The ransomware campaign against the Colonial Pipeline highlights the dangers and real-life consequences of cyberattacks. If you want to understand how to use Splunk to find activity related to the DarkSide Ransomware, we highly recommend you first read “The DarkSide of the Ransomware Pipeline” from Splunk’s Security Strategist team. In short, according to the FBI, the actors behind this campaign are part of the “DarkSide” group.
Organizations today are challenged by an increased exposure to cyber threats. Attackers often target emerging technologies since the new technology is often ill-equipped to handle an attack. Moreover, the internet has become filled with malicious links, Trojans, and viruses.
DarkSide is a ransomware-as-a-service platform that made headlines on May 8, 2021, for targeting Colonial Pipeline, resulting in a shutdown of their pipeline operations. The DarkSide ransomware platform first appeared in August 2020, advertising that they would not target organizations in the education, government, medical, or non-profit sectors.
Over the weekend, the Alpharetta-based Colonial Pipeline was hit by an extensive ransomware attack that shut down its information technology (IT) and industrial operational technology (OT) systems. Simply put, an all-too-common ransomware event targeting IT systems encouraged a voluntary shutdown on the production side (OT) of the business to prevent further exposure. Colonial Pipeline is responsible for 45% of the gasoline, diesel fuel and natural gas transported from Texas to New Jersey.
Every career has defining moments. Most are spread out over years or even decades, but the cybersecurity world has had two career-defining moments just in the past year. It started with the global shutdown due to the COVID-19 pandemic. Overnight, many organizations were forced to support employees working remotely. CISOs, like me, were expected to keep both our company and its employees safe in a completely unpredictable world.
Arguably the greatest threat to organisations in 2021 is ransomware. Ransomware attacks proliferated in 2020, increasing by 435% compared to 2019. The number of ransoms paid has also increased from 39% in 2018 to 58% in 2020 (the figure is likely to be even higher when factoring in those organisations that have not disclosed whether a ransom has been paid).
In 2021, Kroll investigators have had multiple opportunities to respond to a series of interconnected network intrusions, ransomware events and cyber incidents which, upon investigation and review, possessed overlapping tactics, techniques and procedures (TTPs) and similar indicators of compromise (IOC) among them. The incidents affected organizations of various sizes across diverse industry sectors through what Kroll’s investigations confirmed was a range of separate intrusion vectors.
For most internet users, there’s not much of a perceivable difference between the domain name they want to visit and the server that the domain queries. That’s because the Domain Name System (DNS) protocol does a good job of seamlessly routing users to different IP addresses that are all associated with a single domain name.
Clop Ransomware has been active since 2019 and has been mostly associated with financially-driven criminal groups. However, lately this ransomware payload has been observed in campaigns against universities and other institutions in the education vertical.
