
Cybersecurity Threat Advisory 0032-21: DarkSide Ransomware Group Strikes Again

Threat Update

The ransomware group responsible for the Colonial Pipeline attack has struck again, this time hitting European subsidiaries of Toshiba. Some of Toshiba's networks were shut down in response, a reminder of how effective ransomware has become as a way for criminals to extort money from businesses of all sizes. SKOUT recommends that companies keep their networks secure and follow the best practices below to reduce the chance of a similar event.

Technical Detail & Additional Information

WHAT IS THE THREAT?

On May 14th, Toshiba confirmed that the DarkSide ransomware gang had attacked its European networks. Toshiba stated that no customer-related information was leaked externally, but DarkSide runs a double-extortion model, so some data may still have been copied out of the network before it was encrypted. Ransomware has become a prevalent and profitable attack method: the criminals encrypt business data, demand a ransom for the decryption key, and increasingly also threaten to publish the stolen copies if the victim does not pay.

WHY IS IT NOTEWORTHY?

This is especially noteworthy because nearly every company now stores its business-critical data digitally. A malicious actor who gains access to the network and encrypts that data can cripple daily operations, with a direct loss of revenue. Following the Colonial Pipeline attack, organizations should take extra care to strengthen their network defenses and close off the common ways in, such as remote-access services exposed to the internet and weak or reused credentials.

WHAT IS THE EXPOSURE OR RISK?

Once a malicious actor gains access to your network and deploys ransomware, recovery is difficult. Countless hours will be spent restoring systems from backups, assuming the backups themselves were not encrypted or deleted along with everything else. In worst-case scenarios, companies spend millions of dollars on recovery on top of the lost revenue. Refusing to pay does not end the risk: gangs that copied data before encrypting it may post it on their leak site, releasing otherwise confidential information to the public.

WHAT ARE THE RECOMMENDATIONS?

It is recommended that companies follow strong security practices, including:

  • A strong password policy
    • Enforce a minimum length and complexity
    • Keep a password history so that previous passwords cannot be reused
    • Do not reuse the same password across systems or accounts
    • Require multi-factor authentication for remote access, so a stolen password alone is not enough
  • Keep systems patched with the latest security updates
  • Ensure services such as RDP are not exposed to the internet; put remote access behind a VPN and restrict it to known source addresses
  • Maintain offline or immutable backups and test restoring from them, so recovery never depends on paying the ransom
  • Install endpoint protection that can detect and block malicious scripts and in-memory payloads, not only files on disk
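As an added illustration (this is example code written for this advisory, not SKOUT tooling or anything from Toshiba), the following Python module enforces the password rules from the list above and audits a set of inbound firewall rules for RDP reachable from outside private address space. Each password-history entry is stored as a salted PBKDF2 hash rather than plaintext, so the reuse check never keeps old passwords in the clear. The policy values (14 characters, a 24-entry history, three character classes), the banned-word list, and the sample firewall rules are assumptions chosen for the example.

```python
"""Added example: enforce the password rules above and audit RDP exposure.

Illustrative code written for this advisory, not SKOUT tooling.
Policy numbers (14 chars, 24-entry history, 3 character classes) and the
sample firewall rules below are assumptions chosen for the example.
"""
import hashlib
import hmac
import ipaddress
import os
import re
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 100_000  # assumption: raise to what your hardware tolerates


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the history never stores plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 14
    history_depth: int = 24          # previous passwords that may not be reused (>= 1)
    required_classes: int = 3        # out of: lower, upper, digit, symbol
    banned_words: frozenset = frozenset({"password", "welcome", "qwerty", "123456"})

    def strength_errors(self, password: str) -> list[str]:
        """Return the strength rules a candidate password breaks (empty list = OK)."""
        errors = []
        if len(password) < self.min_length:
            errors.append(f"shorter than {self.min_length} characters")
        classes = sum(bool(re.search(p, password))
                      for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
        if classes < self.required_classes:
            errors.append(f"uses {classes} character classes, need {self.required_classes}")
        if any(w in password.lower() for w in self.banned_words):
            errors.append("contains a banned word")
        return errors


@dataclass
class Account:
    username: str
    history: list = field(default_factory=list)   # (salt, digest) pairs, newest last

    def was_used_before(self, password: str, depth: int) -> bool:
        """Compare the candidate against the last `depth` stored hashes."""
        return any(hmac.compare_digest(_pbkdf2(password, salt), digest)
                   for salt, digest in self.history[-depth:])

    def set_password(self, password: str, policy: PasswordPolicy) -> list[str]:
        """Apply every rule; store a new salted hash only if all of them pass."""
        errors = policy.strength_errors(password)
        if self.username.lower() in password.lower():
            errors.append("contains the username")
        if self.was_used_before(password, policy.history_depth):
            errors.append(f"matches one of the last {policy.history_depth} passwords")
        if errors:
            return errors
        salt = os.urandom(16)
        self.history.append((salt, _pbkdf2(password, salt)))
        del self.history[:-policy.history_depth]       # keep only the newest N entries
        return []


@dataclass(frozen=True)
class InboundRule:
    port: int
    source: str          # CIDR the rule allows traffic from


PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def exposed_rdp_rules(rules, rdp_port: int = 3389) -> list:
    """Return inbound rules that let RDP in from any source outside RFC 1918 space."""
    findings = []
    for rule in rules:
        if rule.port != rdp_port:
            continue
        src = ipaddress.ip_network(rule.source, strict=False)
        if not any(src.subnet_of(net) for net in PRIVATE_NETS):
            findings.append(rule)
    return findings


# Constructed sample rules for a stand-alone run (not real infrastructure).
SAMPLE_RULES = [
    InboundRule(3389, "0.0.0.0/0"),        # RDP open to the whole internet: exposed
    InboundRule(3389, "10.0.0.0/8"),       # RDP from the internal range only: fine
    InboundRule(443, "0.0.0.0/0"),         # HTTPS, not RDP: ignored here
    InboundRule(3389, "203.0.113.0/24"),   # RDP from one external /24: still exposed
]

if __name__ == "__main__":
    policy = PasswordPolicy()
    acct = Account("jsmith")
    print(acct.set_password("Correct-Horse-Battery-9", policy))   # []
    print(acct.set_password("Correct-Horse-Battery-9", policy))   # rejected: in history
    print(acct.set_password("password1", policy))                 # rejected: too weak
    for rule in exposed_rdp_rules(SAMPLE_RULES):
        print(f"RDP exposed from {rule.source}")
```

The reuse check deliberately hashes the candidate against every stored entry instead of storing plaintext history, and the RDP audit treats anything that is not a subnet of the private ranges as exposed, so a single external /24 is flagged just like 0.0.0.0/0; tighten the allow-list to the VPN concentrator's addresses if RDP must stay reachable at all.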

REFERENCES

For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact our Security Operations Center.