Threat Analysis Unit

Critical Infrastructure Remains at Risk Following Ransomware Attack

Critical infrastructure has increasingly become a top target for cybercriminals. Over the weekend, we learned of the ransomware attack against a U.S. fuel company, Colonial Pipeline, that carries nearly half the fuel consumed along the U.S. East Coast. This is one of the largest disruptions of U.S. critical infrastructure by a cyberattack in history. It is a startling reminder at how vulnerable everything from our power grid to our water supply remains if we do not bolster our defenses.

“This attack will not be an isolated incident. We’ll continue to see destructive cyberattacks against industrial control system (ICS) environments, with energy, oil, gas and manufacturing companies as top targets for cybercrime cartels. These groups will leverage ransomware as a means of inflicting kinetic damage in the real world,” said Tom Kellermann, head of cybersecurity strategy at VMware.

On Monday, the FBI attributed the cyberattack to DarkSide, a group believed to be based in Eastern Europe. The VMware Threat Analysis Unit (TAU) analyzed DarkSide in February and found that the group customizes the ransomware binary for each targeted enterprise. Like many other ransomware families, it uses PowerShell to delete volume shadow copies so that data cannot be easily restored from local snapshots.

Screenshot of DarkSide ransom note

VMware TAU also identified DarkSide actively looking for affiliates to add to their operation via a dark web listing.

The above image, taken from the dark web, is a recent post by the ransomware group DarkSide actively looking for affiliates to add to their operation.

Recent research from Digital Shadows provides an analysis of the DarkSide ransomware operation. While attribution is important, it is also necessary to understand the tactics, techniques, and procedures (TTPs) used during the pre-infection and post-infection phases of a ransomware attack, focusing on the behaviors rather than the “who.”

The Rise in Secondary Extortion and RaaS

Ransomware groups have widely adopted double extortion as a core tactic to ensure profitability. In fact, nearly 40% of security professionals said double-extortion ransomware was the most observed new ransomware attack technique in 2020.

By taking time to quietly exfiltrate sensitive information from the organization before encrypting anything, cybercriminals gain significant additional leverage over their victims: the organization is pressured not only to pay for decryption of its content but also to pay to prevent potentially harmful data from being sold or publicly disclosed. This greatly increases the impact and damage that ransomware groups can inflict, and it sends a stark warning to others to protect their networks from this ever-evolving threat. To understand modern cybercrime, defenders must account for exfiltration and extortion, not just encryption, in their security and resiliency programs.

As ransomware-as-a-service (RaaS) explodes in popularity on the crimeware forums, cybercriminals are finding new and unique ways to deploy ransomware across organizations. Similar to how spies are recruited for espionage against government agencies, regular everyday people with access to high-value targets can be recruited to deploy malware. Often, they are lured through offers of significant sums of money or even a percentage of the ransomware payout, with some offering hundreds of thousands of dollars per victimized organization.

Affiliate programs and partnerships between ransomware groups have also become a common occurrence alongside the general recruiting of insiders. These affiliate programs look to partner with initial access brokers, criminals that specialize in breaking into organizations and then sell that access directly to ransomware gangs, as well as with other ransomware gangs, in order to improve their tradecraft and further their reach and overall profitability.

As demonstrated by DarkSide’s post looking for affiliate partners, the global pandemic has empowered cybercriminals to work together capitalizing on the expanding attack surface. This attack only shows what security professionals have known for years: defenders must continue to work to stay one step ahead of attackers.

4 Cybersecurity Best Practices

Here are four best practices from VMware TAU for organizations looking to protect against the increase in ransomware attacks:

  1. Continue to address ineffective legacy security technology and process weakness

Legacy security solutions and process weaknesses continue to pose significant risk to organizations, and the shift to an anywhere workforce has quickly expanded the threat landscape. As we emerge from the immediate response phase and begin to see the shape of the long-term future, organizations must identify the critical changes to processes and technology needed to support remote and hybrid workers to work securely and reduce risk.

  2. Deliver security as a distributed service

The world is a more complicated place today with remote workers connecting to applications running on infrastructure that may or may not be managed, owned or controlled by the company. With so many new surfaces and different types of environments to defend, security cannot be delivered as a litany of point products and network choke points. Instead, endpoint and network controls must be delivered as a distributed service. This means delivering security that follows the assets being protected, no matter what type of environment you have.

  3. Adopt an intrinsic approach to cloud-first security

Moving to the cloud is not a security panacea. Not all clouds are equal, and controls need to be vetted, because if adversaries want to attack at scale, the cloud is the place to do it. As cloud adoption builds momentum, investment in public cloud security will be critical. When you move to a public cloud, you’re moving to a very tough neighborhood where security is contingent on your own actions and those of your neighbors. You may be able to secure your own resources, but you have no control over those sharing that environment with you. Organizations must prioritize securing cloud workloads at every point in the security lifecycle as the great cloud shift continues.

  4. Engage with and have an IR partner on retainer

When it comes to cyberattacks, it’s no longer a matter of if, but when, organizations will be targeted. A great first step is to reach out to an incident response partner to ensure that you are prepared.

VMware Carbon Black Cloud Customers

DarkSide ransomware is blocked and detected by existing policies within VMware Carbon Black products. Typically, DarkSide customizes the ransomware binary for the targeted enterprise and ensures volume shadow copies are deleted, which makes it challenging to restore data. It is important not only to have a good data backup process in place (with copies the ransomware cannot reach) but also to have an endpoint security solution that uses behavioral detection capabilities for the best protection. Learn more about VMware Carbon Black Cloud.
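The shadow copy deletion behavior described above, and in the February analysis earlier on this page, is exactly the kind of activity that behavioral endpoint detection keys on. The following block is an added example and is not VMware or Carbon Black code: a small Python detector that scans constructed process-creation events (modelled on Sysmon Event ID 1 fields) for the common shadow copy deletion command lines, including a base64 `-EncodedCommand` PowerShell variant, which it decodes before matching. The hostnames, parent processes and command lines are constructed sample data, and the rule list covers the usual `vssadmin`, `wmic`, WMI-from-PowerShell and `wbadmin` routes rather than any one DarkSide sample.

```python
"""Flag volume-shadow-copy deletion in process-creation telemetry.

Added example (not VMware/Carbon Black code). Events are constructed
samples modelled on Sysmon Event ID 1 fields (parent image, image,
command line); the detection logic is regex matching plus decoding of
PowerShell -EncodedCommand payloads.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    parent: str
    image: str
    cmdline: str


# Command-line patterns for the usual shadow-copy / backup-catalog
# deletion routes. Matched case-insensitively against the raw command
# line plus any decoded -EncodedCommand payload.
RULES = [
    (r"vssadmin(?:\.exe)?\s+delete\s+shadows", "vssadmin delete shadows"),
    (r"wmic(?:\.exe)?\s+shadowcopy\s+delete", "wmic shadowcopy delete"),
    (r"win32_shadowcopy.*?(?:\.delete\(|remove-wmiobject|remove-ciminstance)",
     "PowerShell WMI shadow copy removal"),
    (r"wbadmin(?:\.exe)?\s+delete\s+catalog", "wbadmin delete catalog"),
]
COMPILED = [(re.compile(p, re.IGNORECASE | re.DOTALL), label) for p, label in RULES]

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE plaintext of an -EncodedCommand argument, or '' if absent/undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def classify(event: Event) -> list[str]:
    """Labels of every rule that fires on this event (empty list if nothing matched)."""
    haystack = event.cmdline + "\n" + decode_encoded_command(event.cmdline)
    return [label for rx, label in COMPILED if rx.search(haystack)]


def find_shadow_copy_deletion(events: list[Event]) -> list[dict]:
    """Return one finding per event that matches at least one rule."""
    findings = []
    for ev in events:
        labels = classify(ev)
        if labels:
            findings.append({"host": ev.host, "parent": ev.parent,
                             "image": ev.image, "labels": labels})
    return findings


# Constructed sample telemetry. The encoded payload is built here so the
# sample is exactly what PowerShell would receive via -enc.
ENCODED_PAYLOAD = base64.b64encode(
    "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject".encode("utf-16le")
).decode("ascii")

SAMPLE_EVENTS = [
    Event("ws01", "explorer.exe", "powershell.exe",
          'powershell.exe -NoProfile -Command "Get-WmiObject Win32_Shadowcopy '
          '| ForEach-Object { $_.Delete() }"'),
    Event("fs02", "cmd.exe", "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    Event("fs02", "cmd.exe", "wmic.exe", "wmic.exe shadowcopy delete"),
    Event("ws03", "winword.exe", "powershell.exe",
          f"powershell.exe -nop -w hidden -enc {ENCODED_PAYLOAD}"),
    Event("ws04", "explorer.exe", "powershell.exe", "powershell.exe Get-ChildItem C:\\Users"),
    Event("bk01", "backup-agent.exe", "vssadmin.exe", "vssadmin.exe list shadows"),  # benign
]

if __name__ == "__main__":
    for f in find_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['parent']} -> {f['image']}: {', '.join(f['labels'])}")
```

Running the block reports four of the six constructed events; the `vssadmin list shadows` call from the backup agent and the harmless `Get-ChildItem` are left alone. In production the parent process matters as much as the command line: `vssadmin delete shadows` spawned by a backup agent during a maintenance window is expected, the same command spawned from an Office process or a freshly dropped binary is not.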

VMware Advanced Threat Prevention Customers

DarkSide ransomware, its variants and its network activities can be detected and blocked by VMware NSX Advanced Threat Prevention (ATP). DarkSide is typically delivered via a phishing email with links that lead to the download of malware; NSX ATP detects that download and can prevent it from being delivered. From there the adversary can perform many malicious network activities, including command and control communications, additional malware and tool downloads, port scanning, host profiling, beaconing, lateral movement using RDP and anomalous data uploads, all of which can be detected by NSX ATP. Enterprise security for modern networks requires solutions that interconnect, leveraging the infrastructure to provide authoritative context from distributed security services with connected control points to disrupt threats already in your network. Learn more about VMware NSX ATP.
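Beaconing to a command and control server is one of the post-infection network behaviors listed above. The block below is an added example, not NSX ATP's code: a Python heuristic that groups constructed connection records by (source, destination, port) and flags pairs whose inter-connection timing is nearly periodic, which is what a sleep-with-jitter implant looks like next to human-driven browsing. All hosts, addresses and timestamps are constructed sample data, and the thresholds (`min_connections`, `max_cv`) are illustrative values, not vendor settings.

```python
"""Flag fixed-interval (beacon-like) connections in connection logs.

Added example (not VMware/NSX ATP code). Flows are constructed samples.
Heuristic: for each (src, dst, port) with enough connections, compute
the gaps between consecutive connections and flag the pair when the
coefficient of variation of those gaps is low, i.e. timing is periodic.
"""
from __future__ import annotations

import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    ts: float  # connection start, seconds since epoch


def beacon_candidates(flows: list[Flow], min_connections: int = 8,
                      max_cv: float = 0.15) -> list[dict]:
    """Return the (src, dst, dport) pairs whose connection timing looks periodic."""
    by_pair: dict[tuple[str, str, int], list[float]] = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst, f.dport)].append(f.ts)

    results = []
    for (src, dst, dport), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few samples to say anything about periodicity
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue  # all connections at the same instant; not a beacon pattern
        cv = statistics.pstdev(gaps) / mean_gap  # relative jitter of the interval
        if cv <= max_cv:
            results.append({"src": src, "dst": dst, "dport": dport,
                            "count": len(stamps), "period_s": round(mean_gap, 1),
                            "cv": round(cv, 3)})
    return results


def build_sample_flows() -> list[Flow]:
    """Constructed traffic: one jittered 60 s beacon, one bursty web session, one short RDP burst."""
    base = 1_620_000_000.0
    flows = []
    # ws03 -> 203.0.113.10:443 every ~60 s with a few seconds of jitter (beacon-like)
    jitter = [0, 2, -1, 3, -2]
    for i in range(20):
        flows.append(Flow("ws03", "203.0.113.10", 443, base + 60 * i + jitter[i % len(jitter)]))
    # ws01 -> 198.51.100.20:443 irregular, human-driven browsing
    for offset in [0, 5, 9, 40, 300, 301, 302, 900, 1800, 1805]:
        flows.append(Flow("ws01", "198.51.100.20", 443, base + offset))
    # ws02 -> 192.0.2.7:3389 three RDP connections; too few to judge timing
    for offset in [0, 60, 120]:
        flows.append(Flow("ws02", "192.0.2.7", 3389, base + offset))
    return flows


SAMPLE_FLOWS = build_sample_flows()

if __name__ == "__main__":
    for c in beacon_candidates(SAMPLE_FLOWS):
        print(f"{c['src']} -> {c['dst']}:{c['dport']} "
              f"{c['count']} connections, period {c['period_s']}s, jitter cv {c['cv']}")
```

Only the ws03 pair is reported: its gaps cluster tightly around 60 seconds, while the browsing session's gaps range from one second to fifteen minutes. A coefficient-of-variation check over a whole window is the simplest form of this test; a production detector would also look at per-connection byte counts (beacons are small and uniform), tolerate deliberate sleep skipping, and score long-interval beacons that produce far fewer than eight connections a day.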

Incident Response Partners

Kroll

Whether your incident is the result of a malicious hacker or accidental exposure by an employee, Kroll can help. Its global network of certified security and digital forensic experts can deploy remote solutions quickly and/or be onsite within hours to help organizations contain the situation and determine next steps. Kroll is a leading provider of end-to-end cybersecurity, digital forensics and breach response services, and will help you make informed decisions at every stage, from proactive preparation to consumer notification and remediation.

Accenture

Accenture’s Cyber Incident Response Service guides affected companies through each stage of a cyber incident claim, from the initial reporting of the attack to the Accenture Cyber Incident Response team, through containing the breach, to restoring the business. Accenture also provides access to legal support, IT forensics and crisis communications advice, as well as other relevant value-add services.

Red Canary

Gain a partner in the fight against cyberattacks. Red Canary helps organizations mature their security operations with a team of highly skilled security experts who deliver top-quality threat intelligence, detection engineering, investigation, and response.