Colonial Ransomware Attack

On Friday 7th May 2021, Colonial, the largest gasoline pipeline operator in the USA, shut down all of its operations after a ransomware attack. The pipeline carries 2.5 million barrels a day - 45% of the East Coast's supply of diesel, petrol, and jet fuel. On Monday, the FBI officially confirmed that DarkSide was responsible for compromising Colonial Pipeline's networks. The gang stole almost 100 gigabytes of data, threatening to leak it onto the internet. This threat group is known for its double ransom technique, in which the victim’s data is not only encrypted and held for ransom but is first stolen, with the threat of it being made public if the victim refuses to pay. This undermines data backups as a remediation tactic, because the victim still has to pay in order to avoid the release of sensitive data. In the past, the group has leaked information belonging to multiple targets.

Once established within the victim’s organization, the threat actor steals sensitive information and sends it out of the network before deploying the encryption payload. The ransomware uses multiple stealth techniques in the initial stages of the attack to stay under the radar. Some common stealth techniques used in the early part of the attack are:
  • Command and control over TOR
  • Avoiding nodes where EDR is running
  • Waiting periods and saving noisier actions for later stages
  • Customized code and connection hosts for each victim
  • Obfuscation techniques like encoding and dynamic library loading
  • Anti-forensics techniques including deleting log files

During the later stages of the attack the malware performs actions such as:
  • Harvesting credentials stored in files, in memory, and on domain controllers
  • Utilizing file shares to distribute attack tools and store file archives
  • Relaxing permissions on file shares for easy harvesting
  • Deleting backups, including shadow copies
  • Deploying customized ransomware
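
As an added illustration (not part of the original advisory), the sketch below flags three of the behaviours listed above in process-creation logs: shadow copy deletion, log clearing, and relaxing share permissions. The sample events are constructed, the function names are hypothetical, and the command patterns are commonly documented Windows utility invocations assumed for the example rather than taken from this page.

```python
import re
from collections import defaultdict

# Constructed process-creation records (host, command line), shaped like the
# command-line field of Sysmon Event ID 1 or Windows Security Event ID 4688.
SAMPLE_EVENTS = [
    ("FS01", "vssadmin.exe Delete Shadows /All /Quiet"),
    ("FS01", "wevtutil.exe cl Security"),
    ("WS17", "notepad.exe C:\\Users\\a\\notes.txt"),
    ("DC02", "wmic shadowcopy delete"),
    ("WS22", "vssadmin list shadows"),  # benign inventory query, must not match
    ("FS01", "net share Finance=D:\\Finance /GRANT:Everyone,FULL"),
]

# Assumption: these patterns are well-known Windows utility invocations chosen
# for illustration; the advisory itself names behaviours, not commands.
RULES = [
    ("shadow_copy_deletion", re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("event_log_clearing", re.compile(
        r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b|\bClear-EventLog\b", re.I)),
    ("share_permission_relaxed", re.compile(
        r"\bnet1?(\.exe)?\s+share\s+.*/grant:\s*everyone\s*,\s*full", re.I)),
]

def detect(events):
    """Return (host, rule_name, command_line) for every rule hit."""
    return [(host, name, cmd)
            for host, cmd in events
            for name, pattern in RULES
            if pattern.search(cmd)]

def hosts_to_escalate(findings, min_behaviours=2):
    """Hosts showing several distinct behaviours are the strongest signal
    that encryption is being staged, so they are triaged first."""
    seen = defaultdict(set)
    for host, name, _ in findings:
        seen[host].add(name)
    return {h: sorted(b) for h, b in seen.items() if len(b) >= min_behaviours}

if __name__ == "__main__":
    findings = detect(SAMPLE_EVENTS)
    for host, name, cmd in findings:
        print(f"{host}: {name}: {cmd}")
    print("escalate:", hosts_to_escalate(findings))
```

Because these actions come late in the attack, a hit should be treated as an active incident rather than a routine alert.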

Initial access:
The group is known to use compromised credentials for remote access services such as RDP. In some cases, it exploits a server vulnerability and immediately sets up standby RDP access in case the server is patched. This underlines the need to deploy multi-factor authentication for all internet-facing accounts and to rapidly patch internal and internet-facing systems.

SecurityAdvisor Employee Tips:
  • Apply strong conditional access policies for remote desktop applications and infrastructure.
  • Regularly patch all public-facing servers for OS and application vulnerabilities.
  • Use complex, strong passwords and change them on a periodic basis.
 
