THE WORKINGS OF DARKSIDE RANSOMWARE

THE WORKINGS OF DARKSIDE RANSOMWARE

DarkSide ransomware is a relatively new ransomware strain that threat actors have been utilising to target numerous businesses, resulting in the encryption and theft of sensitive data as well as threats to make it publicly available if a ransom demand is not met. Read how the meat industry is the latest to be attacked by ransomware

The form of ransomware has been active since August 2020 and was used in a hack against Georgia-based Colonial Pipeline, causing a severe gasoline supply disruption along the United States East Coast. The virus is provided as a service to various hackers via an affiliate scheme and, like other well-known ransomware threats, utilises double extortion, combining file encryption with data theft, and is distributed on infiltrated networks by manual hacking tactics. Recent reports state that the threat actors behind DarkSide ransomware are of Russian origin and are likely former affiliates of the REvil RaaS [ransomware-as-a-service] group.

Main Targets

As mentioned, DarkSide ransomware typically targets high-revenue businesses. With time, several other DarkSide victims have been discovered through incident response engagements and posts on the DarkSide blog. The majority of the victims were situated in the United States and worked in a variety of industries, including financial services, legal, manufacturing, professional services, retail, and technology.

How DarkSide Infiltrates Networks

DarkSide and its associates deliver ransomware using the same human-operated approach as other popular ransomware organisations that have plagued businesses in recent years. This implies that attackers acquire access to networks by several mechanisms, including stolen credentials followed by manual hacking techniques and lateral movement utilising a range of system administration or penetration testing tools.

The objective is to map the network to identify crucial servers, elevate privileges, get domain administrator credentials, disable and remove backups, exfiltrate sensitive data, and then spread the ransomware to as many systems as possible at once. This deliberate and precise technique is far more effective and difficult to fight against than ransomware programmes that spread automatically over networks by utilising built-in routines that may fail and trip detection measures. Read how to identify sensitive data on our blog for more information.

To get a footing, each DarkSide affiliate may use a different strategy. These techniques are similar to those used by other ransomware groups: purchasing stolen credentials from underground markets, performing brute-force password guessing or credential stuffing attacks, purchasing access to machines infected with botnet malware such as Dridex, TrickBot, or Zloader, and so on. It also happens by sending emails with malicious attachments that include a lightweight malware loader.

What is the DarkSide Ransomware Routine?

The DarkSide ransomware encrypts victims’ data with Salsa20 and RSA-1024 and is said to have a Linux variant. When installed on Windows, the virus examines the system’s language setting and, if it is the language of a nation in the former Soviet Bloc or its area of influence, it avoids encrypting the data. This is typical of malware created by groups who are based in the region and who want to avoid attracting the attention of local authorities by not hitting local organizations.

According to Cybereason researchers, the virus then disables services with the following names: vss, sql, svc, memtas, mepocs, sophos, veeam, or backup. These include backup procedures, such as the Windows Volume Shadow Copy Service (VSS), or security solutions. It then proceeds to identify ongoing processes and ends them so that it can decrypt the files they were accessing. It also employs a PowerShell command to remove any existing volume shadow copies that may be utilised to recover files.

DarkSide ransomware generates a unique ID for each victim and appends it to the file extension of the encrypted files. The ransom payments might range from a few hundred thousand dollars to millions of dollars, based on the assailants’ assessment of the victim’s size and yearly income.

Implementing software solutions such as SecurityShield helps to continuously scan servers or provides an endpoint to search for flaws in software design. It discovers vulnerabilities, assesses their impact, classifies them, identifies risks they pose, and then generates a prioritized risk response remediation plan to fix them and more. To know more about our software solutions you can visit our website, read our blog or follow us on Twitter and LinkedIn.

