Let’s take the network view in tracking DarkSide and ransomware

While reporting on the incident continues to evolve as more evidence emerges, what has been missing from the discussion so far is a network-centric view of the general behaviours, and the detection possibilities, associated with ransomware deployment.

So here’s an overview of the event, the behaviours linked to similar ransomware operations, the importance of network visibility, and possibilities for network detection and monitoring to meet these adversaries and related malicious activities head-on.

On May 7, 2021, Colonial Pipeline suffered a ransomware incident. While all available information indicates that ransomware impacted only enterprise IT systems for Colonial, the company pre-emptively shut down linked industrial control systems (ICS) out of an abundance of caution.

Subsequently the intrusion and resulting disruption were linked to a ransomware variant known as DarkSide. Active since at least August 2020, DarkSide operates under a ‘Ransomware as a Service’ or ‘affiliate’ model where the group provides double-extortion ransomware services to other entities that execute the actual network breach and capability deployment.

DarkSide then manages negotiations and payment to both decrypt a victim’s information and to stop the selective leaking of data exfiltrated from the target network.

While DarkSide-related activity has continued at a relatively steady rate since its initial discovery in 2020, the Colonial Pipeline incident is notable for its disruptive impact. It was neither the first notable cyber intrusion affecting pipeline systems nor the first ransomware event on pipeline infrastructure, but Colonial’s pre-emptive shutdown of critical systems brought its operations to a halt.

The disruption prompted reactions ranging from panic buying of gasoline to statements from the White House. Although Colonial was able to begin restoring operations as early as May 12, 2021, the shock and short-term impacts of the event were felt across both policymaker and information security circles.

Ransomware entity intrusion tradecraft

DarkSide ransomware has impacted multiple victims since its discovery in 2020. Yet while the final payload, which induces network disruption (and data theft for extortion), is concerning, defenders should focus on the preliminary steps that enable ransomware execution rather than on the ransomware family itself.

In this respect, because adversaries deploy DarkSide through an ‘affiliate model’, the ransomware variant is linked to multiple behavioural profiles rather than a single one.

Multiple vendors provide insight into initial access, entrenchment, and subsequent lateral movement activity linked to DarkSide deployment. Among the most notable examples are the following:

  • Initial reporting from Digital Shadows in September 2020
  • Cybereason Nocturnus’ overview of activity in April 2021
  • Varonis reporting, subsequently updated after the Colonial incident
  • An overview of recent DarkSide behaviours from FireEye, also after the Colonial incident
  • Observations from incident response engagements from Sophos
  • Further analysis from Palo Alto Unit 42

These are all valuable contributions to the discussion concerning DarkSide’s deployment, and my company highly recommends that defenders review these items for awareness and to become familiar with this threat.

Yet all these items largely focus on host-based actions and observations, which is unsurprising, as most of the entities in question are involved in host-based security solutions. In addition to these observations, defenders possess a multitude of options for tracking behaviours over the network related to DarkSide deployment, as well as other ransomware operations.

Initial access mechanisms

Adversary deployment of DarkSide ransomware is linked to a variety of initial access mechanisms, as one would expect given that multiple entities use it. Based on a review of available literature and analysis, my company identifies the following as the primary mechanisms DarkSide affiliates use to initially breach victim networks:

  • Phishing activity leveraging malicious attachments
  • Credential replay attacks against external-facing services, such as Remote Desktop Protocol (RDP)
  • Use of publicly disclosed exploits against external-facing services, such as vulnerabilities in externally accessible VPN appliances (including CVE-2021-20016)

While these represent known vectors linked to DarkSide affiliate operations, the specific mechanism used to infiltrate Colonial Pipeline is not known at present. Nonetheless, these initial intrusion mechanisms align well with common tradecraft associated with not only criminal operations (such as ransomware), but also advanced persistent threat (APT) or state-directed intrusions.

While one specific VPN exploit is called out in research from FireEye, my company assesses that other publicly disclosed exploits have likely been used as part of intrusions leading to ultimate ransomware deployment more generally.

Given the significant increase in disclosure and subsequent use of exploits targeting external-facing appliances such as VPN concentrators, network defenders should anticipate rapid moves by a variety of adversaries, whether related to DarkSide or not, to take advantage of such potential ingress points.
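The credential replay vector above leaves a network-visible trace even without endpoint telemetry: an external source opening many short-lived connections to an exposed RDP service. The following is an added illustration of that check, not code from the original post. The connection record layout (loosely modelled on Zeek conn.log fields), the internal address ranges, the heuristic that failed logons appear as brief sessions while successful interactive sessions are long, the window and threshold values, and every sample connection are assumptions.

```python
"""Flag credential-replay attempts against an exposed RDP service using only
connection metadata (who connected to what, when, and for how long).

Added illustration, not code from the original post. The record layout, the
internal address ranges, the thresholds, and the sample connections below are
all constructed assumptions.
"""
from collections import defaultdict, namedtuple
from ipaddress import ip_address, ip_network

# One connection record: start time (epoch seconds), source, destination,
# destination port, duration in seconds. Constructed layout, not a real format.
Conn = namedtuple("Conn", "ts src dst dport duration")

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RDP_PORT = 3389


def is_external(ip):
    """Anything outside the RFC 1918 ranges is treated as Internet-facing here."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def rdp_replay_attempts(conns, window=300, threshold=10, max_duration=3.0):
    """Return {(src, dst): n} for every external source that opened at least
    `threshold` short-lived RDP connections to one host inside any `window`
    second span. Assumed heuristic: failed logons show up as many brief
    sessions, while a successful interactive session is long and is excluded."""
    times = defaultdict(list)
    for c in conns:
        if c.dport != RDP_PORT or c.duration > max_duration or not is_external(c.src):
            continue
        times[(c.src, c.dst)].append(c.ts)

    alerts = {}
    for pair, ts_list in times.items():
        ts_list.sort()
        start = 0
        for end, t in enumerate(ts_list):
            # Slide the window start forward until it spans <= `window` seconds.
            while t - ts_list[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[pair] = max(alerts.get(pair, 0), count)
    return alerts


# Constructed sample: 12 brief external RDP connections 20 s apart (the
# replay attempt), 3 from another external address, one long external session,
# and internal admin RDP that is out of scope for this rule.
SAMPLE_CONNS = (
    [Conn(1_700_000_000 + 20 * i, "203.0.113.7", "192.168.10.5", 3389, 0.4) for i in range(12)]
    + [Conn(1_700_000_500 + 60 * i, "198.51.100.9", "192.168.10.5", 3389, 0.6) for i in range(3)]
    + [Conn(1_700_000_900, "203.0.113.80", "192.168.10.5", 3389, 1800.0),
       Conn(1_700_001_000, "10.0.0.4", "192.168.10.5", 3389, 600.0)]
)

if __name__ == "__main__":
    for (src, dst), n in rdp_replay_attempts(SAMPLE_CONNS).items():
        print(f"possible credential replay: {src} -> {dst}:{RDP_PORT}, {n} attempts in window")
```

The rule keys on the source/destination pair rather than the source alone, so a single external address spraying one exposed host stands out while occasional short connections from many addresses do not; a separate inventory of any inbound RDP from non-internal sources is the companion check, since an exposed RDP service is itself the finding.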

Lateral movement and command and control activity

Once inside victim networks, DarkSide-related intrusions leverage a combination of built-in system tools (‘living off the land’ binaries, or LoLBins) and publicly or commercially available tools for varying levels of network communication and functionality. These are deployed both to spread throughout the victim network and to maintain command and control (C2) over any implants or tools. Examples include:

  • The Sysinternals remote command execution utility PsExec
  • Commercially available remote access tools such as TeamViewer
  • The PuTTY-related application Plink
  • The commercially available (but frequently pirated or cracked) Cobalt Strike
  • The publicly available Custom Command and Control (C3) framework
  • Network enumeration tools such as ADRecon and BloodHound for mapping victim Active Directory instances
  • Tunneling C2 traffic, including RDP, via The Onion Router (TOR) to mask activity

Additionally, adversaries leverage built-in tools such as RDP and server message block (SMB) connections to enable tool or capability deployment and lateral movement in victim environments, combined with continuous credential harvesting via tools such as Mimikatz.

At this stage, endpoint visibility becomes valuable for assessing an intrusion in many cases. However, even the best endpoint visibility on its own is insufficient to track, detect, and monitor elusive adversaries.

This is especially the case for internal network movement. By pairing endpoint visibility with network visibility and robust network security monitoring, defenders can ensure that all possible avenues for intruder operation are accounted for.

Like the initial access vectors, the lateral movement and C2 mechanisms identified here are hardly unique to DarkSide deployment. Instead, these techniques encompass behaviours also deployed by entities ranging from APTs to other criminal actors.

By monitoring either external communication linked to the tools or techniques listed above, or internal communication flows for lateral movement activity, defenders can identify malicious behaviours even where endpoint and similar visibility has been evaded.
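The internal communication flows mentioned above can be checked for the RDP and SMB lateral movement pattern without any endpoint data: one internal host suddenly reaching many internal peers on administrative ports it has never used them for. The following is an added illustration, not code from the original post. The record layout, the internal address ranges, the learned baseline of known peer pairs, the window and threshold values, and the sample connections are all constructed assumptions.

```python
"""Flag internal lateral-movement fan-out from connection metadata: one
internal host opening SMB, RDP or WinRM connections to many internal peers it
has not been seen talking to before.

Added illustration, not code from the original post. The record layout, the
internal address ranges, the baseline of known peer pairs, the window and
threshold values, and the sample connections are all constructed assumptions.
"""
from collections import defaultdict, namedtuple
from ipaddress import ip_address, ip_network

# One connection record: start time (epoch seconds), source, destination, port.
Conn = namedtuple("Conn", "ts src dst dport")

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Built-in remote-administration channels: SMB (PsExec-style execution and
# file copy), RDP, and WinRM.
ADMIN_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM"}


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def lateral_fanout(conns, baseline_pairs, window=600, threshold=5):
    """Return {src: sorted list of new destinations} for every internal host
    that reached at least `threshold` previously unseen internal hosts on admin
    ports within one fixed `window`-second bucket.

    `baseline_pairs` holds (src, dst) admin-port pairs learned during a quiet
    period, so routine traffic such as a workstation to its file server is
    not counted."""
    new_peers = defaultdict(set)  # (src, time bucket) -> {dst}
    for c in conns:
        if c.dport not in ADMIN_PORTS:
            continue
        # Only internal-to-internal traffic is lateral movement; outbound SMB
        # to the Internet deserves its own rule and is skipped here.
        if not (is_internal(c.src) and is_internal(c.dst)) or c.src == c.dst:
            continue
        if (c.src, c.dst) in baseline_pairs:
            continue
        new_peers[(c.src, c.ts // window)].add(c.dst)

    alerts = {}
    for (src, _bucket), dsts in new_peers.items():
        if len(dsts) >= threshold:
            alerts[src] = sorted(set(alerts.get(src, [])) | dsts)
    return alerts


# Constructed baseline: two workstations talk to a file server, a management
# host talks to one workstation.
BASELINE_PAIRS = {("10.0.1.20", "10.0.2.5"), ("10.0.1.30", "10.0.2.5"),
                  ("10.0.9.1", "10.0.1.20")}

T0 = 1_700_000_400  # a multiple of 600, so the burst below lands in one bucket

# Constructed sample: workstation 10.0.1.20 sweeps six new hosts over SMB in
# 75 seconds (the fan-out), alongside routine and out-of-scope traffic.
SAMPLE_CONNS = (
    [Conn(T0 + 15 * i, "10.0.1.20", f"10.0.3.{11 + i}", 445) for i in range(6)]
    + [Conn(T0 + 5, "10.0.1.20", "10.0.2.5", 445),        # baseline pair
       Conn(T0 + 30, "10.0.1.30", "10.0.2.5", 445),       # baseline pair
       Conn(T0 + 40, "10.0.1.30", "10.0.3.11", 3389),     # one new peer, below threshold
       Conn(T0 + 50, "10.0.1.20", "203.0.113.50", 445),   # outbound SMB, not lateral
       Conn(T0 + 60, "10.0.1.40", "10.0.3.11", 80)]       # not an admin port
)

if __name__ == "__main__":
    for src, dsts in lateral_fanout(SAMPLE_CONNS, BASELINE_PAIRS).items():
        print(f"admin-port fan-out from {src}: {len(dsts)} new hosts: {', '.join(dsts)}")
```

Fixed time buckets keep the logic simple at the cost of possibly splitting a sweep across two buckets; the baseline set is what makes the rule usable, since management hosts and backup servers legitimately talk to many peers and need to be learned rather than alerted on.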

Data exfiltration

One other component of DarkSide-related operations, shared with some other ransomware families, is the use of ‘double extortion’ to prompt payment: in addition to encrypting data, the adversary steals victim information and threatens to publish it unless payment is made.

Identifying large-scale data exfiltration in progress can be an indicator of imminent disruptive action, and if caught in time it may allow defenders to respond quickly enough to prevent further harm. Based on reporting from researchers at Red Canary on general trends in this space, as well as specific observations on DarkSide, the following tools and techniques appear to be associated with ‘double extortion’ operations:

  • Use of cross-platform, free tools such as Rclone or WinSCP
  • Mega.io-focused tools such as MEGAcmd or MEGAsync

Although not conclusively proven, media reporting indicates that, at least in the Colonial incident, the criminals used cloud hosting infrastructure, specifically from DigitalOcean, as an intermediary for data exfiltration.

The above behaviours offer a variety of detection possibilities, ranging from simple tracking of large, anomalous traffic flows indicative of large-scale data exfiltration to the use of specific service and destination combinations (such as WinSCP to an Autonomous System Number (ASN) associated with a cloud provider).
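The two detection ideas just described, an anomalous outbound volume and a file-transfer service paired with a cloud-hosting ASN, combine naturally into one rule over flow records. The following is an added illustration, not code from the original post. The flow layout, the internal address ranges, the per-host daily baselines, the prefix-to-ASN table (AS64500 is from the range reserved for documentation), the mapping of ports 22 and 443 to the post's transfer tools, and the sample flows are all constructed assumptions.

```python
"""Flag possible bulk exfiltration from flow records: an internal host whose
outbound volume far exceeds its own daily baseline, sending to a destination
in a cloud-hosting ASN over a file-transfer service.

Added illustration, not code from the original post. The flow layout, the
internal ranges, the per-host baselines, the prefix-to-ASN table (AS64500 is
from the range reserved for documentation), and the sample flows are all
constructed assumptions.
"""
from collections import defaultdict, namedtuple
from ipaddress import ip_address, ip_network

# One flow record: source, destination, destination port, bytes sent by source.
Flow = namedtuple("Flow", "src dst dport bytes_out")

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed services for the exfiltration tools named in the post: WinSCP and
# Rclone over SFTP, Rclone/MEGAcmd-style uploads over HTTPS.
SERVICE_LABELS = {22: "SSH/SFTP", 443: "HTTPS"}
# Constructed lookup; in practice populate it from a BGP/ASN feed.
CLOUD_HOSTING_PREFIXES = {ip_network("198.51.100.0/24"): "AS64500 (constructed cloud hosting ASN)"}


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def cloud_asn(ip):
    """Return the ASN label for a destination in a known cloud-hosting prefix, else None."""
    addr = ip_address(ip)
    for net, label in CLOUD_HOSTING_PREFIXES.items():
        if addr in net:
            return label
    return None


def exfil_candidates(flows, daily_baseline, ratio=10.0, min_bytes=1_000_000_000):
    """Return alert dicts for (src, dst, dport) combinations where the source
    host sent at least `ratio` times its baseline daily volume outbound in
    total, and at least `min_bytes` of that went to one cloud-hosting
    destination. Sorted largest transfer first."""
    per_host = defaultdict(int)   # src -> total bytes to external destinations
    per_pair = defaultdict(int)   # (src, dst, dport) -> bytes
    for f in flows:
        if not is_internal(f.src) or is_internal(f.dst):
            continue  # internal copies (backups, file servers) are out of scope
        per_host[f.src] += f.bytes_out
        per_pair[(f.src, f.dst, f.dport)] += f.bytes_out

    alerts = []
    for (src, dst, dport), total in per_pair.items():
        asn = cloud_asn(dst)
        if asn is None or total < min_bytes:
            continue
        baseline = daily_baseline.get(src, 0)
        # A host with no learned baseline is treated as anomalous by construction.
        if baseline == 0 or per_host[src] >= ratio * baseline:
            alerts.append({"src": src, "dst": dst, "dport": dport,
                           "service": SERVICE_LABELS.get(dport, f"tcp/{dport}"),
                           "asn": asn, "bytes": total,
                           "times_baseline": per_host[src] / baseline if baseline else None})
    return sorted(alerts, key=lambda a: -a["bytes"])


# Constructed baselines: typical outbound bytes per day learned per host.
DAILY_BASELINE = {"10.0.1.20": 200_000_000, "10.0.1.30": 300_000_000, "10.0.1.50": 100_000_000}

# Constructed sample: 10.0.1.20 pushes 25 GB over SFTP to a cloud host,
# 10.0.1.30 does a modest HTTPS upload, 10.0.1.50 runs a large internal backup.
SAMPLE_FLOWS = (
    [Flow("10.0.1.20", "198.51.100.40", 22, 5_000_000_000) for _ in range(5)]
    + [Flow("10.0.1.20", "203.0.113.200", 443, 50_000_000),
       Flow("10.0.1.30", "198.51.100.40", 443, 250_000_000),
       Flow("10.0.1.50", "10.0.2.5", 445, 20_000_000_000)]
)

if __name__ == "__main__":
    for a in exfil_candidates(SAMPLE_FLOWS, DAILY_BASELINE):
        print(f"{a['src']} -> {a['dst']}:{a['dport']} ({a['service']}, {a['asn']}): "
              f"{a['bytes'] / 1e9:.1f} GB, {a['times_baseline']:.0f}x daily baseline")
```

Requiring both conditions keeps the noise down: a large transfer to an internal backup server or a routine cloud sync that stays near the host's baseline is not reported, while a workstation that suddenly sends well over its daily volume to a hosting provider over SFTP is exactly the staging pattern worth interrupting before encryption begins.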

Network visibility and monitoring

The mechanisms identified above are not distinct to DarkSide deployment; this provides a substantial benefit to defenders in that…
