26. Are You Sure It's Handled?

Are you backing up your WEBSITE?
UPDATE to last week's Headlines:
DarkSide ransomware breach on Colonial Pipeline: what happened and the repercussions, discussed after our tech tip

This Week's Security Tip:
While most businesses understand the importance of backing up their server and files, many forget to back up their website!

Most sites are hosted on a third-party platform like HostGator or WordPress. However, these hosts limit what they back up, and the Terms and Conditions you agreed to most likely waive their responsibility to preserve and back up your files and data.

Therefore, if you're posting a lot of new content, you should be backing up your site weekly, if not daily. Hackers can (and do!) corrupt websites all the time. If you don't want to bear the cost of a down website plus the cost of rebuilding it, back up your website!
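One way to put the tip into practice, as an added example that is not part of the newsletter: a small POSIX shell script that archives a site's files (and, if configured, its database), writes a checksum so a restore can be trusted, and prunes old copies. The directory paths, the environment variable names and the mysqldump step are assumptions for illustration; adapt them to your host and run the script from cron daily, as the tip suggests.

```shell
#!/bin/sh
# Added example, not from the newsletter. Assumed layout (hypothetical):
#   SITE_DIR   - directory holding the site's files
#   BACKUP_DIR - where archives are kept (ideally on a different host than the web server)
#   DB_NAME    - optional MySQL/MariaDB database to dump alongside the files
#   KEEP_DAYS  - how many days of archives to retain
SITE_DIR="${SITE_DIR:-/var/www/example-site}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/website}"
DB_NAME="${DB_NAME:-}"
KEEP_DAYS="${KEEP_DAYS:-14}"

# backup_site SITE DEST [STAMP]
# Packs SITE into DEST/site-STAMP.tar.gz, dumps the database if DB_NAME is set,
# writes a SHA-256 checksum next to the archive and prints the archive path.
backup_site() {
  site="$1"; dest="$2"; stamp="${3:-$(date -u +%Y%m%dT%H%M%SZ)}"
  [ -d "$site" ] || { echo "backup_site: no such directory: $site" >&2; return 1; }
  mkdir -p "$dest" || return 1
  archive="$dest/site-$stamp.tar.gz"
  # -C keeps paths inside the archive relative, so a restore does not depend on
  # the original absolute path of the site
  tar -czf "$archive" -C "$(dirname "$site")" "$(basename "$site")" || return 1
  if [ -n "$DB_NAME" ]; then
    command -v mysqldump >/dev/null 2>&1 || { echo "mysqldump not found" >&2; return 1; }
    # --single-transaction gives a consistent snapshot of InnoDB tables without locking writers
    mysqldump --single-transaction "$DB_NAME" | gzip > "$dest/db-$stamp.sql.gz" || return 1
  fi
  ( cd "$dest" && sha256sum "site-$stamp.tar.gz" > "site-$stamp.tar.gz.sha256" ) || return 1
  echo "$archive"
}

# verify_backup ARCHIVE
# A backup nobody has checked is a hope, not a backup: confirm the checksum
# still matches and that tar can read the archive before relying on it.
verify_backup() {
  archive="$1"
  ( cd "$(dirname "$archive")" && sha256sum -c --quiet "$(basename "$archive").sha256" ) || return 1
  tar -tzf "$archive" >/dev/null 2>&1
}

# prune_backups DEST DAYS
# Removes archives, their checksums and database dumps older than DAYS days,
# so the backup disk does not silently fill up and stop new backups.
prune_backups() {
  dest="$1"; days="$2"
  find "$dest" -type f \( -name 'site-*.tar.gz*' -o -name 'db-*.sql.gz' \) \
       -mtime +"$days" -exec rm -f {} +
}

# Run directly, e.g. from a daily cron job:  sh backup_site.sh run
if [ "${1:-}" = "run" ]; then
  archive=$(backup_site "$SITE_DIR" "$BACKUP_DIR") || exit 1
  verify_backup "$archive" || { echo "backup failed verification: $archive" >&2; exit 1; }
  prune_backups "$BACKUP_DIR" "$KEEP_DAYS"
fi
```

Keep the archives somewhere the web server cannot overwrite them: if the site is compromised and the attacker can reach the backup directory, the backups go down with it. Copying the verified archive to a separate host or offline storage is the step that makes the backup useful after the kind of corruption the tip describes.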

Today's Headlines:
DarkSide Ransomware Breach on Colonial Pipeline

The first DarkSide ransomware attacks were all owner-operated, but after a few successful months, the owners began to expand their operations. On November 10, DarkSide operators announced on the Russian-language forums XSS and Exploit the formation of their new DarkSide affiliate program, providing partners with a modified form of their DarkSide ransomware to use in their own operations.

It’s worth noting that DarkSide actors have pledged in the past to not attack organizations in the medical, education, nonprofit, or government sectors. At one point, they also advertised that they donate a portion of their profit to charities. However, neither claim has been verified and should be met with a heightened degree of scrutiny; these DarkSide operators would be far from the first cybercriminals to make such claims and not follow through.
DarkSide Operators Likely Former “REvil” Affiliates
Flashpoint assesses with moderate confidence that the threat actors behind DarkSide ransomware are of Russian origin and are likely former affiliates of the “REvil” RaaS group. Several facts support this attribution:
  • Spelling mistakes in the ransom note and grammatical constructs of the sentences suggest that the writers are not native English speakers.
  • The malware checks the default language of the system to avoid infecting systems based in the countries of the former Soviet Union.
  • The design of the ransom note, wallpaper, file encryption extension and details, and inner workings bear similarities to “REvil” ransomware, which is of Russian origin and has an extensive affiliate program. This shows the evolution path of this ransomware and ties it to other Russian-origin ransomware families.
  • The affiliate program is offered on Russian-language forums XSS and Exploit.
  • Thursday, May 6, 2021 – Hackers launch Colonial Pipeline cyberattack: 100 gigabytes of data stolen before computers were locked with ransomware and payment demanded (original amount undisclosed, estimated ~$100 million). Breached through a phishing attack. Encrypted the sales and billing network. Colonial then hired FireEye.
  • Friday, May 7, 2021: Colonial Pipeline paid $4.4 million to Eastern European hackers on May 7, 2021, contradicting reports that the company had no intention of paying an extortion fee to help restore the country's largest fuel pipeline.
  • Saturday, May 8, 2021: U.S. Government Assists Attack Response: Colonial Pipeline, unnamed U.S. companies and several U.S. government organizations (including the White House, the FBI, CISA and NSA) shut off key servers operated by the hackers. The steps stopped the flow of stolen Colonial Pipeline data from the United States to alleged hacker locations in Russia.
  • Monday, May 10, 2021: Alleged Russia Connection: President Biden directly blamed Russia for the Colonial Pipeline attack as a "state hack", then in a later statement walked it back and suggested that Russia may deserve some blame for the attack since the hackers and/or their software are allegedly located within Russia's borders.
    FBI Statement: The FBI confirmed that DarkSide ransomware is responsible for the compromise of the Colonial Pipeline networks.
    Secretary of Energy issues an emergency waiver, allowing gasoline that does not meet EPA emissions standards to be stored, moved, and sold. 3 million barrels (125mil gallons) not meeting EPA emissions guidelines came in on May 11th. It was not reported how much was obtained over the full EPA emissions waiver window, which runs to May 18th.
  • Tuesday, May 11, 2021: CISA-FBI Advisory: CISA and the FBI issued a cybersecurity advisory that described DarkSide ransomware and associated risk mitigation strategies.
    Colonial Pipeline's Website Offline: The company's site was offline for a portion of the day.
    Colonial Pipeline Statement 5: The company described alternative fuel shipping strategies that are now in place amid the effort to safely restore the pipeline.
  • Wednesday, May 12, 2021: Colonial Pipeline Restarts Pipeline Operations: The restart began at about 5:00 p.m. ET, though the company indicated it will take several days for the delivery supply chain to return to normal. The update did not mention the cyber incident investigation.
  • Thursday, May 13: Full system restart
    Biden signs an Executive Order that: removes contractual terms that may limit "information sharing" with CISA, NSA and the FBI; requires service providers (including cloud service providers) to preserve data it will name later, provide that data, and share all related information, including proprietary network and security information, with the federal government; and begins the move toward a zero-trust framework for the federal government, as practical. It also creates a Cyber Safety Review Board, to convene after "major" incidents, made up of the FBI, DOJ, DOD, NSA and select private-sector members, and appoints a National Cyber Director. It also requires FCEB networks to employ tools for host-level visibility, attribution, and response, without authorization.
  • May 15th: Biden spoke with Putin, blamed him for the SolarWinds hack and 2020 election interference, and imposed sanctions and the expulsion of diplomats.

Next Week's Teaser:
Lie, lie, lie!

Call to Action:
We talk a lot about stupid (nothing bad ever happens to me; head in the sand; too busy; I’ll do it later). So what’s smart? Taking this seriously TODAY. Book a 10-minute Discovery Call right now. I’ll ask some key questions and give you a quick score. If you’re doing everything right, you can sleep better at night. If there’s room for improvement, we’ll discuss options. NO PRESSURE, NO STRINGS. JUST BOOK THE CALL!