4 STAGES OF A SUCCESSFUL VULNERABILITY MANAGEMENT PROGRAM

There are new vulnerabilities in the cyber world being discovered constantly. It seems like virtually every day, there is a story about an organization that is breached owing to vulnerabilities in its information technology systems. More disturbingly, news of the SolarWinds attack highlighted the sophistication of cyberattacks wherein a legitimate utility on the targeted system was modified, executed, and then replaced with the legitimate one. The integration of 5G and machine learning can further open the network to several serious cybersecurity vulnerabilities. Given this scenario, the obvious answer involves securing your networks and IT systems from potential attacks by eliminating threats.

Other than securing your networks, you also need to deal with breaches caused by known vulnerabilities. Sometimes, patches are available for weeks and months yet the vulnerability is left unaddressed. If an organization is aware that its network has vulnerabilities, why not patch them up immediately? The delay occurs because they encounter too many vulnerabilities and have little time to fix these issues. So what you need to be asking is, “How can you know which vulnerabilities to rectify first?”

The solution is by building a strong vulnerability management system.

Here are 4 stages to keep in mind when setting up a successful vulnerability management program.

1) Scanning of assets

The most important step involves recognizing your organization’s Operational Technology (OT) and Information Technology (IT) assets. After all, you cannot protect your assets if you aren’t aware of the assets you have. Make sure to critically examine networks, connected third-party systems, different data types, storage devices, and computing systems on the company’s network. Following this, classify these factors based on risk to the business. Understand how certain factors can also increase an asset’s inherent risk by measuring system availability and user access. You also need to focus on coupling, a term that revolves around the interdependencies of systems. This shows you how adversely one factor such as a higher risk asset can affect another factor in a security framework. While assets with greater importance should be at the top of your priority list, do not ignore those with a lower risk value. Remember, every asset contributes to the overall operational risk so it is essential to pay attention to all elements and accordingly seek the right remediation effort.

Next, identify asset owners in an organization by understanding how they are responsible for the asset and the risk involved in case the asset is compromised. Unless individuals are held accountable, the vulnerabilities found will be ignored as a nameless risk. Also, have an up-to-date vulnerability scanning tool and conduct recurrent scans so that new risks are identified and remediation of vulnerabilities can be reprioritized as information gets updated. Establishing timelines for remediation helps understand the extent to which an attacker is taking advantage of a vulnerability.

2) Asset discovery and inventory

As an organization, you need to simplify every element of your vulnerability management program so that it proves to be effective. To do this, you need to go through asset discovery and inventory. Asset discovery aims to manage all hardware devices on the network. This ensures only authorized devices can gain access while unmanaged devices are identified and prevented from getting into the network. On the other hand, asset inventory contributes to actively look at all software on the network, making sure only authorized software can be installed and implemented. These two controls are important so that attackers cannot exploit potentially unpatched shadow IT devices (devices used by a department or individual without the explicit approval or knowledge of the IT or security group in an organization).

3) Vulnerability detection, categorization and prioritization

It is imperative to conduct regular vulnerability scans as they proactively check for existing and potential application, network, and security issues. These scans distinguish and categorize system weaknesses in infrastructure equipment, computers, and networks. This scan can also be carried out by attackers when trying to locate points of entry into your organization’s network. It is therefore important for the IT department to run a vulnerability scanning service from the perspective of the organization examining the attack surface. Accordingly, you can categorize and prioritize the vulnerability that threatens your vital system.

Since this scan also shows you what can occur if your system or network is exploited, you gain the guidance necessary to minimize the risk posed to those assets. The scanning service uses a database to check details about the attack in question. These scans can also tell how competent counter-measures are in the event of a threat.

4) Reporting and remediation

After vulnerability detection is completed, a score is given to every vulnerability. This score is provided using a specialized convention that also connects to the skills required to examine the flaw and other critical data. If the vulnerability is easy to exploit, it results in a higher risk score. Also, as the vulnerability age increases so does the score of the vulnerability. This helps you generate a vulnerability risk management solution so that a remediation plan can be set in place.

To set up a good vulnerability management program, you need to begin with patch management by understanding which patches are available and applicable to the environment’s vulnerabilities. Implementing a security software solution such as SecurityShield helps you discover vulnerabilities, examine their impact, classify them and accordingly generate a prioritized risk response remediation plan to fix them. It is also important for all individuals in your organization to have intuitive workflows to coordinate remediation efforts carried out by the vulnerability risk management team and system owners. This helps to identify undetected data leaks and further strengthen the vulnerability management program.

