With a renewed focus on preventing and mitigating the impacts of ransomware, the U.S. Cybersecurity and Infrastructure Security Agency has released a new report on the indicators of compromise and best practices for preventing business disruption, with a particular focus on critical infrastructure operators.
This comes after Colonial Pipeline was hit with a ransomware attack, causing the provider of fuel to the East Coast to shut down its operations for several days and setting in motion a chain reaction that saw fuel prices skyrocket.
CISA’s initial report was released May 11, but the agency on Wednesday released a STIX package of indicators of compromise that were initially shared with infrastructure partners and network defenders last week.
Like other ransomware operators, DarkSide gains initial access through phishing, exploitation of remotely accessible accounts and systems, virtual desktop infrastructure and external remote services, and uses Remote Desktop Protocol (RDP) to maintain persistence.
According to CISA, DarkSide then deploys the ransomware of the same name to encrypt and steal data, and threatens to release the stolen data if the ransom isn’t paid.
DarkSide primarily uses The Onion Router (Tor) for command and control (C2), but has also been observed using Cobalt Strike.
With critical infrastructure now the focus, CISA is urging IT and security teams of infrastructure owners and operators to take these mitigations to help prevent disruptions due to ransomware:
- Require multi-factor authentication for access to both OT and IT networks.
- Enable strong spam filters to prevent phishing emails from reaching users.
- Train end users and conduct simulated attacks.
- Filter network traffic to prevent communication with known malicious IP addresses and prevent users from accessing malicious websites.
- Update and patch any and all systems via a patch management system, and use a risk-based assessment strategy to determine which OT network assets and zones should be included.
- Limit access to resources over networks, especially by restricting remote desktop protocol. If RDP is necessary, restrict the originating sources and require multi-factor authentication.
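The "filter network traffic" mitigation and the STIX package mentioned above come together in practice when a defender turns the indicator bundle into blocklists and checks network logs against them. The following script is an added example, not code from the article or from CISA: it extracts IPv4 and domain observables from STIX 2.1 indicator patterns and matches them against firewall/proxy style log lines. The bundle and the log lines are constructed for illustration (RFC 5737 and RFC 2606 documentation addresses and names); none of them are real DarkSide indicators, and the `src=`/`dst=`/`host=` log format is an assumption about the log source.

```python
"""Added example: STIX 2.1 indicator bundle -> IP/domain blocklist -> log scan.
All indicators and log lines below are CONSTRUCTED (documentation addresses
and names), not real DarkSide IoCs."""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed bundle in the shape CISA distributes IoCs in (ids are placeholders).
STIX_BUNDLE_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.7']",
         "valid_from": "2021-05-11T00:00:00Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'c2.example.net']",
         "valid_from": "2021-05-11T00:00:00Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.9' OR ipv4-addr:value = '203.0.113.10']",
         "valid_from": "2021-05-11T00:00:00Z"},
        # File-hash indicators occur in such bundles but are not network
        # observables; this loader deliberately skips them (placeholder hash).
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000005",
         "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "0" * 64 + "']",
         "valid_from": "2021-05-11T00:00:00Z"},
        # Non-indicator objects (malware, relationships, ...) are skipped too.
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000006",
         "name": "constructed-sample", "is_family": True},
    ]
})

# Constructed log lines in an assumed key=value format (timestamp first).
SAMPLE_LOGS = [
    "2021-05-12T09:14:03Z src=10.0.5.23 dst=192.0.2.44 dport=443 action=allow",
    "2021-05-12T09:14:09Z src=10.0.5.23 dst=198.51.100.7 dport=443 action=allow",
    "2021-05-12T09:15:10Z src=10.0.5.23 host=www.example.com dport=80 action=allow",
    "2021-05-12T09:15:41Z src=10.0.7.8 host=update.c2.example.net dport=443 action=allow",
    "2021-05-12T09:16:02Z src=10.0.5.23 dst=203.0.113.10 dport=8443 action=deny",
    "2021-05-12T09:16:30Z src=10.0.9.1 dst=203.0.113.99 dport=22 action=allow",
]


@dataclass
class Indicators:
    ips: Set[str]
    domains: Set[str]


# One comparison inside a STIX pattern, e.g.  ipv4-addr:value = '198.51.100.7'
_STIX_ATOM = re.compile(r"(ipv4-addr|domain-name):value\s*=\s*'([^']+)'")


def load_indicators(bundle_json: str) -> Indicators:
    """Collect IPv4 and domain observables from every STIX-pattern indicator."""
    bundle = json.loads(bundle_json)
    ips: Set[str] = set()
    domains: Set[str] = set()
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for kind, value in _STIX_ATOM.findall(obj.get("pattern", "")):
            (ips if kind == "ipv4-addr" else domains).add(value.lower())
    return Indicators(ips, domains)


@dataclass
class Match:
    line_no: int
    field: str       # which log field matched (src, dst or host)
    value: str       # the observed value
    indicator: str   # the indicator it matched (for domains, possibly a parent)
    line: str


_KV = re.compile(r"(\w+)=(\S+)")


def _domain_hit(host: str, domains: Set[str]) -> Optional[str]:
    """Exact match or subdomain match (update.c2.example.net hits c2.example.net)."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_logs(lines: Iterable[str], ind: Indicators) -> List[Match]:
    """Return every log line whose src/dst IP or host field matches an indicator.
    Denied connections are reported too: a blocked beacon still means an
    infected host that needs triage."""
    hits: List[Match] = []
    for n, line in enumerate(lines, 1):
        fields = dict(_KV.findall(line))
        for f in ("dst", "src"):
            v = fields.get(f)
            if v is not None and v in ind.ips:
                hits.append(Match(n, f, v, v, line))
        host = fields.get("host")
        if host:
            d = _domain_hit(host, ind.domains)
            if d is not None:
                hits.append(Match(n, "host", host, d, line))
    return hits


if __name__ == "__main__":
    indicators = load_indicators(STIX_BUNDLE_JSON)
    print("block IPs:", sorted(indicators.ips), "block domains:", sorted(indicators.domains))
    for m in scan_logs(SAMPLE_LOGS, indicators):
        print(f"line {m.line_no}: {m.field}={m.value} matches {m.indicator}")
```

The loader only understands simple equality comparisons joined by `OR`; production STIX patterns can carry other operators and observation expressions, so a full pattern parser (or the `stix2` library) is the right tool once the bundle grows beyond IP and domain atoms. The subdomain match in `_domain_hit` is deliberate: a blocklist that only matches exact hostnames misses the same infrastructure reached through a different label.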
However, even with those mitigations, organizations can still fall victim if just one account is compromised. To prepare for a successful ransomware attack, CISA urges critical infrastructure IT pros to:
- Implement network segmentation between IT and OT networks to limit the ability of attackers to impact the OT network.
- Organize OT assets into logical zones
- Identify OT and IT network inter-dependencies and develop workarounds or manual controls
- Regularly test manual controls
- Implement regular data backup procedures for both IT and OT networks, including storing backups offline, maintaining regularly updated images of critical systems and retaining backup hardware to rebuild systems.
- Limit user and process accounts to the privileges they need.
- Set antivirus and anti-malware programs to conduct regular scans.
If your organization is in the midst of responding to a ransomware attack, CISA advises IT pros to:
- Isolate the affected system and remove it from all networks.
- Turn off any other infected computers and devices and disconnect them from the network; this may help recover files.
- Secure your backups: make sure they are offline and scan them for malware.
For more information and indicators of compromise, read CISA’s updated alert.