How Zero Trust Could Have Stopped DarkSide’s Ransomware Malware
If you live on the East Coast, you’ll definitely be aware by now that the price of gasoline has gone up. And if you have paid any attention at all to the news you’ll know why: On Friday, May 7, a ransomware attack on one of the country’s biggest fuel pipeline operators, Colonial Pipeline, caused the company to shut down its entire corporate computer network and, consequently, the pipeline itself.
This pipeline, which is over 5,500 miles long and transports over 100 million gallons every day, carries 45 percent of the East Coast’s gasoline, diesel, and other fuels. Within a couple of days of shutting down, widespread fuel shortages began with one in five gasoline stations in Atlanta reporting being out of fuel by the evening of Tuesday, May 11.
The ransomware attack was the work of a Russian or Eastern European hacking group named DarkSide and, according to Bloomberg, despite early reports claiming Colonial Pipeline had no intention of paying the ransom, the company did, in fact, pay almost immediately, to the tune of nearly $5 million in Bitcoin cryptocurrency. This was a relatively small ransom; for companies the size of Colonial Pipeline, ransoms are usually in the $25 million plus range. In return for paying up, Colonial Pipeline received a ransomware decryption tool that was so slow the company was forced to rely on its own backups to restore its systems.
On May 13, Colonial Pipeline announced that it was restarting the pipeline, but reaching full capacity would take several days, so reduced fuel availability continued for roughly one more week.
Not surprisingly, as with bathroom tissue in early 2020, a wave of panic buying of gasoline started on the East Coast, and bizarrely it led to the U.S. Consumer Product Safety Commission publishing a warning that Americans should not fill plastic bags with gasoline.
The Rise of DarkSide
The DarkSide hacking group first emerged as a significant cyber security threat in August 2020 when it published a press release stating:
We are a new product on the market, but that does not mean that we have no experience, and we came from nowhere.
We received millions of dollars profit by partnering with other well-known cryptolockers.
We created DarkSide because we didn’t find the perfect product for us. Now we have it.
Once a group like DarkSide manages to penetrate a network, it can copy all the data it finds to its own servers and then encrypt the victim’s data in place using ransomware. If the data are private or commercially sensitive, the group publishes a portion of the stolen data on a website it controls to demonstrate that it succeeded.
DarkSide usually makes it clear that if the ransom isn’t paid, it will publish all of the data online for at least six months so even if the victim can successfully restore from backups there’s still a serious incentive to pay up.
If the victim does pay up, then DarkSide, in common with most ransomware criminals, promises to provide a decryption tool to recover the encrypted data. However, as noted above, even when the cyber criminals provide a decryption tool, there’s no guarantee it will work well enough to recover from the ransomware attack.
U.S. Infrastructure Vulnerability
While ransomware attacks on American companies and services aren’t new, the scale and consequences of the Colonial Pipeline attack really underscore just how vulnerable U.S. infrastructure is and, as a result, the government has been prodded to take action.
Eric Goldstein, executive assistant director of the cyber security division at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, or CISA, commented:
“We are engaged with the company and our interagency partners regarding the situation. This underscores the threat that ransomware poses to organizations regardless of size or sector. We encourage every organization to take action to strengthen their cyber security posture to reduce their exposure to these types of threats.”
DarkSide’s targets are corporate networks running Microsoft Windows, and the group claims that it will not target medicine (hospitals, hospices), education (schools, universities) and non-profit organizations.
Interestingly, the response from the U.S. government to the attack on Colonial Pipeline may have unnerved DarkSide, which may explain why the ransom demand was comparatively low. Their latest press release also sounds somewhat less confident than their usual releases (note that all spelling and punctuation mistakes are in the original):
We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined goverment and look for other our motives. Our goal is to make money. and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.
Given that this kind of assault on national infrastructure isn’t new, it raises the question of why organizations aren’t defending themselves with what has become recognized as information technology’s best practice for securing networks—the Zero Trust model.
Trust in Zero Trust
There are four components to the Zero Trust model that enterprises and governments should be using to defend their networks:
- Create network micro-segments and micro-perimeters to restrict traffic flow and limit excessive user privileges and access as much as possible.
- Strengthen incident detection and response using comprehensive analytics and automation.
- Integrate solutions across multi-vendor networks with ease, so they can work together seamlessly, enabling compliance and unified cyber security. The solutions should also be easy to use so that additional complexity can be removed.
- Provide comprehensive and centralized visibility into users, devices, data, the network, and workflows. This also includes visibility into all encrypted channels.
Fundamentally, the Zero Trust model is based on not trusting anyone or anything on your network. This means that network access is not granted without the network knowing exactly who you are. This access is scrutinized at multiple points throughout the network, using micro-perimeters, to make sure no unauthorized user is moving laterally throughout the network. But to make a Zero Trust model work it must be supported by in-depth traffic inspection and analytics to fill what is essentially the blind spot in the model.
Key to this approach is the use of TLS/SSL Inspection solutions that decrypt and analyze encrypted network traffic to ensure policy compliance and privacy. By monitoring decrypted traffic to detect malware payloads and suspicious network communications, as well as the exfiltration of controlled data (for example, credit card and social security numbers), TLS/SSL Inspection makes it possible for the Zero Trust model to do what it’s supposed to do – protect networks from internal and external threats alike.
If your organization has not adopted a Zero Trust strategy combined with deep TLS/SSL traffic inspection, now is the time to start rethinking your security position, because threat actors like DarkSide are not going away any time soon.
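As an added illustration of the exfiltration check described above (example code written for this post, not part of the original article or any A10 product), here is a small Python inspection routine run over constructed, already-decrypted request bodies. It flags card numbers that pass the Luhn checksum and SSN-shaped values, and reports them masked so the findings themselves do not leak the data.

```python
import re

# Constructed sample of decrypted HTTP bodies, as an inspection point would
# see them after TLS decryption. These values are made up for the example.
SAMPLE_BODIES = [
    "user=alice&note=quarterly report attached",
    "cardholder=Bob&pan=4111 1111 1111 1111&exp=12/27",
    "ssn=123-45-6789&dob=1980-01-01",
    "order=42&ref=4111111111111112",  # 16 digits but fails Luhn: not a card
]

# 13-19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# AAA-GG-SSSS with the area/group/serial values SSA never issues excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits):
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def inspect_body(body):
    """Return masked findings for controlled data found in one body."""
    findings = []
    for m in PAN_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        # Pattern alone gives many false positives; require a valid checksum.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append("PAN:" + digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    for m in SSN_RE.finditer(body):
        findings.append("SSN:***-**-" + m.group()[-4:])
    return findings


def scan(bodies):
    """Map body index -> findings, only for bodies that should be blocked."""
    return {i: f for i, b in enumerate(bodies) if (f := inspect_body(b))}


if __name__ == "__main__":
    for idx, found in scan(SAMPLE_BODIES).items():
        print(f"body {idx}: {found}")
```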
How A10 Can Help
A10 Networks Thunder® SSL Insight fulfills the promise of Zero Trust by delivering full traffic visibility. By taking a “decrypt once, inspect many times” approach, the A10 solution lets the cyber security infrastructure rapidly inspect all traffic in clear text to avoid performance penalties and excess complexity.