Advisory – Darkside Ransomware | Information Security and Enterprise Architecture

May 10, 2021

You may have heard some news today on something calling “Darkside” Ransomware because of its impact on US fuel prices.

What is Darkside and why should you care?

DarkSide is a new group that started to offer “Ransomware-as-as-Services” at the beginning of August 2020. They have become known for their professional operations and large ransoms. According to the known incidents, the ransom demanded falls in the range of between $200,000 and $2,000,000 (US). A ransomware attack is a demand for money in return for normal systems operations or the non- release of stolen data.
Darkside has successfully perpetrated an attack on May 7th against Colonial Pipeline, which is the largest artery for refined fuels in the United States. Ordinarily the pipes carry 2.5m barrels a day, 45% of the east coast’s supply; fuel prices jumped 4% on Sunday.

What is U of T’s risk related to Darkside?

Darkside state they do not attack hospitals, schools, non-profits, and governments, but rather big organizations that can afford to pay large ransoms
- However, they have attacked data belonging to schoolkids
- U of T may be non-profit, but it is a large university and may be regarded as a big organization that can pay ransoms.
Darkside leverages a significant amount of tools that are targeted to compromise user accounts or end points devices (e.g. computer, laptops, servers). U of T has done some good progress on protecting user accounts with MFA, but few robust protections at the end point.
Although we have strong network protections in place, any person who has obtained a compromised credential set from one of our students or staff/faculty may be able to by-pass our protections, attack systems internally with limited ability for quick detection at the end point.

What are we doing about it?

We are working with CanSSOC to provide some protections on the network that will help us protect and detect known malicious traffic from Darkside.
We are rolling out MFA across the University. To date, we have achieved close to 70% adoption for Staff members, but we need to do much more to provide better protection.
We are enhancing our overall network protections as part of the Edge Security program.
We are making a business case for better protections for endpoints. An RFP is target for the end of the calendar year if we can secure funding.
We have enabled Microsoft Defender (ATP) to many high level leadership roles across the University.