at AVAR2021
The colonial pipeline ransomware attack $5 million paid, stole 100GB of Data, shut down the pipeline and website presence. It was the largest cyberattack on an oil infrastructure target in the history of the United States.
Our team started research on Darkside from an early uprising of the ransomware-as-a-Service operator and tracking all intelligence covered by the R&D center and partnered malware researcher. Since August 2020, the creators of DARKSIDE ransomware and their affiliates have launched a global crime spree affecting organizations in more than 15 countries and multiple industry verticals. They targets medical, government, education, non-profit organizations, and organizations launched shame-wall with extortion. From Virginia to Louisiana, convenience stores and corner gas stations are turning away customers as tanks tap out amid panic buying.
Association of Anti Virus Asia Researchers (AVAR) - The DarkSide of ransomware (Colonial Pipeline attack and other threats)
Speakers - Rohit bankoti and Souhardya Sardar
DarkSide operator use human-operated model of ransomware deployment as other prolific ransomware groups that have plagued businesses in recent years. This means attackers gain access to networks through a variety of methods, including stolen credentials followed by manual hacking techniques and using a variety of system administration or penetration testing tools to perform lateral movement.
STREET-SMART OPERATIONS
The goal is to map the network to identify critical servers, escalate privileges, obtain domain administrative credentials, disable and delete backups, exfiltrate sensitive data and only when the terrain is all set, deploy the ransomware to as many systems as possible in one go.
This careful and methodical approach is much more effective and harder to defend against than ransomware programs that propagate automatically through networks by using built-in routines that might fail and trip detection mechanisms. Dark Side demonstrates modern corporate techniques to lure foot soldiers
A malware developer caled "Woris", who may not have the technical skills to actually create ransomware and darkside operators help them hooked darkside custom payloads into Woris/IABs compromised account for maximizing the ransom profits.
RaaS IAB (Initial Access Brokers (IABs))
IABs provide affiliates with a seemingly infinite pool of potential victims belonging to different geographies and sectors. Affiliates typically buy corporate access from IABs for cheap and then infect those networks with a ransomware product previously obtained by the operators. They allow this business model to continuously feed on new victims cheaply and efficiently, thus making ransomware work increasingly as a corporation rather than a criminal organization.
INSIDER THREAT UPRISING
DarkSide offers customer support, YouTube tutorials and onion website. Services include providing technical support for hackers, negotiating with targets like the publishing company, processing payments, and devising tailored pressure campaigns through blackmail
Timeline
Introduction to dark side Ransomware
Explanation about attack lifecycle of dark side Ransomware
Entry, Vulnerability, Encryption, Privilege Escalation, Data Exfilitration
Tactics, Techniques and Procedures
Darkside operation workflows such as initial access, stagers, Initiate encryption and Clean up routine
Scrutiny detects darkside sample without rely on signatures
Demonstrate crypto caging process
Simulation and technical analysis of whole darkside operations
Website Reference
https://aavar.org/avar2021/index.php/agenda/
US Colonial pipeline attack timeline at AVAR2021
CONFERENCES & PRESENTATIONS
AVAR conducts conferences and conclaves to enable networking and information sharing along with conducted events. They conducted events during the year 2021, When - 2nd to 3rd December 2021
Theme - Cybersecurity in Peril: The Changing State of Threat Actors
AVAR2021 MISSION
Organizing and hosting AVAR annual conference and seminar on anti virus issues.
Providing information on computer virus incidents through Asia on AVAR website.
At Cyberstanc, we are committed to ensuring a safer and more secure digital world for all.
Apart from our Vortex platform, we also provide the RIPx scanner and threat intelligence service. This powerful service is designed to provide real-time threat detection and analysis, using cutting-edge technology and threat intelligence. It has already been consumed by product-based companies, Auditors, Pen-tester and our threat intelligence partners and OEM clients providing them with comprehensive detection mechanism.
Is your organization prepared to face the ever-evolving cyber threats? Schedule a demo or a meeting with us now and take the first step towards a more secure future.