Best practices to prevent DarkSide ransomware

Created On 05/12/21 22:09 PM - Last Modified 05/13/21 07:57 AM


Question


What is the DarkSide ransomware and what are the best mitigation and prevention steps?

Environment


  • All PAN-OS
  • Anti-Virus license 


Answer


What is DarkSide ransomware?
DarkSide ransomware was first seen in August 2020 on Russian-language hacking forums. It is a ransomware-as-a-service platform that cybercriminals can hire. DarkSide is mainly known for targeting only large companies across several industries, including healthcare, funeral services, education, the public sector, and non-profits.

Who is the latest target for DarkSide ransomware?
Colonial Pipeline; the company learned of the attack on Saturday, May 8th, at 12:30 PM.
Here is the company blog: Colonial Pipeline System Disruption

CISA and FBI alert.
Here is the alert sent by the FBI and CISA that explains the detailed steps and process of mitigation. 

The kill chain and threat actors.

  • The first step is to gain initial access through remotely accessible accounts, VDI, RDP, and similar services, and through phishing.
  • The second step is to steal sensitive data and then encrypt it.
  • DarkSide ransomware uses Salsa20 and RSA encryption. The extension appended to encrypted files can be random.
  • For command and control, the threat actor primarily uses "The Onion Router (TOR)"; in some instances, threat actors have also used Cobalt Strike.
  • Payment is demanded in Bitcoin and Monero cryptocurrencies.
Best Practices:
Here is the PAN advisory for the Best Practices for Ransomware Prevention. 

PAN coverage:
Palo Alto Networks covers many DarkSide-related hashes, URLs, and IP addresses. These IOCs are delivered in the Anti-Virus, Anti-Spyware, and URL Filtering threat packages. The Additional Information section below lists the current DarkSide AV signature coverage.

Unit 42 article:
Here is the Unit 42 article. 

Mitigation steps based on Palo Alto Networks Best Practices documents and CISA/FBI recommendations:
  • Unit 42 blogs cover the mitigation steps in detail.
  • Here is the PAN advisory for the Best Practices for Ransomware Prevention.
  • Antivirus profile: make sure the action for all protocol decoders (HTTP2, IMAP, POP3, and the others) is set to "reset-both".
  • Vulnerability and spyware profiles: setting signatures with severity High and Critical to "reset-both" or "drop" is good practice.
  • URL Filtering: set the following categories to block: command-and-control, dynamic-dns, hacking, high-risk, insufficient-content, malware, newly-registered-domains, not-resolved, parked, phishing, questionable, unknown. Here is a best-practices document.
  • SSL Decryption is a requirement for detecting malicious patterns, as most of our signatures use the http_decoder to inspect the content of the payload. The firewall can only inspect encrypted traffic (TLS/SSL/HTTPS) if it is decrypted using a decryption profile and policy. Documentation on configuring a decryption policy can be found here.
  • File blocking profile: block password-protected compressed and zip files.
  • Remote access to OT and IT networks needs multi-factor authentication.
  • Use strong spam filters to prevent phishing emails from reaching end users.
  • Continuously monitor and improve the security posture based on alerts and threat logs.
  • Continuously train IT staff and end users to recognize social engineering.
  • Network traffic:
    • IP-based: prohibit ingress and egress communications with known malicious IP addresses.
    • URL-based: prevent users from accessing malicious websites by implementing URL blocklists and allow lists.
  • Software updates: keep software updates centralized and controlled.
  • Use a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program.
    • Limit RDP
    • Limit resource access
    • Limit resource access attempts
  • Regularly scan resources with antivirus/antimalware.
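As an added example (not Palo Alto Networks code), the script below audits the firewall-side items in the list above against a security-profile export: antivirus decoder actions, vulnerability rule actions for High/Critical, the URL Filtering block categories, and the file-blocking rule for encrypted archives. The XML is a constructed, simplified approximation of the profile sections of a PAN-OS configuration export; the element names follow the layout of real exports as I know it, but the XPaths are an assumption to verify against your own running config before relying on the audit.

```python
"""Audit PAN-OS style security profiles against the ransomware best practices.

Added example, not Palo Alto Networks code. SAMPLE_CONFIG is a constructed,
simplified export; the element layout is an assumption modelled on real
PAN-OS exports and should be checked against your own configuration.
"""
import xml.etree.ElementTree as ET

# Constructed sample: each profile is deliberately partly out of line with
# the best practices (IMAP/POP3 only alert, most URL categories not blocked,
# encrypted-zip only alerted) so the audit has findings to report.
SAMPLE_CONFIG = """
<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <profiles>
      <virus>
        <entry name="av-default">
          <decoder>
            <entry name="http"><action>reset-both</action></entry>
            <entry name="http2"><action>reset-both</action></entry>
            <entry name="smtp"><action>reset-both</action></entry>
            <entry name="imap"><action>alert</action></entry>
            <entry name="pop3"><action>alert</action></entry>
            <entry name="ftp"><action>reset-both</action></entry>
            <entry name="smb"><action>reset-both</action></entry>
          </decoder>
        </entry>
      </virus>
      <vulnerability>
        <entry name="vp-default">
          <rules>
            <entry name="critical-high">
              <action><reset-both/></action>
              <severity><member>critical</member><member>high</member></severity>
            </entry>
            <entry name="medium-alert">
              <action><alert/></action>
              <severity><member>medium</member></severity>
            </entry>
          </rules>
        </entry>
      </vulnerability>
      <url-filtering>
        <entry name="url-default">
          <block>
            <member>command-and-control</member>
            <member>malware</member>
            <member>phishing</member>
          </block>
          <alert><member>dynamic-dns</member></alert>
        </entry>
      </url-filtering>
      <file-blocking>
        <entry name="fb-default">
          <rules>
            <entry name="encrypted-archives">
              <file-type><member>encrypted-zip</member></file-type>
              <action>alert</action>
            </entry>
          </rules>
        </entry>
      </file-blocking>
    </profiles>
  </entry></vsys></entry></devices>
</config>
"""

AV_DECODERS = ("http", "http2", "smtp", "imap", "pop3", "ftp", "smb")
# Categories the article recommends blocking.
BLOCK_CATEGORIES = ("command-and-control", "dynamic-dns", "hacking", "high-risk",
                    "insufficient-content", "malware", "newly-registered-domains",
                    "not-resolved", "parked", "phishing", "questionable", "unknown")


def audit(config_xml: str) -> list:
    """Return a list of human-readable findings; an empty list means all checks passed."""
    profiles = ET.fromstring(config_xml).find(".//vsys/entry/profiles")
    findings = []
    # Antivirus: every decoder must reset-both.
    for prof in profiles.findall("virus/entry"):
        for dec in AV_DECODERS:
            action = prof.findtext(f"decoder/entry[@name='{dec}']/action")
            if action != "reset-both":
                findings.append(f"AV profile {prof.get('name')}: decoder {dec} is {action}, expected reset-both")
    # Vulnerability: any rule covering critical/high must reset-both or drop.
    for prof in profiles.findall("vulnerability/entry"):
        for rule in prof.findall("rules/entry"):
            severities = {m.text for m in rule.findall("severity/member")}
            action = rule.find("action")
            action_name = action[0].tag if action is not None and len(action) else None
            if severities & {"critical", "high"} and action_name not in ("reset-both", "drop"):
                findings.append(f"Vulnerability profile {prof.get('name')}: rule {rule.get('name')} is {action_name}")
    # URL filtering: all recommended categories must be in the block list.
    for prof in profiles.findall("url-filtering/entry"):
        missing = sorted(set(BLOCK_CATEGORIES) - {m.text for m in prof.findall("block/member")})
        if missing:
            findings.append(f"URL profile {prof.get('name')}: not blocked: {', '.join(missing)}")
    # File blocking: at least one rule must block encrypted-zip outright.
    for prof in profiles.findall("file-blocking/entry"):
        blocked = any("encrypted-zip" in {m.text for m in r.findall("file-type/member")}
                      and r.findtext("action") == "block" for r in prof.findall("rules/entry"))
        if not blocked:
            findings.append(f"File-blocking profile {prof.get('name')}: encrypted-zip is not blocked")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the audit reports four findings (IMAP and POP3 decoders left at alert, nine URL categories not blocked, encrypted-zip only alerted); the vulnerability rule covering critical and high already resets both sides, so it passes. Point the script at a real export by reading the file into `audit()` instead of the constructed string.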


Additional Information


Here is the list of known DarkSide signatures; this list is valid at the time of publication. Palo Alto Networks reserves the right to replace these signatures based on prevalence in the WildFire cloud.

 Signature Name                     UTID
 trojan/Win32 EXE.darkside.aa       373806183
 trojan/Win32 EXE.darkside.z        407907864
 Virus/Linux.WGeneric.bbunth        402945111
 Virus/Win32.WGeneric.anajbm        366300777
 Virus/Win32.WGeneric.ankojr        369421158
 Virus/Win32.WGeneric.anyfxg        373481343
 Virus/Win32.WGeneric.aumvzg        387811014
 Virus/Win32.WGeneric.awzjiz        391455654
 Virus/Win32.WGeneric.axqzpj        392983785
 Virus/Win32.WGeneric.bayxfp        400229172
 Virus/Win32.WGeneric.bbdzgp        400676694
 Virus/Win32.WGeneric.bbdzul        400678365
 Virus/Win32.WGeneric.bbeceq        400685469
 Virus/Win32.WGeneric.bbfjpf        400838946
 Virus/Win32.WGeneric.bcltkq        405810150
 Virus/Win32.WGeneric.bdbmwd        407418306
 Virus/Win32.WGeneric.bdjddu        408156777
 Virus/Win32.WGeneric.bdulsc        409279299
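As an added example (not Palo Alto Networks code), the script below turns the signature table above into a UTID lookup and sweeps threat-log entries for hits, separating detections that were reset or dropped from those that were only alerted on, since an alerted file still reached the host. The log lines are constructed and simplified to the few fields used here; the "Name(UTID)" format of the threat field is an assumption about PAN-OS threat logs, so adjust the regex to match your own log forwarding format.

```python
"""Sweep threat-log entries for the DarkSide signature UTIDs listed in the article.

Added example, not Palo Alto Networks code. SIGNATURE_TABLE is the article's
own list; THREAT_LOG is constructed and simplified, and the "Name(UTID)"
threat-field format is an assumption to verify against real logs.
"""
import re

SIGNATURE_TABLE = """
trojan/Win32 EXE.darkside.aa       373806183
trojan/Win32 EXE.darkside.z        407907864
Virus/Linux.WGeneric.bbunth        402945111
Virus/Win32.WGeneric.anajbm        366300777
Virus/Win32.WGeneric.ankojr        369421158
Virus/Win32.WGeneric.anyfxg        373481343
Virus/Win32.WGeneric.aumvzg        387811014
Virus/Win32.WGeneric.awzjiz        391455654
Virus/Win32.WGeneric.axqzpj        392983785
Virus/Win32.WGeneric.bayxfp        400229172
Virus/Win32.WGeneric.bbdzgp        400676694
Virus/Win32.WGeneric.bbdzul        400678365
Virus/Win32.WGeneric.bbeceq        400685469
Virus/Win32.WGeneric.bbfjpf        400838946
Virus/Win32.WGeneric.bcltkq        405810150
Virus/Win32.WGeneric.bdbmwd        407418306
Virus/Win32.WGeneric.bdjddu        408156777
Virus/Win32.WGeneric.bdulsc        409279299
"""

# Constructed, simplified threat-log lines:
# time,src,dst,subtype,threat-name(UTID),action
# Addresses are documentation ranges; the UTID 999999 entry is a placeholder
# for an unrelated signature.
THREAT_LOG = [
    "2021/05/12 10:01:22,10.0.0.5,203.0.113.7,virus,Virus/Linux.WGeneric.bbunth(402945111),reset-both",
    "2021/05/12 10:04:09,10.0.0.9,198.51.100.3,vulnerability,Example Unrelated Signature(999999),alert",
    "2021/05/12 10:07:41,10.0.0.12,203.0.113.7,virus,trojan/Win32 EXE.darkside.aa(373806183),alert",
    "2021/05/12 10:09:03,10.0.0.5,192.0.2.44,virus,Virus/Win32.WGeneric.zzzzzz(123456789),reset-both",
]

UTID_RE = re.compile(r"\((\d+)\)\s*$")
BLOCKING_ACTIONS = {"reset-both", "reset-client", "reset-server", "drop", "block"}


def parse_signatures(table: str) -> dict:
    """Map UTID (int) -> signature name; the UTID is the last whitespace-separated token."""
    sigs = {}
    for line in table.strip().splitlines():
        name, utid = line.rsplit(None, 1)
        sigs[int(utid)] = name.strip()
    return sigs


def find_hits(log_lines, sigs: dict) -> list:
    """Return one dict per log line whose threat UTID is in the signature set."""
    hits = []
    for line in log_lines:
        fields = line.split(",")
        if len(fields) < 6:
            continue  # malformed or truncated line; skip rather than guess
        match = UTID_RE.search(fields[4])
        if not match or int(match.group(1)) not in sigs:
            continue
        hits.append({"time": fields[0], "src": fields[1], "dst": fields[2],
                     "utid": int(match.group(1)), "name": sigs[int(match.group(1))],
                     "action": fields[5].strip()})
    return hits


def unblocked_hosts(hits) -> list:
    """Sources where the detection was only alerted on, i.e. the sample was not stopped."""
    return sorted({h["src"] for h in hits if h["action"] not in BLOCKING_ACTIONS})


if __name__ == "__main__":
    hits = find_hits(THREAT_LOG, parse_signatures(SIGNATURE_TABLE))
    for h in hits:
        print(f"{h['time']} {h['src']} -> {h['dst']} {h['name']} ({h['utid']}) action={h['action']}")
    print("hosts needing follow-up:", unblocked_hosts(hits))
```

On the constructed log, two of the four lines match the table; the one logged with action alert is the host that needs isolation and a full scan, which is the practical reason to check the action field rather than stopping at the signature match.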


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001VMY&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail