Any time a major cyberattack occurs, news organizations of all types rush to get out the news and report on the available facts to get the “scoop”. The attackers were identified as a group called DarkSide out of Russia.
A company called Elliptic says it identified the Bitcoin wallet that received the ransom from the operators of Colonial Pipeline. DarkSide began as just a ransomware tool, but over time it morphed into ransomware-as-a-service (RaaS), meaning the developers behind the code don’t necessarily conduct the intrusions that use the tool. Instead, they provide their malicious tools and services to other criminal affiliates or partners, who then use them to infect and extort victims, giving a percentage of the paid ransoms to the DarkSide developers.
According to Mandiant, the developers take a 25 percent cut for ransoms less than $500,000 and a 10 percent cut for ones exceeding $5 million.
Blockchain analysis company Elliptic also found and analyzed ransom payments made to DarkSide from 47 distinct Bitcoin wallets. The transactions totaled just over $90 million since October 2020.
What have we learned from this attack? The same things cybersecurity professionals have been saying for years: this is nothing new. It has finally happened, and a critical infrastructure attack has had a major impact on the average American.
For this specific attack, FireEye has provided indicators of compromise (IOCs) that organizations can use to determine whether they have been compromised. But organizations need to understand that these IOCs will quickly be out of date and unhelpful in preventing future attacks, because they will change. Organizations need to get back to cybersecurity fundamentals in the Age of Cloud if we want to stop these breaches. From many attacks we can extrapolate the common patterns that always apply, and the commonly used tactics that can help us identify and stop data breaches. Call security professionals at ITRemedy today for a free security assessment.