Written by Rick McElroy, Head of Security Strategy at VMware Security Business Unit

Critical infrastructure has increasingly become a top target for cybercriminals. Over the weekend, we learned of the ransomware attack against a U.S. fuel company, Colonial Pipeline, which carries nearly half the fuel consumed along the U.S. East Coast. This is one of the largest disruptions of U.S. critical infrastructure by a cyberattack in history. It is a startling reminder of how vulnerable everything from our power grid to our water supply remains if we do not bolster our defences.

“This attack will not be an isolated incident. We will continue to see destructive cyberattacks against industrial control system (ICS) environments, with energy, oil, gas and manufacturing companies as top targets for cybercrime cartels. These groups will leverage ransomware as a means of inflicting kinetic damage in the real world,” said Tom Kellermann, head of cybersecurity strategy at VMware.

On Monday, the FBI attributed the cyberattack to DarkSide, a group believed to be based in Eastern Europe. The VMware Threat Analysis Unit (TAU) analysed DarkSide in February and found that the group customises the ransomware binary for the targeted enterprise. Like other ransomware variants, it uses PowerShell to delete volume shadow copies so that data cannot be restored easily. VMware TAU also identified DarkSide actively looking for affiliates to add to their operation via a dark web listing.
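The shadow-copy deletion behaviour described above can be hunted for in process-creation telemetry. The following is an added example, not code from VMware TAU or from the original article: the event fields (`host`, `image`, `cmdline`), the sample events and the matched command forms are assumptions, since the article does not quote the command DarkSide runs.

```python
import base64
import re

# Common shadow-copy deletion forms (assumed; the article quotes no command).
SHADOW_DELETE = [re.compile(p, re.I | re.S) for p in (
    r"win32_shadowcopy.*(\.delete\(|remove-wmiobject|remove-ciminstance)",
    r"vssadmin(\.exe)?\s+delete\s+shadows",
    r"wmic(\.exe)?\s+shadowcopy\s+delete",
)]
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...).
ENCODED_ARG = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)

def decoded_payloads(cmdline):
    """Return the raw command line plus any decodable -EncodedCommand payload."""
    texts = [cmdline]
    for blob in ENCODED_ARG.findall(cmdline):
        try:  # -EncodedCommand carries base64 of UTF-16LE text
            texts.append(base64.b64decode(blob, validate=True).decode("utf-16-le"))
        except ValueError:  # bad base64 or bad UTF-16: not an encoded script
            continue
    return texts

def detect(events):
    """Return hosts where a PowerShell process deleted shadow copies."""
    hits = []
    for ev in events:
        exe = ev["image"].lower().rsplit("\\", 1)[-1]
        if exe not in {"powershell.exe", "pwsh.exe"}:
            continue
        if any(p.search(t) for t in decoded_payloads(ev["cmdline"])
               for p in SHADOW_DELETE):
            hits.append(ev["host"])
    return hits

def encode_ps(script):  # helper used only to build the constructed sample
    return base64.b64encode(script.encode("utf-16-le")).decode()

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed process-creation events, not real telemetry
    {"host": "ws-01", "image": PS, "cmdline":
     'powershell.exe -ep bypass -c "Get-WmiObject Win32_ShadowCopy | % { $_.Delete() }"'},
    {"host": "ws-02", "image": PS, "cmdline": "powershell.exe -NoP -enc "
     + encode_ps("Get-WmiObject Win32_ShadowCopy | % { $_.Delete() }")},
    {"host": "ws-03", "image": PS, "cmdline":  # inventory only, must not alert
     "powershell.exe -c Get-CimInstance Win32_ShadowCopy"},
    {"host": "ws-04", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c dir"},
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Decoding `-EncodedCommand` before matching is what catches the second sample event; a plain string match on the raw command line would miss it.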

Recent research from Digital Shadows provides an analysis of the DarkSide ransomware operation. While attribution is important, it is also necessary to understand the techniques, tactics, and procedures used during the pre-infection and post-infection phases of ransomware, focusing on the behaviours over the “who.”

The Rise in Secondary Extortion and RaaS

Ransomware groups have widely adopted double extortion as a core tactic to ensure profitability. In fact, nearly 40% of security professionals said double-extortion ransomware was the most observed new ransomware attack technique in 2020.

By taking time to quietly exfiltrate sensitive information from the organisation, cybercriminals gain incrementally more leverage over their victims, forcing organisations not only to pay to decrypt their content but also to prevent potentially harmful data from being sold or otherwise publicly disclosed. This significantly increases the impact and damage that ransomware groups can inflict upon their victims and sends a stark warning to others to protect their networks from this ever-evolving threat. To understand modern cybercrime, defenders must account for this as part of their security and resiliency programs.

As ransomware-as-a-service (RaaS) explodes in popularity on the crimeware forums, cybercriminals are finding new and unique ways to deploy ransomware across organisations. Similar to how spies are recruited for espionage against government agencies, regular everyday people with access to high-value targets can be recruited to deploy malware. Often, they are lured through offers of significant sums of money or even a percentage of the ransomware payout, with some offering hundreds of thousands of dollars per victimised organisation.

Affiliate programs and partnerships between ransomware groups have also become a common occurrence alongside the general recruiting of insiders. These affiliate programs look to partner with initial access brokers (criminals who specialise in breaking into organisations and subsequently selling direct access) and with other ransomware gangs in order to improve their tradecraft, furthering their reach and overall profitability.

As demonstrated by DarkSide’s post looking for affiliate partners, the global pandemic has empowered cybercriminals to work together, capitalising on the expanding attack surface. This attack only shows what security professionals have known for years: defenders must continue to work to stay one step ahead of attackers.

4 Cybersecurity Best Practices

Here are four best practices from VMware TAU for organisations looking to protect against the increase in ransomware attacks:

Continue to address ineffective legacy security technology and process weakness

Legacy security solutions and process weaknesses continue to pose a significant risk to organisations, and the shift to an anywhere workforce has quickly expanded the threat landscape. As we emerge from the immediate response phase and begin to see the shape of the long-term future, organisations must identify the critical changes to processes and technology needed to support remote and hybrid workers to work securely and reduce risk.

Deliver security as a distributed service

The world is a more complicated place today with remote workers connecting to applications running on infrastructure that may or may not be managed, owned or controlled by the company. With so many new surfaces and different types of environments to defend, security cannot be delivered as a litany of point products and network choke points. Instead, endpoint and network controls must be delivered as a distributed service. This means delivering security that follows the assets being protected, no matter what type of environment you have.

Adopt an intrinsic approach to cloud-first security

Moving to the cloud is not a security panacea. Not all clouds are equal, and controls need to be vetted because if adversaries want to attack at scale, the cloud is the place to do it. As cloud adoption builds momentum, investment in public cloud security will be critical. When you move to a public cloud, you’re moving to a very tough neighbourhood where security is contingent on your actions and those of your neighbours. You may be able to secure your resources, but you have no control over those sharing that environment with you. Organisations must prioritise securing cloud workloads at every point in the security lifecycle as the great cloud shift continues.

Engage with and have an IR partner on retainer

When it comes to cyberattacks, it’s no longer a matter of if, but when, organisations will be targeted. A great first step is to reach out to an incident response partner to ensure that you are prepared.