Cooperatives are no more immune to ransomware than anyone else is. In fact, as we saw recently, because of the mass disruption that can be created by targeting critical infrastructure, cooperatives are likely at more risk! Colonial Pipeline was infected with ransomware that caused the company to completely shut down operations.
The Russian gang “Darkside” is a ‘ransomware as a service’ (RaaS) operator that runs its operation the way a business would: tech support with toll-free numbers, mission statements, even a marketing team, only their ‘members’ are victims. They even have a ‘code of conduct’. That code states that they do not attack hospitals, hospices, schools, universities, government agencies or non-profit organizations. They brand themselves as the good ransomware people.
How Does this Happen?
We have seen ransomware attacks hit organizations running older systems that aren’t updated or patched. These attackers scan the internet for any vulnerability they can find and exploit it as soon as they find it. They use phishing schemes or buy previously phished accounts on the dark web. They employ social engineering or any other method that gets them traction.
The attackers establish a foothold in your systems. Often we see an initial set of access followed by the creation of a backdoor that gives them persistent access in case a password is changed or systems are swapped out. Then the attackers begin siphoning off data about you, using encrypted traffic to hide what is being sent and to blend it in with the legitimate traffic on your network. From a network monitoring tool’s or firewall’s perspective, this is business as usual: the traffic is mostly indistinguishable from the other communications flowing across the network to the internet.
Next, they work on lateral movement through your systems. The idea is to pivot from one part of the network to another where the more protected assets are located. They’re looking for SCADA servers, operational systems, anything that will make you pay up to get it working again. They’re also looking for troves of information containing embarrassing data you’ll be willing to pay to get back.
Before encrypting those systems, which alerts the organization to their presence, they need to finish mapping your systems to make sure they have everything they want and also have a path back inside in case you look like a good potential “return customer”. They also want to see whether you have connections to larger organizations that may give them an even bigger return on investment. So they map your entire network and begin harvesting credentials. A common method is to dump credentials with Mimikatz (a hacking tool used to obtain Windows credentials), pulling Microsoft Active Directory users and credentials from NTDS.DIT and other sources. Once the credentials are obtained, mass data exfiltration usually follows. After the data is exfiltrated, using the same encrypted methods to disguise itself as normal traffic, the attacker simply uses home-made or open-source software to encrypt your files and records the keys, to be handed over on your anticipated payment!
What can be done?
- First, use modern next-gen antivirus software like FortiEDR or Carbon Black. I can’t recommend these products enough. SkyHelm has a 24/7 SOC that monitors and manages FortiEDR on client computers and has the ability to detect and roll back damage from ransomware.
- Second, make sure your software is up to date and patched. This isn’t just your operating systems and Microsoft products but software applications too. Adobe products, TeamViewer, Chrome, etc. Everything has to be kept up to date!
- Third, use a modern firewall. We recommend FortiGates because they are affordable and just as powerful as their more costly rivals. We manage Palos and have experience with several other brands too, but without a next-gen, behavior-based firewall your chance of detecting remote exploits dwindles quickly.
- Fourth, scan for vulnerabilities. Do this often, not once or twice a year. SkyHelm sets up an always-on vulnerability scanner that scans your network, finishes the scan, updates itself, then begins scanning again. This is the only way to catch the latest known vulnerabilities.
- Fifth, SIEM. Have a Security Information and Event Management system pulling data in from all over your systems to ensure that
- Sixth, and maybe one of the most important: have 24/7 security monitoring!
Ensure everything is patched and up to date, not just your external services but internal ones too. This will shut down attackers, or at least drastically slow them down, should they gain any foothold in the environment.
Finally, enforce good security practices and policies. Follow modern password recommendations that focus on length rather than complexity. For email, multi-factor authentication goes a long way toward stopping attacks.
Systems and SCADA security isn’t easy, but that’s why SkyHelm exists. SkyHelm protects America’s critical infrastructure, and with our background in electric cooperatives, oil and gas, and other industries, we know which tools can make your systems secure.
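As an added illustration of the kind of rule a SIEM fed by endpoint logs can run to catch the credential harvesting described above (example code written for this page, not SkyHelm’s tooling): it scans constructed Windows event records and flags a process opening a handle to lsass.exe or reading NTDS.DIT. The event IDs (Sysmon 10 for process access, Security 4663 for object access), the field names and the allow-lists are assumptions a real deployment would map from its own log parser.

```python
import json

# Assumed event IDs: Sysmon 10 = ProcessAccess, Windows Security 4663 = object access.
# Assumed allow-lists of processes that legitimately touch these targets.
LSASS_ALLOWED = {"csrss.exe", "wininit.exe", "svchost.exe"}
NTDS_ALLOWED = {"lsass.exe"}  # on a domain controller, lsass.exe holds NTDS.DIT open


def classify(event):
    """Return an alert string for a suspicious credential-access event, else None."""
    eid = event.get("event_id")
    # Compare on the file name only, so the rule is independent of install paths.
    proc = event.get("process", "").rsplit("\\", 1)[-1].lower()
    target = event.get("target", "").rsplit("\\", 1)[-1].lower()
    if eid == 10 and target == "lsass.exe" and proc not in LSASS_ALLOWED:
        return f"{event['host']}: {proc} opened a handle to lsass.exe"
    if eid == 4663 and target == "ntds.dit" and proc not in NTDS_ALLOWED:
        return f"{event['host']}: {proc} read NTDS.DIT"
    return None


def scan(lines):
    """Parse one JSON event per line and return the alerts in log order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than stall the pipeline
        alert = classify(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log lines (not real telemetry). Backslashes are JSON-escaped.
SAMPLE_LOG = r"""
{"host": "DC01", "event_id": 4663, "process": "C:\\Windows\\System32\\lsass.exe", "target": "C:\\Windows\\NTDS\\ntds.dit"}
{"host": "WS07", "event_id": 10, "process": "C:\\Windows\\System32\\svchost.exe", "target": "C:\\Windows\\System32\\lsass.exe"}
{"host": "WS07", "event_id": 10, "process": "C:\\Users\\jdoe\\Downloads\\update.exe", "target": "C:\\Windows\\System32\\lsass.exe"}
{"host": "DC01", "event_id": 4663, "process": "C:\\Windows\\Temp\\copy.exe", "target": "C:\\Windows\\NTDS\\ntds.dit"}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print("ALERT", alert)
```

The two benign lines (lsass.exe reading its own database, svchost.exe touching lsass.exe) stay quiet; the two unknown executables raise alerts that a 24/7 SOC can triage.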