Best practices to prevent DarkSide ransomware
Created On 05/12/21 22:09 PM - Last Modified 05/13/21 07:57 AM
Question
What is the DarkSide ransomware and what are the best mitigation and prevention steps?
Environment
- All PAN-OS
- Anti-Virus license
Answer
What is DarkSide ransomware?
DarkSide ransomware was first seen in August 2020 on Russian-language hacking forums. It is a ransomware-as-a-service platform that cybercriminals can hire. DarkSide is mainly known to target big companies in several industries, including healthcare, funeral services, education, public sector, and non-profits.
Who is the latest target for DarkSide ransomware?
Colonial Pipeline; the company learned of the attack on Saturday, May 8th, at 12:30 PM.
Here is the company blog: Colonial Pipeline System Disruption
CISA and FBI alert.
Here is the alert sent by the FBI and CISA that explains the detailed steps and process of mitigation.
The kill chain and threat actors.
- The first step is to gain initial access, through phishing or by exploiting remotely accessible accounts, VDI, RDP, and similar.
- The second step is to encrypt and steal sensitive data.
- The DarkSide ransomware uses Salsa20 and RSA encryption. The file extension can be random.
- For command and control, the threat actor primarily uses "The Onion Router (TOR)"; in some instances, threat actors have also used Cobalt Strike.
- Payment is demanded in Bitcoin and Monero cryptocurrencies.
Here is the PAN advisory for the Best Practices for Ransomware Prevention.
PAN coverage:
Palo Alto Networks covers many DarkSide-related hashes, URLs, and IP addresses. These IOCs are delivered in the Anti-Virus, Anti-Spyware, and URL Filtering threat packages. The Additional Information section below lists the current coverage for the DarkSide AV signatures.
Unit 42 article:
Here is the Unit 42 article.
Mitigation steps based on Palo Alto Networks Best Practices documents, and CISA/FBI recommendations:
- Unit 42 blogs cover the mitigation steps in detail.
- Here is the PAN advisory for the Best Practices for Ransomware Prevention.
- Antivirus profile: make sure the action for all protocols (HTTP2, IMAP, POP3, and others) is set to "reset-both".
- Setting vulnerability and anti-spyware signatures with a severity of High or Critical to "reset-both" or "drop" is a good practice.
- URL Filtering: set the following categories to block: command and control, dynamic DNS, hacking, high-risk, insufficient-content, malware, newly-registered-domains, not-resolved, parked, phishing, questionable, unknown. Here is a best-practices document.
- SSL Decryption is one of the requirements for detecting malicious patterns, as most of our signatures use the http_decoder to inspect the content of the payload. The firewall can only inspect encrypted traffic (TLS/SSL/HTTPS) if it is decrypted using a decryption profile and policy. Documentation on configuring a decryption policy can be found here.
- File blocking profile: block password-protected compressed and zip files.
- Remote access to OT and IT networks needs multi-factor authentication.
- Use strong spam filters to prevent phishing emails from reaching end users.
- Continuously monitor and improve the security posture based on alerts and threat logs.
- Continuously train IT staff and end users to recognize social engineering.
- Network traffic:
  - IP-based: prohibit ingress and egress communications with known malicious IP addresses.
  - URL-based: prevent users from accessing malicious websites by implementing URL blocklists and allow lists.
- Software updates: keep software updates centralized and controlled.
- Use a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program.
- Limit RDP.
- Limit resource access.
- Limit resource access attempts.
- Regularly scan the resources with antivirus/antimalware.
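To make the profile checks above concrete, here is an added example (not Palo Alto Networks code) that parses a constructed configuration export shaped like a PAN-OS XML config and reports URL categories from the list above that are not set to block, plus antivirus decoders whose action is not reset-both; the element layout, the profile name "ransomware-bp" and the hyphenated category names are assumptions.

```python
import xml.etree.ElementTree as ET

# URL categories the article says to block (hyphenated PAN-OS names) and the recommended AV action.
BLOCK_CATEGORIES = [
    "command-and-control", "dynamic-dns", "hacking", "high-risk",
    "insufficient-content", "malware", "newly-registered-domains",
    "not-resolved", "parked", "phishing", "questionable", "unknown",
]
REQUIRED_AV_ACTION = "reset-both"

# Constructed sample shaped like a PAN-OS config export (assumed vsys/profiles layout).
# Two settings are deliberately weak: "unknown" is only alerted on, and the IMAP decoder only alerts.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys>
<entry name="vsys1"><profiles>
 <url-filtering><entry name="ransomware-bp"><block>
  <member>command-and-control</member><member>dynamic-dns</member>
  <member>hacking</member><member>high-risk</member>
  <member>insufficient-content</member><member>malware</member>
  <member>newly-registered-domains</member><member>not-resolved</member>
  <member>parked</member><member>phishing</member><member>questionable</member>
 </block><alert><member>unknown</member></alert></entry></url-filtering>
 <virus><entry name="ransomware-bp"><decoder>
  <entry name="http2"><action>reset-both</action></entry>
  <entry name="imap"><action>alert</action></entry>
  <entry name="pop3"><action>reset-both</action></entry>
 </decoder></entry></virus>
</profiles></entry></vsys></entry></devices></config>"""

def audit_config(xml_text):
    """Return (url_findings, av_findings): unblocked listed categories and decoders not set to reset-both, per profile."""
    root = ET.fromstring(xml_text)
    url_findings, av_findings = {}, {}
    for entry in root.iterfind(".//url-filtering/entry"):
        blocked = {m.text for m in entry.findall("block/member")}
        missing = [c for c in BLOCK_CATEGORIES if c not in blocked]
        if missing:
            url_findings[entry.get("name")] = missing
    for entry in root.iterfind(".//virus/entry"):
        weak = {d.get("name"): d.findtext("action")
                for d in entry.findall("decoder/entry")
                if d.findtext("action") != REQUIRED_AV_ACTION}
        if weak:
            av_findings[entry.get("name")] = weak
    return url_findings, av_findings

if __name__ == "__main__":
    urls, avs = audit_config(SAMPLE_CONFIG)
    print("URL categories not blocked:", urls)   # {'ransomware-bp': ['unknown']}
    print("AV decoders not reset-both:", avs)    # {'ransomware-bp': {'imap': 'alert'}}
```

Point the script at a real exported running-config to audit every URL Filtering and Antivirus profile at once.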
Additional Information
Here is the list of known DarkSide signatures; this list is valid at the time of publication. Palo Alto Networks reserves the right to replace these signatures based on prevalence in the WildFire cloud.
Signature Name                    UTID
trojan/Win32 EXE.darkside.aa      373806183
trojan/Win32 EXE.darkside.z       407907864
Virus/Linux.WGeneric.bbunth       402945111
Virus/Win32.WGeneric.anajbm       366300777
Virus/Win32.WGeneric.ankojr       369421158
Virus/Win32.WGeneric.anyfxg       373481343
Virus/Win32.WGeneric.aumvzg       387811014
Virus/Win32.WGeneric.awzjiz       391455654
Virus/Win32.WGeneric.axqzpj       392983785
Virus/Win32.WGeneric.bayxfp       400229172
Virus/Win32.WGeneric.bbdzgp       400676694
Virus/Win32.WGeneric.bbdzul       400678365
Virus/Win32.WGeneric.bbeceq       400685469
Virus/Win32.WGeneric.bbfjpf       400838946
Virus/Win32.WGeneric.bcltkq       405810150
Virus/Win32.WGeneric.bdbmwd       407418306
Virus/Win32.WGeneric.bdjddu       408156777
Virus/Win32.WGeneric.bdulsc       409279299