Critical infrastructure has increasingly become a top target for cybercriminals. Recently, we learned of the ransomware attack against a US fuel company, Colonial Pipeline, that carries nearly half the fuel consumed along the US East Coast. It is one of the largest disruptions of US critical infrastructure by a cyberattack in history. Moreover, it is a startling reminder of how vulnerable everything from our power grid to our water supply remains if we do not bolster our defences.
“This attack will not be an isolated incident. We will continue to see destructive cyberattacks against industrial control system (ICS) environments, with energy, oil, gas and manufacturing companies as top targets for cybercrime cartels. These groups will leverage ransomware as a means of inflicting kinetic damage in the real world,” said Tom Kellermann, head of cybersecurity strategy at VMware.
The FBI attributed the cyberattack to DarkSide, a group believed to be based in Eastern Europe. The VMware Threat Analysis Unit (TAU) analysed DarkSide in February and found that the group customises the ransomware binary for each targeted enterprise. Like other ransomware variants, it uses PowerShell to delete volume shadow copies so that data cannot be restored easily. VMware TAU also identified DarkSide actively looking for affiliates to add to its operation via a dark web listing.
Recent research from Digital Shadows provides an analysis of the DarkSide ransomware operation. While attribution is important, it is also necessary to understand the tactics, techniques and procedures used during the pre-infection and post-infection phases of ransomware, focusing on the behaviours rather than the “who.”
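The shadow-copy deletion behaviour described above is one of the behaviours a defender can alert on regardless of which group is behind the binary. The following is an added example, not code from the original article or from VMware TAU: a small Python detector run over constructed Sysmon-style process-creation lines, matching the common ways shadow copies are deleted (vssadmin, wmic, and PowerShell against Win32_ShadowCopy) while ignoring the benign "list shadows" query.

```python
import re

# Constructed sample log lines in a Sysmon Event ID 1 (process creation) style.
# They are not real telemetry; only the CommandLine field is inspected below.
SAMPLE_LOGS = [
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin list shadows"',
    'EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell -ep bypass Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"',
    'EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd /c vssadmin Delete Shadows /All /Quiet"',
    'EventID=1 Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine="wmic shadowcopy delete"',
    'EventID=1 Image=C:\\Windows\\explorer.exe CommandLine="explorer.exe"',
]

# Detection rules: a name plus a case-insensitive regex applied to the normalised command line.
# The PowerShell rule catches both the WMI .Delete() call and the Remove-WmiObject/Remove-CimInstance forms.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("powershell_win32_shadowcopy_delete",
     re.compile(r"win32_shadowcopy.*?(\.delete\(|remove-(wmi|cim)(object|instance))", re.I)),
]


def command_line(line):
    """Pull the quoted CommandLine value out of a key=value log line ("" if absent)."""
    m = re.search(r'CommandLine="(.*)"', line)
    return m.group(1) if m else ""


def normalise(cmd):
    """Collapse runs of whitespace so padded or tab-separated variants still match."""
    return re.sub(r"\s+", " ", cmd).strip()


def detect_shadow_copy_deletion(lines):
    """Return (line_index, rule_name) for every line whose command line matches a rule.

    The first matching rule wins, so each line is reported at most once.
    """
    hits = []
    for idx, line in enumerate(lines):
        cmd = normalise(command_line(line))
        for name, rx in RULES:
            if rx.search(cmd):
                hits.append((idx, name))
                break
    return hits


if __name__ == "__main__":
    for idx, name in detect_shadow_copy_deletion(SAMPLE_LOGS):
        print(f"line {idx}: {name} -> {command_line(SAMPLE_LOGS[idx])}")
```

In a real deployment the same rules would be applied to Sysmon process-creation events and to PowerShell script block logs (Event ID 4104), since a script that is decoded in memory never appears as a command-line argument.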
The Rise in Secondary Extortion and RaaS
Ransomware groups have widely adopted double extortion as a core tactic to ensure profitability. Nearly 40% of security professionals said double-extortion ransomware was the most observed new ransomware attack technique in 2020.
Cybercriminals take time to quietly exfiltrate sensitive information from the organisation. This gives them steadily growing leverage over their victims: organisations must pay not only to decrypt their content but also to prevent potentially harmful data from being sold or otherwise publicly disclosed. This significantly increases the impact and damage that ransomware groups can inflict upon their victims. It also sends a stark warning to others to protect their networks from this ever-evolving threat. To understand modern cybercrime, defenders must account for this as part of their security and resiliency programs.
RaaS and affiliate programs on the rise
Ransomware-as-a-service (RaaS) has exploded in popularity on the crimeware forums, and cybercriminals are finding new and unique ways to deploy ransomware across organisations. One of them mirrors how spies are recruited for espionage against government agencies: regular, everyday people with access to high-value targets are recruited to deploy malware. Often, they are lured with offers of significant sums of money or even a percentage of the ransomware payout. Some groups offer hundreds of thousands of dollars per victimised organisation.
Affiliate programs and partnerships between ransomware groups have also become common alongside the general recruiting of insiders. These affiliate programs look to partner with initial access brokers, criminals who specialise in breaking into organisations and then sell that direct access to ransomware gangs, who use it to improve their tradecraft, furthering their reach and overall profitability.
As demonstrated by DarkSide’s post looking for affiliate partners, the global pandemic has empowered cybercriminals to work together, capitalising on the expanding attack surface. Ultimately, this attack only confirms what security professionals have known for years: defenders must continue to work to stay one step ahead of attackers.
Four Cybersecurity Best Practices
Here are four best practices from VMware TAU for organisations looking to protect against the increase in ransomware attacks:
Continue to address ineffective legacy security technology and process weaknesses
Legacy security solutions and process weaknesses continue to pose a significant risk to organisations. The shift to an anywhere workforce has quickly expanded the threat landscape. As we emerge from the immediate response phase and begin to see the shape of the long-term future, organisations must identify the critical changes to processes and technology needed to support remote and hybrid workers to work securely and reduce risk.
Deliver security as a distributed service
The world is a more complicated place today. There is an increasing number of remote workers, who connect to applications running on infrastructure that may or may not be managed, owned or controlled by the company. This creates many new surfaces and different types of environments to defend.
It means that security cannot be delivered as a litany of point products and network choke points. Instead, endpoint and network controls must be delivered as a distributed service: security that follows the assets being protected, no matter what type of environment you have.
Adopt an intrinsic approach to cloud-first security
Moving to the cloud is not a security panacea. Not all clouds are equal, and controls need to be vetted because if adversaries want to attack at scale, the cloud is the place to do it. As cloud adoption builds momentum, investment in public cloud security will be critical.
When you move to a public cloud, you’re moving to a very tough neighbourhood. Security is contingent on your actions and those of your neighbours. You may be able to secure your resources, but you have no control over those sharing that environment with you. Organisations must prioritise securing cloud workloads at every point in the security lifecycle as the great cloud shift continues.
Engage with and have an IR partner on retainer
When it comes to cyberattacks, it’s no longer a matter of if but when organisations will be targeted. A great first step is to reach out to an incident response partner to ensure that you are prepared.
VMware Carbon Black is a leader in cloud-native endpoint protection dedicated to keeping the world safe from cyberattacks. The VMware Carbon Black Cloud consolidates endpoint protection and IT operations into an endpoint protection platform (EPP) that prevents advanced threats, provides actionable insight and enables businesses of all sizes to simplify operations. By analysing billions of security events per day across the globe, VMware Carbon Black has key insights into attackers’ behaviours, enabling customers to detect, respond to and stop emerging attacks.
More than 6,000 global customers, including approximately one-third of the Fortune 100, trust VMware Carbon Black to protect their organisations from cyberattacks. The company’s partner ecosystem features more than 500 MSSPs, VARs, distributors and technology integrations, as well as many of the world’s leading IR firms, who use VMware Carbon Black’s technology in more than 500 breach investigations per year.