Ordr Recognized in Gartner Market Guide for CPS Protection Platform Read more here!

On Friday, May 7, 2021, Colonial Pipeline confirmed that a cyberattack forced the company to proactively close down operations and freeze IT systems after becoming the victim of a ransomware attack. Even though the specifics of how the attack was carried out and its impact have not been disclosed, Colonial confirmed that operations is only partially restored even after three days. On May 10, 2021, the FBI confirmed that DarkSide ransomware was responsible for this attack on Colonial Pipeline.

What is Ransomware? 

Ransomware is a form of malware designed to encrypt files on a device, rendering any files and the systems unusable. This is usually carried out by malicious actors who then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data if the ransom is not paid. According to the latest industry trends, ransomware activity increased by close to 150% in 2020, with each event resulting in an average downtime of 18 days. The report also mentions an increase of financial loss for each event by 200% from 2019.

What is DarkSide? 

DarkSide is a group that has used ransomware to attack various companies in the U.S. and Europe. They have attempted to extort companies with threats and claims to give part of the money it makes to charity organizations. DarkSide follows a growing trend by ransomware gangs called “double extortion,” where the hackers not only encrypt and lock the data but threaten to release the data if ransomware is not paid.

FBI Flash Announcement of Indicators of Compromise (IOCs) 

On May 10, 2021, the FBI announced IOCs for the DarkSide ransomware. The list included a set of IP addresses and URLs that are associated with this ransomware. Our security team has incorporated these IOCs into the Ordr platform.

IP addresses associated with DarkSide

URLs associated with DarkSide  


Tracking DarkSide using Ordr 

There are a number of challenges when tracking ransomware typically:

  • Security controls might not have complete visibility to track Patient 0. Most ransomware is targeted
  • Lateral movement of malware is widespread. Security teams need complete visualization of East-West traffic to detect lateral movement
  • Ransomware typically uses standard protocols like HTTPS to communicate to C&C servers, so the traffic may appear benign.

Here are best practices using your Ordr deployment to track a potential DarkSide ransomware infection within your organization.

1. Identify and understand risks for every device 

Ordr uses DPI and AI, along with enrichment from a variety of different security and threat intelligence feeds to calculate the risk and security posture of every device. Device context including static attributes like O/S of the device, hotfixes deployed, installed software deployed, and the behavioral patterns of the device provides a unique view of the risks of a device. Ordr uses industry-leading threat intelligence to detect close to 25 critical event types to identify vulnerable devices in the network, and offers an actionable risk score.

2. Track East-West lateral movement with Ordr Threat Detection Engine 

Ordr sensors deployed across the network support the full stack L7 threat detection capabilities. Most organizations focus on north-south threat detection, but east-west traffic analysis is critical to lateral movement and is a major blind spot for enterprises as this analysis is outside the realm of perimeter firewall.

3. Monitor Communications to DarkSide C2  

Ordr’s multi-dimensional threat intelligence (URL reputation, IP reputation, IDS, weak passwords/certificates, etc.) has been updated to track all future communications to the malicious entities associated with the DarkSide ransomware in real-time. Ordr SCE also supports capabilities to analyze traffic retrospectively for these communications.

Currently, in the Ordr SCE 7.4.2 R1 release this can be accomplished by working with the Ordr Customer Support team. In the upcoming Ordr 7.4.2 R2 release this can be done via YAML and Ordr will support a simple customized YAML file to track these entities. Users can simply edit the YAML file and add the above list of IOCs to the file. This will update the system in real-time and will analyze all new and retrospective communications against the list and mark them accordingly.

All the IP addresses communications will be captured under Prohibited IP, and the URL communications will be captured as part of suspicious domains in the security page of SCE. The risk score for the devices with these communications will increase accordingly. This information is also available on the traffic analysis tool, where you can drill down on the data based on the classification type, VLAN or Subnet.

4. Customized Security Event Monitoring 

One other feature added to the upcoming 7.4.2 R2 release is the ability to create a special event that track customized IP addresses and suspicious domains. Users can configure the event by simply editing the YAML file named “monitoring-groups.yaml”.

Users can follow steps to create a new event called DarkSide and add associated URLs and IPs given in the list to the file. This will create a new entry in the Ordr Group Traffic Analysis constellation view which, provides users with a complete overview of network communications. The user will have an option to drill down the communication patterns of each device associated with the event. This could give some pointers to other devices that should be analyzed for potential infections. Multiple events can be created if needed.

Twas the night before Christmas, when all through the enterprise

Not a creature was stirring, not even network or IT guys.

Proxy firewalls were humming by the perimeter with care,

Just in case intruders or hackers would dare.

The CISOs were all nestled all snug in their beds,

While visions of protected networks danced in their heads.

And the IT Staff all cozy and I in my cap,

Had just settled down for a nice well-earned nap.

When out from my iPhone, there arose such a clatter,

I sprang from the bed to see what was the matter.

Away to my computer, I flew like a flash

I typed in my password as fast as I could dash.

The screen on my dashboard it started to glow

Gave the luster to the objects below

When what to my worried eyes should appear,

But a scary demand…, oh no ransomware!

A million in bitcoin I’d have to pay quick

Or else all devices and my network will be sick

My heart started to race thinking about WannaCry

I’m just a regional hospital, attack me but why?

And then a buzz on the phone, I worried what was next.

My anxiety was relieved, Pandian had sent me a text.

As I drew in my hand, and was turning around,

Down the chimney ORDR came with a bound.

It was the team best known for proactive protection

Micro-segmentation, my network was in sections

Luckily the damage was quickly contained

Spreading is cut short and order maintained

Ordr’s SCE, a closed-loop solution that’s smart

Implementing policies it’s a real art

Flow genome, it’s about being context-aware

Asset managers and IT staff, no need for despair

When everything today is hyper-connected

It will tell you right away when the MRI is infected.

Up and running my network was clean

Relieved, my happy face started to gleam

He sprang to his sleigh, to his team gave a thumbs up,

And away they all flew like a nimble startup.

And I heard him exclaim, as he drove out of sight,