Exposing the dark side of the Colonial Pipeline attack – Three lessons for APAC organisations

When we think of the term ‘as-a-service’, we usually think of cloud computing and the way it lets organisations consume IT infrastructure without having to build and run it themselves.

But the term has also been adopted by technology’s greatest foe, cybercriminals. The DarkSide group has popularised the term ‘Ransomware-as-a-Service’ (RaaS).

Much like the software-as-a-service model, RaaS lets ransomware developers lease their malware to other criminals, typically in return for a share of each ransom. This adds a new dimension to the threat: by simply signing up for the service, anybody can launch a ransomware attack with little or no technical knowledge.

Furthermore, what makes RaaS attacks hard to prevent is that they are a coordinated effort by multiple parties. The model is ‘divide and conquer’, playing to the strengths of each participant: experienced malware writers develop and maintain the ransomware code, while affiliates who specialise in gaining access to networks deploy it.

RaaS has proven successful and is believed to be behind the Colonial Pipeline attack, perpetrated by DarkSide. The impact was far reaching, disrupting fuel supply, transportation and prices along the US East Coast. Imagine being unable to drive your car because no fuel is available: the disruption reaches all the way down to an individual’s day.

In the last few years, Asia Pacific’s critical infrastructure has not been spared by cybercriminals. In 2019 alone there were two major incidents in the region that threatened power supply: in February, a cyber sabotage group was revealed to be targeting electric utilities in Asia Pacific, and in September the IT network of the largest nuclear power plant in India was compromised.

The RaaS model lowers the barrier to entry for cybercriminals and so increases the likelihood of ransomware attacks. To that end, the Nozomi Networks Labs team has studied the inner workings of DarkSide and RaaS and identified three lessons that can help organisations in Asia Pacific avoid Colonial’s fate.

  1. Not all files are equal

Once the ransomware is launched, the malware starts by collecting basic information about the host to understand the technical environment it is running in.

The malware first checks the system’s language settings for an indication of the victim’s geographical location. To avoid drawing the attention of law enforcement at home, operators usually steer clear of victims in their own region. In the case of DarkSide, systems configured with Russian or other Eastern European languages are likely to be left alone, reflecting the group’s home base.

Once the host passes that check, the malware decides which files to encrypt. Encrypting everything may seem the logical approach, but it would also cripple the operating system, leaving the victim with no working machine on which to read the ransom note or contact the attackers and pay, rendering the attack pointless.

Encrypting everything also takes far longer, giving defenders more time to notice the malware before the attacker is ready to be discovered.

DarkSide is selective about files. It sifts through the environment for the files worth encrypting, a process driven mainly by their directories, names and extensions. Those attributes indicate the nature and importance of each file, and the malware skips what Windows needs to keep running while focusing on the ‘crown jewels’ the victim cannot work without.

  2. Anonymity is key

Anonymity is an essential tool for a cybercriminal. Once their locations, servers and other infrastructure are known, it is comparatively easy for authorities to shut the operation down.

DarkSide, like many other ransomware gangs, uses Tor, the open-source anonymity network, to hide the infrastructure it uses to communicate with and extort victims.

Furthermore, the malware interacts with the Windows operating system in a deliberately unusual way. Ordinary programs call Windows API functions through an import table that lists, in plain text, every function the binary uses, so a scanner can read from the file on disk exactly what it is capable of. For ransomware, that kind of visibility would quickly alert even basic security tooling and the game would be over.

To avoid this, DarkSide does not import most of the functions it needs. It resolves them dynamically at run time, looking each one up either by a hash of the function name or by a name that is stored encrypted and decoded only at the moment of use. The plain-text API names never appear in the binary. Nothing about this is forbidden by the operating system; it merely departs from how normal programs are built, which is exactly why import-based checks fail to notice it.
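The following is an added example in Python, not code from the article, from Nozomi Networks or from DarkSide, showing both sides of the technique just described: how a loader resolves an API from a hash constant instead of a plain-text name, how an encrypted name is decoded only at the moment of use, and how an analyst reverses the hashing by pre-hashing a dictionary of known export names. The ROR-13 hash, the export list and the XOR key are generic stand-ins chosen for illustration; DarkSide’s actual hash algorithm and tables are not reproduced here.

```python
def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def api_hash(name: str) -> int:
    """Classic ROR-13 hash over the ASCII export name plus its NUL terminator.
    Many loaders use some variant of this; the rotation count and seed differ per family
    (this is a generic illustration, not DarkSide's algorithm)."""
    h = 0
    for byte in name.encode("ascii") + b"\x00":
        h = (ror32(h, 13) + byte) & 0xFFFFFFFF
    return h


# Constructed stand-in for a module's export table (a few kernel32/advapi32 names).
# A real resolver walks the PE export directory of the loaded module in memory.
EXPORTS = [
    "CreateFileW", "WriteFile", "ReadFile", "VirtualAlloc", "VirtualProtect",
    "GetProcAddress", "LoadLibraryA", "CryptEncrypt", "CryptAcquireContextW",
    "DeleteFileW", "FindFirstFileW", "FindNextFileW", "OpenSCManagerW", "ControlService",
]


def build_table(exports):
    """Malware side: hash every export once and keep hash -> name.
    Collisions are reported because a colliding pair would make the resolver ambiguous."""
    table, collisions = {}, []
    for name in exports:
        h = api_hash(name)
        if h in table and table[h] != name:
            collisions.append((table[h], name))
        table[h] = name
    return table, collisions


def resolve(table, wanted_hash):
    """Malware side: turn a hard-coded constant back into an export name.
    Returns None when the export is absent (e.g. the wrong module was loaded)."""
    return table.get(wanted_hash)


def xor_encode(text: str, key: bytes) -> bytes:
    """How an 'encrypted name' is stored in the binary: XOR-ed with a short key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(text.encode("ascii")))


def xor_decode(blob: bytes, key: bytes) -> str:
    """Decoded only immediately before use, so the name never sits in memory for long."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob)).decode("ascii")


def recover_names(constants, known_exports):
    """Analyst side: map hash constants pulled from a sample back to names by hashing a
    dictionary of known exports. Constants with no match stay None."""
    table, _ = build_table(known_exports)
    return {c: table.get(c) for c in constants}


def demo():
    # Constants as they would appear in a disassembly. Here they are computed from the
    # names the loader wants, standing in for values copied out of a sample; 0xDEADBEEF
    # plays the role of a constant the analyst's dictionary does not cover.
    constants = [api_hash("VirtualAlloc"), api_hash("CryptEncrypt"), 0xDEADBEEF]
    recovered = recover_names(constants, EXPORTS)
    key = b"\x5a\xa5"  # assumed key for the encrypted-name variant
    encrypted_name = xor_encode("DeleteFileW", key)
    return recovered, xor_decode(encrypted_name, key)


if __name__ == "__main__":
    names, decoded = demo()
    for constant, name in names.items():
        print(f"0x{constant:08X} -> {name}")
    print("decoded at use:", decoded)
```

Two practical consequences follow. For analysts, a pre-built table of hashes over every export of the common Windows DLLs turns each constant in the sample back into a name in one lookup, as `recover_names` does for the toy export list. For detection, a binary whose import table is almost empty yet which clearly performs file, crypto and service operations is itself a signal: legitimate software rarely hides its imports.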

  3. Back up your backups

If every organisation could simply restore the encrypted files from a backup, ransomware would lose its leverage. DarkSide therefore not only encrypts your files but also makes sure the backup copies are unusable.

While most businesses back up their data, most of those backups sit on the same system as the original files, or on storage the compromised account can reach. Unsurprisingly, DarkSide deletes backup files as soon as it finds them. The lesson in the heading is that at least one copy has to be offline or on immutable storage the attacker cannot touch, and restoring from it has to be tested before it is needed.

But it doesn’t stop there. DarkSide also stops new backups from being taken, looking up backup services and processes by name and shutting them down so that nothing recoverable remains.
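The behaviour in this lesson is visible in process-creation telemetry before the encryption starts, which is the point at which a defender can still intervene. The following detection logic is an added example in Python, not code from the article, from Nozomi Networks or from any product. The process events are constructed, the command patterns describe ransomware anti-recovery tradecraft in general rather than DarkSide’s exact command lines, and the backup service keywords are assumed placeholders to be replaced with the service names used in your own environment.

```python
import re
from collections import Counter
from typing import NamedTuple


class Finding(NamedTuple):
    technique: str
    image: str
    cmdline: str


# Constructed process-creation events (image path, command line), shaped like parsed
# Sysmon Event ID 1 or EDR telemetry. Sample data, not from any real incident.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    (r"C:\Windows\System32\wbem\WMIC.exe", "wmic shadowcopy delete"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     'powershell.exe -ep bypass -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"'),
    (r"C:\Windows\System32\bcdedit.exe", "bcdedit /set {default} recoveryenabled No"),
    (r"C:\Windows\System32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    (r"C:\Windows\System32\net.exe", "net stop BackupExecAgentBrowser /y"),
    (r"C:\Windows\System32\sc.exe", "sc stop VeeamBackupSvc"),
    # Benign look-alikes that must not fire:
    (r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
    (r"C:\Windows\System32\net.exe", "net stop Spooler"),
    (r"C:\Program Files\Backup\backup.exe", "backup.exe --run nightly"),
]

# Command-line patterns that destroy local recovery options. Generic ransomware
# tradecraft, not a claim about DarkSide's specific commands.
RULES = [
    ("shadow_copy_deletion",   re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion",   re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("shadow_copy_deletion",   re.compile(r"win32_shadowcopy.*\.delete\(", re.I)),
    ("recovery_disabled",      re.compile(r"bcdedit(?:\.exe)?.*recoveryenabled\s+no", re.I)),
    ("recovery_disabled",      re.compile(r"bcdedit(?:\.exe)?.*bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("backup_catalog_deleted", re.compile(r"wbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)", re.I)),
]

# Service stop/disable commands with the service name captured, so it can be matched
# against a watchlist of backup products. The keywords below are assumed placeholders.
SERVICE_TAMPER = re.compile(
    r"^(?:net1?(?:\.exe)?\s+stop|sc(?:\.exe)?\s+(?:stop|config|delete))\s+(\S+)", re.I)
BACKUP_SERVICE_KEYWORDS = ("veeam", "backupexec", "acronis")


def triage(events):
    """Return one Finding per (event, technique) pair; benign events yield nothing."""
    findings = []
    for image, cmdline in events:
        techniques = set()
        for technique, pattern in RULES:
            if pattern.search(cmdline):
                techniques.add(technique)
        m = SERVICE_TAMPER.match(cmdline.strip())
        if m and any(k in m.group(1).lower() for k in BACKUP_SERVICE_KEYWORDS):
            techniques.add("backup_service_tampered")
        findings.extend(Finding(t, image, cmdline) for t in sorted(techniques))
    return findings


def summarize(findings):
    """Count findings per technique."""
    return dict(Counter(f.technique for f in findings))


def assess(findings):
    """Two or more distinct anti-recovery techniques on one host is the signature of a
    ransomware deployment in progress, not an administrator freeing disk space."""
    distinct = {f.technique for f in findings}
    if len(distinct) >= 2:
        return "high"
    return "medium" if distinct else "none"


if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.technique}] {f.cmdline}")
    print("assessment:", assess(results))
```

The benign events are there on purpose: `vssadmin list shadows` and stopping an unrelated service are everyday administration, and a rule that fires on them will be tuned out within a week. Correlating several distinct techniques on one host, as `assess` does, is what separates a ransomware run from noise, and any single shadow-copy deletion on a server still deserves a ticket.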

DarkSide combines these tried and tested techniques with the RaaS model to inflict the most damage possible. It is estimated that over 40 victims have paid more than $90 million in cryptocurrency. In Colonial’s case, the company paid $4.4 million, of which around $2.3 million was later recovered by the US Justice Department.

These threats are growing globally, particularly in critical sectors. Research has shown that disclosed industrial control system (ICS) vulnerabilities increased by 44 percent, and vulnerabilities affecting the critical manufacturing sector by nearly 150 percent, in the first half of 2020. These numbers cannot be ignored, least of all in Asia Pacific, where critical infrastructure operators are increasingly targeted by cyber espionage and sophisticated attacks.

The playbook used against Colonial Pipeline is not tied to one region and can be reused anywhere in the world, Asia Pacific included. It is therefore essential for organisations to act on the three lessons above. As governments across the region accelerate their cybersecurity plans and investments, the first priority must be to protect our most critical assets.