<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p style="text-align: justify; font-size: 16px;">This week our Security Research team noticed loads of blocked traffic between ThreatSTOP customer machines and domains recently associated with DarkSide ransomware, the malware behind the Colonial Pipeline shutdown that forced the company to pay $5 million in ransom. The domains, <span style="font-weight: bold;">fotoeuropa[.]ro and catsdegree[.]com</span>, logged a cumulative 3.8 million blocked communication attempts in our systems over the last week alone. Almost nothing makes us happier than potential victims saved from malicious threat actors and cyberattack disasters.&nbsp;</p> <p style="text-align: justify; font-size: 12px;"><!--more--><span style="font-weight: bold; font-size: 16px;">Who is the DarkSide gang?</span></p> <p style="text-align: justify; font-size: 12px;"><span style="font-size: 16px;">DarkSide is a cybercriminal gang believed to be based in Russia that has been active since August 2020. In less than a year, these threat actors have launched multiple global campaigns affecting a wide range of industries and organizations in over 15 countries. The DarkSide ransomware is offered as ransomware-as-a-service (RaaS), meaning that the threat actors provide DarkSide to various affiliates who infect victim networks and, in return, share the profits from the attack with the creators.</span></p> <p style="text-align: justify; font-size: 12px;"><span style="font-size: 16px;">Since the ransomware is used by various hackers, the infection vectors also vary. Some use commercially available tools to breach victim networks, while others have used zero-day vulnerabilities. 
Once the victims have been infected, the ransomware not only encrypts their data but also exfiltrates it, giving the attackers more leverage in their ransom demands.</span></p> <p style="text-align: justify; font-size: 12px;"><span style="font-size: 16px;">The crypto-analytics company <a href="https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin" rel="noopener">Elliptic identified</a> that in just 9 months DarkSide and its affiliates cashed in at least $90 million in bitcoin ransom payments from 47 different victims. Doing some simple math, we can only say: holy cow, that’s a lot of ransom money per victim. Of that total, the DarkSide creators raked in $15.5 million, while the affiliates made a whopping $74.7 million.</span></p> <p style="text-align: justify; font-size: 12px;"><img src="https://info.threatstop.com/hubfs/image-png-May-27-2021-01-07-15-73-PM.png" loading="lazy" style="margin-left: auto; margin-right: auto; display: block; width: 481px;" width="481" alt="ransom-payments"></p> <p style="text-align: center; font-size: 12px;"><em>DarkSide Ransom Payments Oct. 20 - May 21. <span style="color: #222222;">Image: elliptic.co.</span></em></p> <p style="text-align: center; font-size: 16px;">&nbsp;</p> <p style="vertical-align: baseline; font-size: 16px;"><strong><span style="color: #222222;">The Colonial Pipeline Attack</span></strong></p> <p style="text-align: justify; font-size: 16px;"><span style="color: #222222;">On May 7, the Colonial Pipeline Company, which supplies 45% of the East Coast's fuel, discovered a ransomware breach of its corporate network and halted all pipeline operations because its billing systems were affected. By far the most well-known DarkSide attack, this incident caused loads of media buzz. 
The DarkSide gang obtained a payment of $5 million from the victim – over twice the average ransom payment for this malware.</span></p> <p style="text-align: justify; font-size: 16px;"><span style="color: #222222;"><img src="https://www.zdnet.com/a/hub/i/r/2021/05/08/a9ec5ed0-d186-4ef4-b8aa-af02d1a0901c/resize/1200xauto/b2bd88d06e246c597c8a6aac9a141b93/colonial-pipeline-system-map.jpg" alt="colonial-pipeline" loading="lazy" style="margin-left: auto; margin-right: auto; display: block; width: 488px;" width="488"></span></p> <p style="vertical-align: baseline; margin-top: 0in; margin-right: 0in; margin-bottom: 12pt; padding-left: 0in; text-align: center; font-size: 12px;"><em><span style="color: #666666;">5,500 miles of fuel pipe shut down after a ransomware attack. Image: colpipe.com</span></em></p> <p style="vertical-align: baseline; margin-top: 0in; margin-right: 0in; margin-bottom: 12pt; padding-left: 0in; text-align: center; font-size: 12px;">&nbsp;</p> <p style="vertical-align: baseline; text-align: justify;"><span style="font-size: 16px;"><strong><span style="color: #222222;">Protecting Your Network from Threats Like This</span></strong></span></p> <p style="vertical-align: baseline; font-weight: normal; text-align: justify;"><span style="font-size: 16px;">It is still unknown what has become of the DarkSide threat actors. They claim to have disbanded, though some experts believe that they have pretended to call it quits to avoid scrutiny. Whether they are still active under a different name, or are using the same malicious infrastructure for other destructive targeted attacks, it is very clear that the domains they were using are still active. In addition</span> to catsdegree[.]com and fotoeuropa[.]ro, there are many other IOCs related to DarkSide activity. For example, our systems logged almost 200K connection attempts from the DarkSide TOR domain darksidfqzcuhtk2[.]onion over the last 7 days. 
We recommend blocking all inbound and outbound traffic to IOCs related to DarkSide (see list below). If the attackers somehow manage to breach your network, don't let their malware exfiltrate your data. Blocking outbound traffic is an extremely important layer of defense against cyberattacks.</p> <p style="vertical-align: baseline; font-weight: normal; text-align: justify;">Another way to block threat activity like DarkSide's is blocking <span>anonymizer services and TOR</span><span>. In their attack on the Colonial Pipeline company, DarkSide used TOR relays, which could have been blocked. Blacklisting the IPs of these anonymous services protects users from suspicious and potentially malicious traffic, and could have protected the victims of this attack. ThreatSTOP customers are protected by our <span style="font-style: italic;">Tor Exit Nodes - IPs</span> target, which blocks access to the TOR network, and our <a href="https://blog.threatstop.com/vpn-and-tor-traffic-to-bypass-corporate-security" rel="noopener" target="_blank" style="font-style: italic;">Anonymous VPN Services Exit – IPs target</a>,&nbsp;which blocks traffic from anonymous VPN providers.</span></p> <p style="vertical-align: baseline;">Protect against this threat by adding the indicators below to your network perimeter access rules and to your protective DNS rules. Preventing communication with these IP addresses and domains, and identifying the machines attempting to do so for remediation, will prevent damage and losses from this ransomware. ThreatSTOP automates this for companies and security teams like yours. If you are a ThreatSTOP customer, you are already and automatically protected from DarkSide and other threats like this.</p> <p style="vertical-align: baseline; text-align: center;"><em>Ready to try ThreatSTOP in your network? 
Want an expert-led demo to see how it works?</em></p> <p style="vertical-align: baseline; font-weight: bold; text-align: center;"><span style="text-decoration: underline;">DarkSide Indicators of Compromise:</span></p> <p style="vertical-align: baseline; text-align: center;">&nbsp;</p></span>
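<p style="text-align: justify; font-size: 16px;">One way to act on the two recommendations above, blocking the indicators in protective DNS and identifying the machines that try to reach them, as an added example that is not ThreatSTOP's own code: it refangs the defanged domains quoted in this post, scans BIND-style resolver query-log lines for clients resolving those domains or any of their subdomains, and emits RPZ records that make a resolver answer NXDOMAIN for them. The log lines, client addresses and the <code>find_infected_hosts</code> / <code>rpz_zone</code> helper names are constructed assumptions for the example.</p>

```python
import re
from collections import defaultdict

# Defanged DarkSide domains quoted in the post above (the IOC list has more).
DEFANGED_IOCS = ["fotoeuropa[.]ro", "catsdegree[.]com", "darksidfqzcuhtk2[.]onion"]

# Constructed sample lines in BIND 9 query-log style; not real customer data.
SAMPLE_LOG = """\
27-May-2021 10:01:02.123 client @0x7f3a 10.20.1.15#53211 (fotoeuropa.ro): query: fotoeuropa.ro IN A + (10.20.0.2)
27-May-2021 10:01:05.456 client 10.20.1.15#53212: query: www.example.com IN A +
27-May-2021 10:02:11.789 client 10.20.3.77#41002: query: mail.catsdegree.com IN A +
27-May-2021 10:03:40.001 client 10.20.3.77#41003: query: darksidfqzcuhtk2.onion IN A +
27-May-2021 10:04:00.002 client 10.20.9.9#50001: query: notcatsdegree.com IN A +
"""

# Tolerates both the older "client IP#port:" and newer "client @0x.. IP#port (name):" layouts.
LINE_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?(?P<src>[\d.]+)#\d+(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def refang(indicator):
    """Turn defanged notation back into a matchable name: 'a[.]b' -> 'a.b'."""
    return indicator.replace("[.]", ".").lower().rstrip(".")

def matches_ioc(qname, iocs):
    """True if qname is an IOC domain or a subdomain of one (not a mere suffix match)."""
    qname = qname.lower().rstrip(".")
    return any(qname == d or qname.endswith("." + d) for d in iocs)

def find_infected_hosts(log_text, defanged_iocs):
    """Map each client IP to the IOC names it tried to resolve; these are the hosts to remediate."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and matches_ioc(m["qname"], iocs):
            # A .onion name reaching the corporate resolver also means a Tor client is leaking DNS.
            hits[m["src"]].append(m["qname"].lower().rstrip("."))
    return dict(hits)

def rpz_zone(defanged_iocs):
    """RPZ records (relative to the zone origin) returning NXDOMAIN for each IOC and its subdomains."""
    records = []
    for d in map(refang, defanged_iocs):
        records.append(f"{d} CNAME .")
        records.append(f"*.{d} CNAME .")
    return "\n".join(records)

if __name__ == "__main__":
    for src, names in find_infected_hosts(SAMPLE_LOG, DEFANGED_IOCS).items():
        print(f"{src} queried {', '.join(names)}")
    print(rpz_zone(DEFANGED_IOCS))
```

Load the RPZ records into a response policy zone on your resolver; the same <code>refang</code> helper can feed the IP indicators into perimeter deny rules.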