Darkside Ransomware Attack and Domain Compromise - Attivo Networks
Attivo Networks Blogs

Darkside Ransomware Attack and Domain Compromise

Author: Venu Vissamsetty, V.P Security Research, Attivo Networks – Colonial Pipeline, one of the largest pipeline operators in the United States, had to shut down operations on May 8th, 2021 after becoming the victim of a ransomware attack. The FBI confirmed that the DarkSide ransomware group was responsible for the attack on the Colonial Pipeline infrastructure.

Darkside is human-operated ransomware that uses various post-exploitation tools (such as Cobalt Strike, Metasploit framework, Bloodhound, etc.) to perform Active Directory enumeration, identify paths to high privilege targets, and deploy ransomware organization-wide.

Prior IR (Incident Response) engagements of organizations infected with Darkside ransomware have seen that the group targets the organization’s domain controllers after getting initial access.

“We observed Darkside payload (e.g., azure_agent.exe.exe) staged on the domain controller in a network-shareable folder (e.g., C:\Windows\IME\azure), followed by the establishment of a scheduled task (e.g., \Windows\SYSVOL\domain\Policies\{L0NGMGU1D}\User\Preferences\ScheduledTasks) set with Group Policy and instructing hosts to obtain and execute the payload. This resulted in a fully automated enterprise-wide deployment less than 24 hours after data was exfiltrated.”

Source: https://www.areteir.com/darkside-ransomware-caviar-taste-on-your-big-game-budget/

The following are some of the methods the threat actors used to gain domain dominance after the initial compromise.

  • Use tools such as Cobalt Strike, Metasploit framework, Bloodhound, Powershell Empire, etc., to perform Active Directory enumeration and move laterally from the initially infected system to escalate privileges.
  • Use Mimikatz to dump credentials and gain domain administration access.
  • Deploy ransomware payload to a network shared folder that is accessible to all computers in a domain.
  • Deploy ransomware payload across the organization by creating GPO scheduled tasks.

How organizations can protect against human-operated ransomware operators

The Attivo Networks ThreatDefend® platform prevents attackers from moving laterally and stops ransomware from encrypting or exfiltrating data at multiple stages of the attack cycle.

Step 1: The Attivo Networks ADSecure solution restricts Active Directory enumeration access on an as-needed basis, preventing attackers from discovering privileged Active Directory users or group permissions.

Attackers must perform domain reconnaissance to discover:

They must also perform SMB Net session enumeration to discover the systems of privileged users.

Step 2: The Attivo Networks ADSecure solution detects attacker attempts to dump credentials, extract tickets, and elevate domain credentials to perform Golden Ticket and DC Sync Attacks.

Step 3: The Attivo Networks ADSecure solution prevents attackers from discovering and gaining access to the organization’s domain controllers.

Step 4: The Attivo Networks DataCloak function hides and denies access to local files, folders, and network or cloud shares from ransomware payloads. Files are not visible to malicious ransomware processes, and they can’t exfiltrate or encrypt files that are not visible.

The Darkside ransomware attack on Colonial Pipeline caused significant damage to the company and disrupted pipeline operations for much of the east coast of the United States. Organizations can limit the damage these attacks can cause by implementing the Attivo ThreatDefend® platform.

About Attivo Networks:

Attivo Networks®, the leader in preventing identity privilege escalation and detecting lateral movement attacks, delivers a superior defense for countering threat activity. ThreatDefend® Platform customers gain unprecedented visibility to risks, attack surface reduction, and speed up attack detection. Patented innovative defenses cover critical points of attack, including at endpoints, in Active Directory (AD), in the cloud, and across the entire network. Concealment technology hides critical AD objects, data, and credentials. Bait and misdirection efficiently steer attackers away from production assets, and deception decoys derail lateral movement activities. Attivo has won over 150 awards for its technology innovation and leadership. www.attivonetworks.com.

Share on:

Free Active Directory Assessment

Get Visibility Into Privilege And Service Account Exposure

For a limited time, Attivo Networks is providing free Active Directory Security Assessments to demonstrate how ADAssessor provides unprecedented and continuous visibility to AD vulnerabilities.

Try Our Endpoint Detection Net (EDN) for Free

FAST AND EASY

Free use offer of our Award-winning security solution to prevent attackers from lateral movement, credential theft, and privilege escalation, fast and easy.

Newsletter Signup

    Yes, please opt me in to receive your quarterly newsletter, event invitations, and product updates.

    I understand that I can opt out at any time, and can refer to Attivo Networks Privacy Policy for more information.
  • This field is for validation purposes and should be left unchanged.

ADSecure 90-Day Free Trial

GET PROTECTION AGAINST UNAUTHORIZED ACCESS TO ACTIVE DIRECTORY

  • Hide and deny access to AD objects
  • Get alerted on unauthorized queries
  • Attack details easily viewable in dashboard
  • Your data remains on-premise

RSS

Leave a Comment

Your email address will not be published. Required fields are marked *

nineteen − 14 =

Ready to find out what’s lurking in your network?

Scroll to Top