Whether you are a government entity, small business, or huge corporation, every organization with an internet connection is at risk. Given how cyber threats are increasing and getting trickier by the day, it is better to proactively fight potential threats than manage the problem after an attacker has successfully paved their way into your system. If you aren’t sure about how to begin securing your organization’s sensitive information, you can read our blog on how to conduct a cyber risk assessment to get started or email us on info@sure-shield.com for guidance. For further information on how to enhance data security, follow SureShield on Twitter or LinkedIn.

HOW TO INCORPORATE RISK MANAGEMENT IN YOUR ORGANIZATION

Recent years have not been kind to workplace cybercrimes. To keep your organization secure, it is critical to conduct a cyber risk assessment. As the name suggests, it assesses the cyber risks your company or organization is facing. Risk assessments are used to identify, estimate, and prioritize risk to organizational operations, organizational assets, individuals and other organizations. Thus, resulting from the operation and use of information systems. It is essential to identify mitigation strategies for these risks for several different reasons such as safety of your employees and customers, financial security, operational continuity and dependability. Read our earlier blog post to know how to conduct a cyber risk assessment.

Here are 6 different ways you can incorporate risk management in your organization.

Assess Risks and Vulnerability

The nature of threats are constantly evolving and a change in security systems are required to keep up with this. The main goal of a security assessment is to assess and evaluate areas of vulnerability in the organization. Next, it is crucial to determine what kind of vulnerabilities they are (Potential or actual) so that they can be addressed effectively and efficiently. Last, appropriate measures are taken to minimize exposure to the threats or eliminate them.

Prioritize Risks

It is always necessary to determine the priorities of your workplace. Different security setups are implemented to mitigate different risks, and different systems are designed to protect different types of targets in your workplace. There are systems implemented to protect the personal safety of your organization, tangible property (cash, products) and intangible property (classified data). Identifying risks, prioritizing them based on their urgency and mitigating them effectively can vastly improve workplace risk management.

Comprehensive Planning

Comprehensive planning is vital to risk management strategies. Several security systems are specifically designed to detect risks and mitigate them. This takes time and advanced coordination. An organization may also need a custom setup that takes time to design, build and implement. Planning thoroughly for your organization’s security needs can contribute to better risk management. Healthcare organizations especially have become a common target during the ongoing pandemic. Read our blog on how to implement a healthcare risk management plan.

Monitor Software and Hardware 

Some of the more straightforward risks an organization faces are vulnerabilities in its software and hardware. These can be managed by monitoring and implementing the regular security updates of your technology provider. The task can prove to be difficult as every employee will need to be monitored. Implementing robust IT policies and regular check-ins for employees in the organization to monitor their technology usage and habits are critical steps in minimizing risk exposure.

Firewalls and Threat Intelligence

Securing your network is vital as several thousand sites are being accessed by your employees and every single computer is exposed to the internet, thus increasing your chances of being hacked. It is important to implement firewalls, which blocks untrustworthy websites and apps, conduct regular threat intelligence and implement security protocols on your networks. Implementing HackShield into your systems can greatly reduce your exposure. It mitigates risks by:

  • Instantly discovering sensitive data and applying transparent encryption
  • Monitoring and auditing data movement at the endpoint to ensure compliance
  • Assessing the level of liability on endpoints and stratify risk
  • Tracking and protecting selected data for anyone in the system
  • Shutting down access to protected data for terminated employees or discontinued third parties
  • Monitoring third-party downloading of protected health information (PHI) on any device
  • Writing rules as to who can have access to information
  • Preventing the transfer of data to non-authorized targets

Companies such as SureShield implement software to holistically conduct secure risk management for your organization. To know more, follow us on LinkedIn and Twitter or email us at info@sure-shield.com for any questions and we’ll be happy to help.