What is DarkSide ransomware? And how to protect against it

In May 2021, Colonial Pipeline, which carries refined fuel from Texas to states as far north as New York, shut down its pipeline. News spread quickly, and panic buying caused widespread gasoline shortages. The U.S. government declared a state of emergency that eased restrictions on transporting petroleum products by road through the affected states. Subsequent investigation showed that the shutdown resulted from an attack on Colonial Pipeline's IT network, including its billing system, by a ransomware group known as DarkSide, believed to operate out of Russia.

The DarkSide group made $4.4 million in ransom from the Colonial Pipeline attack. Most ransomware follows the same basic pattern: breach the network, encrypt data to lock out the users, and demand payment under threat of publishing or destroying the data. One notable attribute of DarkSide is that it operated as ransomware-as-a-service (RaaS): the developers leased their malware to other cybercriminals, known as affiliates, who carried out the intrusions. RaaS means that more people can use the same tooling to launch attacks at once.

Since then, the DarkSide gang appears to have broken up after being targeted by authorities. However, a recent report from Symantec shows that the technology it developed continues to be used and has grown in functionality. Symantec's researchers attribute the successor to a group they track as Coreid (also known as FIN7 and Carbon Spider), which continues to provide and build upon RaaS and threatens many organizations.
What Is DarkSide ransomware?

DarkSide ransomware is malware used mainly against large, high-revenue organizations that can afford to pay large ransoms to regain access to their systems. It both encrypts an organization's files and steals sensitive data from them.

DarkSide first appeared in August 2020 and was updated to version 2.0 in March 2021. Its operators typically practise double extortion: the victim pays once for a decryptor to recover the encrypted systems, and is then pressured to pay again to keep the stolen data from being published.

DarkSide intrusions combine several attack techniques. Initial access often begins at Remote Desktop Protocol (RDP), the service that provides remote control of Windows systems: by brute-forcing passwords and exploiting known vulnerabilities, the attackers breach the network and, once those exposed services are compromised, gain a foothold inside it.

From that foothold the attackers escalate privileges to gain the rights needed to access and control sensitive data, bypassing User Account Control and similar access-control mechanisms until they hold the highest level of access on the system. With that level of access they can lock every user out. Finally, the operators routinely impair defenses so that the intrusion is harder to detect and trace: depending on the variant, the malware disables security software and may clear the event logs.

TWO VULNERABILITIES CONTRIBUTING TO DARKSIDE RANSOMWARE'S SUCCESS:
CVE-2019-5544
CVE-2020-3992

Part of DarkSide's success rests on two vulnerabilities in OpenSLP as shipped in VMware ESXi, the hypervisor many enterprises run at the core of their IT infrastructure: CVE-2019-5544, a heap overwrite, and CVE-2020-3992, a use-after-free. Both allow remote code execution on the ESXi host. Patches are available for both, and VMware also documents disabling the SLP service on hosts that do not need it, yet many organizations continue to run unpatched versions and remain exposed to a DarkSide attack.

What Is Noberus ransomware?

Noberus ransomware was first seen in November 2021, deployed by Coreid, and is widely regarded as the successor to DarkSide.

Noberus adds several features over the original malware. Coreid claims that it can encrypt files with either the ChaCha20 or the AES algorithm and that it runs on multiple operating systems, including Windows.

Like its predecessor, Noberus is sold as ransomware-as-a-service: affiliates pay Coreid a percentage of each ransom for the right to use the malware against unsuspecting businesses. The threat is real. According to Symantec, "there's no doubt that Coreid is one of the most dangerous and active ransomware developers at the moment."
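The defense-impairment step described in the DarkSide section above (disabling security software, clearing event logs) is also the noisiest part of the intrusion from a defender's point of view, and a small detector over process-creation telemetry can catch it. The following is an added example, not code from the article, from Symantec or from any vendor product. It runs a handful of regex rules over a constructed sample of process-creation events; the one-line event format, the host and user names, the rule list and the ten-minute correlation window are assumptions for the demo. WinDefend and Sense are the service names of Windows Defender and Defender for Endpoint, and wevtutil cl / Clear-EventLog are the built-in Windows ways to wipe an event log.

```python
"""Flag defense-impairment activity in process-creation telemetry.

Added example, not from the original article. Input is a constructed
sample of process-creation events (Sysmon event 1 / Windows 4688 style)
flattened to one line each:

    <timestamp> host=<name> user=<account> image=<path> cmd="<command line>"

Line format, host names, rule list and window are demo assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: FS01 shows logs being wiped and Defender being
# stopped within seconds; WS042 shows benign use of the same binaries.
SAMPLE_EVENTS = [
    '2021-05-07T03:01:11 host=FS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\wevtutil.exe cmd="wevtutil.exe cl Security"',
    '2021-05-07T03:01:12 host=FS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\wevtutil.exe cmd="wevtutil.exe cl System"',
    '2021-05-07T03:01:20 host=FS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\net.exe cmd="net stop WinDefend"',
    '2021-05-07T03:01:25 host=FS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmd="powershell -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"',
    '2021-05-07T08:15:02 host=WS042 user=CORP\\jsmith image=C:\\Windows\\System32\\wevtutil.exe cmd="wevtutil.exe qe Application /c:5 /f:text"',
    '2021-05-07T08:20:30 host=WS042 user=CORP\\jsmith image=C:\\Windows\\System32\\net.exe cmd="net stop Spooler"',
]

RULES = [
    # wiping event logs: "wevtutil cl <log>" or PowerShell Clear-EventLog
    ("log_clearing", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("log_clearing", re.compile(r"\bClear-EventLog\b", re.I)),
    # stopping, reconfiguring or deleting the Defender services with net/sc
    ("av_service_stop", re.compile(r'\b(net|sc)(\.exe)?\s+(stop|config|delete)\s+"?(WinDefend|Sense)\b', re.I)),
    # switching Defender monitoring off through PowerShell
    ("av_tamper", re.compile(r"Set-MpPreference\b.*-Disable\w+\s+\$true", re.I)),
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>\S+) cmd="(?P<cmd>.*)"$'
)


def parse_event(line):
    """Parse one flattened process-creation line into a dict."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def classify(cmd):
    """Return the set of defense-impairment categories a command line matches."""
    return {name for name, rx in RULES if rx.search(cmd)}


def find_defense_impairment(lines, window=timedelta(minutes=10)):
    """Group rule hits per host.

    Severity is 'high' when two hits of different categories (e.g. a log
    wipe and an AV stop) occur on the same host within `window`, which is
    far less likely to be an admin's routine maintenance; otherwise 'medium'.
    """
    hits_by_host = defaultdict(list)
    for ev in sorted((parse_event(l) for l in lines), key=lambda e: e["ts"]):
        for cat in sorted(classify(ev["cmd"])):
            hits_by_host[ev["host"]].append((ev["ts"], cat, ev["user"], ev["cmd"]))

    findings = {}
    for host, hits in hits_by_host.items():
        severity = "medium"
        for i, (ts_i, cat_i, _, _) in enumerate(hits):
            for ts_j, cat_j, _, _ in hits[i + 1:]:
                if cat_j != cat_i and ts_j - ts_i <= window:
                    severity = "high"
        findings[host] = {
            "severity": severity,
            "categories": {cat for _, cat, _, _ in hits},
            "hits": hits,
        }
    return findings


if __name__ == "__main__":
    for host, f in find_defense_impairment(SAMPLE_EVENTS).items():
        print(f"{host}: {f['severity']} ({', '.join(sorted(f['categories']))})")
        for ts, cat, user, cmd in f["hits"]:
            print(f"  {ts.isoformat()} {cat:16} {user:18} {cmd}")
```

Note that the benign host never produces a finding even though it runs the same two binaries: the rules key on the destructive sub-commands and the security-service names, not on the executables, and the severity step requires two different impairment categories close together, which is the pattern an intruder leaves behind and an administrator rarely does.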
How To Keep Your Data Safe

Although DarkSide and Noberus often target larger organizations, businesses of all sizes are at risk. Many attackers have recognized the profit in targeting organizations that lack the budget for a full-scale IT department or security team. Fortunately, there are ways to keep your data safe regardless of budget.

For starters, use strong, unique passwords for every login; we have already covered the problems with password reuse. Because DarkSide specifically targets RDP, disable it wherever it is not indispensable, and where it is, do not expose it directly to the internet. Establish an account lockout policy: a brute-force attack tries thousands of password guesses in rapid succession, so lock the account after a small number of failed attempts (often three or four) for a set period. Bear in mind that attackers can sidestep per-account lockout by spreading a few guesses across many accounts, so also watch for many failures coming from a single source. One of the best mitigations for ransomware is a robust backup system. If your data is backed up to a separate system that attackers cannot reach from the compromised network, it can be restored to keep the business running without paying the ransom; test the restore process before you need it.

Keep your software up to date. You have probably heard this a thousand times, but much malware relies on out-of-date software to breach company networks. The vulnerabilities that DarkSide relies on have been patched in current software releases, and an organization running up-to-date software is far less exposed to a DarkSide attack.
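The lockout policy and brute-force detection described above can be exercised on a small constructed log. The block below is an added example, not code from the article or from any product: it flattens Windows Security events to one line each (event 4625 is a failed logon, 4624 a successful one, logon type 10 is RDP), flags sources that accumulate many RDP failures in a short window, and separately simulates a per-account lockout policy. The line format, addresses, account names, thresholds and window lengths are all assumptions for the demo.

```python
"""Spot RDP password guessing and simulate an account-lockout policy.

Added example, not from the original article. Input is a constructed
sample of Windows Security log events flattened to one line each:

    <timestamp> <event_id> type=<logon_type> user=<account> src=<ip>

4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
Line format, thresholds, addresses and account names are demo assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one source hammering a single account, a second
# source "spraying" one guess across many accounts, and a legitimate
# user who mistypes a password once and then logs in.
SAMPLE_LOG = """\
2021-05-06T02:14:01 4625 type=10 user=administrator src=203.0.113.7
2021-05-06T02:14:02 4625 type=10 user=administrator src=203.0.113.7
2021-05-06T02:14:02 4625 type=10 user=administrator src=203.0.113.7
2021-05-06T02:14:03 4625 type=10 user=administrator src=203.0.113.7
2021-05-06T02:14:05 4624 type=10 user=administrator src=203.0.113.7
2021-05-06T02:20:01 4625 type=10 user=admin src=203.0.113.9
2021-05-06T02:20:02 4625 type=10 user=backup src=203.0.113.9
2021-05-06T02:20:03 4625 type=10 user=jsmith src=203.0.113.9
2021-05-06T02:20:04 4625 type=10 user=mlee src=203.0.113.9
2021-05-06T02:20:05 4625 type=10 user=svc_sql src=203.0.113.9
2021-05-06T09:30:10 4625 type=10 user=mlee src=198.51.100.4
2021-05-06T09:31:40 4624 type=10 user=mlee src=198.51.100.4
"""


def parse(line):
    """Parse one flattened logon event into a dict."""
    ts, event_id, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts), "event": int(event_id),
            "logon_type": int(kv.get("type", 0)), "user": kv["user"], "src": kv["src"]}


def _events(log_text):
    return sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                  key=lambda e: e["ts"])


def detect_bruteforce(log_text, window=timedelta(minutes=5), threshold=4):
    """Source-based detection: {src_ip: {accounts tried}} for any source
    with at least `threshold` failed RDP logons inside a sliding `window`.
    This catches spraying, which per-account lockout does not."""
    recent = defaultdict(deque)  # src -> deque of (ts, user) failures in window
    flagged = {}
    for e in _events(log_text):
        if e["event"] != 4625 or e["logon_type"] != 10:
            continue
        q = recent[e["src"]]
        q.append((e["ts"], e["user"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(e["src"], set()).update(u for _, u in q)
    return flagged


def apply_lockout(log_text, max_failures=4, lockout_duration=timedelta(minutes=15)):
    """Simulate a per-account lockout policy.

    An account is locked after `max_failures` consecutive failed logons and
    stays locked for `lockout_duration`; a success resets the counter.
    Returns (locked_accounts, blocked_logons). In this simulation a 4624
    while locked stands for a correct guess that the policy rejects anyway
    (a real host would log a 4625 with an account-locked status instead).
    """
    failures = defaultdict(int)
    locked_until = {}
    locked_accounts, blocked = set(), []
    for e in _events(log_text):
        user = e["user"]
        if user in locked_until and e["ts"] < locked_until[user]:
            blocked.append((e["ts"].isoformat(), user))
            continue
        if e["event"] == 4624:
            failures[user] = 0
        elif e["event"] == 4625:
            failures[user] += 1
            if failures[user] >= max_failures:
                locked_until[user] = e["ts"] + lockout_duration
                locked_accounts.add(user)
                failures[user] = 0
    return locked_accounts, blocked


if __name__ == "__main__":
    for src, users in detect_bruteforce(SAMPLE_LOG).items():
        print(f"brute force from {src}: {len(users)} account(s) tried: {sorted(users)}")
    locked, blocked = apply_lockout(SAMPLE_LOG)
    print("locked accounts:", sorted(locked))
    print("logons rejected while locked:", blocked)
```

Two things stand out when the sample runs. The lockout policy stops the first attacker cold: the administrator account locks on the fourth failure, and the correct guess that follows two seconds later is rejected. The second attacker never trips the lockout at all, since no account sees more than one failure, but the source-based detector flags 203.0.113.9 after its fourth failure within the window. The legitimate user's single typo at 198.51.100.4 triggers neither. Use both controls together, and bear in mind that an aggressive lockout threshold lets an attacker who knows account names lock staff out deliberately, which is one reason to pair it with a finite lockout duration rather than a permanent lock.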
As we have seen with DarkSide and Coreid, the threat landscape constantly evolves. That is why keeping up with the latest cybersecurity and data developments is vital. Subscribe to IT Brew to stay up to date and protect yourself from future threats.