The alert concerns the major cyberattack on Colonial Pipeline

May 13, 2021 10:14 GMT

Following a devastating ransomware attack on Colonial Pipeline, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory.

The alert was published on Tuesday and contains information on DarkSide, the ransomware operation whose developers run it as Ransomware-as-a-Service (RaaS).

DarkSide ransomware was used in the recent cyberattack on Colonial Pipeline. The fuel giant said on Friday that a cyberattack had forced the company to halt pipeline operations and temporarily take certain IT systems offline to contain the incident.

Colonial Pipeline has yet to fully recover, and the FBI became involved because the attack targeted a critical infrastructure operator.

The alert states: "Cybercriminal groups use DarkSide to gain access to a victim's network to encrypt and exfiltrate data."

"These groups then threaten to expose data if the victim does not pay the ransom. Groups leveraging DarkSide have recently been targeting organizations across various CI sectors including manufacturing, legal, insurance, healthcare, and energy."

DarkSide modus operandi

DarkSide is offered to affiliates under a RaaS model (also known as a ransomware affiliate scheme): the developers build and maintain the malware, and affiliates carry out the intrusions and deploy it. The model is popular among cybercriminals because only a small core team is needed to develop the malware.

RaaS may be sold as a subscription. Another arrangement gives the developers a cut of the proceeds whenever an affiliate's victim pays a ransom. In exchange, the developers keep improving their malware.

DarkSide cultivates a Robin Hood image: its terms of service for affiliates state that medical facilities, care homes, and palliative care providers are not to be targeted.

Both agencies stated that they do not encourage paying a ransom to criminal actors. Paying a ransom encourages other bad actors to distribute ransomware and emboldens adversaries to target additional organizations.

The FBI and CISA say the best defense against ransomware is prevention: following established best practices to protect against attacks before they happen.