Cyber attacks have occurred since the early days of the Internet. They can be extremely unpredictable. Learn about the dangers and unintended consequences!
In 1988, a Harvard graduate began an experiment to see how many computers were connected to the Internet. 24 hours later, 10% of all computers around the world had been taken down and the damages soared into the millions. Robert Tappan Morris had inadvertently created the first ever computer worm.
Once Morris realized the speed at which his program was replicating, he tried to send instructions to the victims to dismantle the worm and curb the attack. But it was too late. He was indicted one year later and faced fines of over $10,000.
Fast forward to the present day, and we’re facing the most recent example of a cyber-threat miscalculation, or a criminal group that simply did not understand the full impact their attack would have. The DarkSide ransomware group most likely only intended to hit the IT system and corporate business operations of Colonial Pipeline and underestimated the full impact the malware would have. The consequences were disastrous, halting the supply of fuel across the East Coast, leading to gas shortages, hoarding, and spikes in gasoline prices around the world.
In an apparent show of social responsibility, the DarkSide group issued a seemingly heartfelt apology for the attack on social media:
We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives. From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.
The motivation behind this statement is clear: self-preservation. The aftermath of the attack affected not only Colonial Pipeline but the DarkSide group themselves. They fell into the direct firing line of the full force of the US government, as well as becoming pariahs among other criminal groups for the attention they have drawn. It also appears they lost whatever formal or informal state supervision or protection they may have held.
As a result of the blowback and possible direct actions against them and their operating infrastructure, in less than a week, DarkSide announced that they would close their operations for good. They could however resurface under a different name, or join another group, if allowed in.
Misjudging the impact and collateral damage of a cyber-attack can lead to a range of unintended ramifications, from a cyber-crime group feeling increased heat from law enforcement to a nation state escalating a conflict greater than they intended.
It is for this reason that many ransomware groups historically have tended to keep their affairs under the radar. Over 70% of ransomware attacks target SMBs. Unfortunately, while many cyber-crime groups pledge to avoid larger bodies like hospitals and critical infrastructure, the allure of fast payouts for record-breaking ransoms has led to the healthcare sector, even vaccine efforts, being a heavy target for ransomware actors.
Following the incident at Colonial Pipeline, and no doubt in the fear of moving up the FBI’s Most Wanted list, a major Ransomware-as-a-Service (RaaS) group, REvil, announced the following policy:
Work in the social sector (health care, educational institutions) is prohibited;
It is forbidden to work on the gov-sector (state) of any country.
Organized cyber-crime groups often stress that they are apolitical and motivated solely by financial gain.
But when the boat is pushed too far, attacks can easily spill over into geopolitical tensions, encouraging governments to issue executive orders and pushing cyber-threats into the headlines – all bad business for criminal groups. And if a threat actor gets in over their head, they either need to lay low and rebrand in what is known as an ‘exit scam’, as ransomware groups such as Maze and Jokeroo have done in the past, or they’re shut down completely, as seen in the disruption of the Emotet botnet at the beginning of this year.
The effects of a cyber-attack are becoming increasingly difficult to predict and control. The reason for this is twofold. The first is this idea of interconnectivity. We live in a digitized world which is so interlinked that an attack on one server can have global consequences, whether that’s reverberations down the supply chain, IT converging with OT, or a cyber-threat against one country affecting the world.
More isolated than federal bodies, the private sector will most often take the brunt of this collateral damage. Just take NotPetya – where a targeted attack against Ukrainian infrastructure went into the wild paralyzing factories across the globe and costing shipping company Maersk $300 million.
The second reason is easier access to more sophisticated tools. The commercialization of cyber-crime has enabled less advanced actors to rent state-of-the-art malware and launch campaigns with speed and with ease. In fact, the Colonial Pipeline attack was likely orchestrated by an affiliate who had paid for the DarkSide malware. This makes it far more challenging to monitor who is being targeted. When it comes to RaaS, even the developers probably do not know for certain how their malware will be used.
When preparing any kind of cyber-attack, the intelligence that an actor has going into the target environment is rarely 100%. If the intention is to impact a single component of a bank, for example, but the attacker fails to realize that a nearby hospital relies on that same electrical grid, the situation can escalate very quickly. And when it’s a low-skilled attacker with little regard or understanding of what a high-powered tool can do, miscalculations become alarmingly easy.
As far as we know, DarkSide itself was not a state-sponsored APT, merely a private criminal franchise. Yet they advertised their ransomware as the fastest in the world and managed to pull off one of the most disruptive critical infrastructure cyber-attacks of all time. As history has shown, from the Morris worm to Colonial Pipeline, when malware is fast and designed to propagate, it is unpredictable. It is nearly impossible to put a highly destructive genie back in the bottle.
As automation and AI-powered attacks become a reality, these trends will increase exponentially and transform the threat landscape. Ransomware is no longer a human-scalable problem. Organizational resilience depends not on throwing more people into the mix, or even upskilling existing teams – machine-speed attacks need a machine-speed response which can adapt as fast as an attack propagates. Thwarting ransomware is both a board-level issue and a national security concern. As such, self-learning AI technology proves critical in tackling the unpredictability and speed of the threats of today, and of tomorrow.
Thanks to Lucas Marsden-Smedley for his contributions.
Oops! Something went wrong while submitting the form.
Newsletter
Enjoying the blog?
Sign up to receive the latest news and insights from the Darktrace newsletter – delivered directly to your inbox
Thanks for signing up!
Look out for your first newsletter, coming soon.
Oops! Something went wrong while submitting the form.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Marcus Fowler
CEO of Darktrace Federal and SVP of Strategic Engagements and Threats
Marcus Fowler is the CEO of Darktrace Federal, working to help defend the U.S. Department of Defense (DoD), the Intelligence Community (IC), and Federal Civilian Agencies against cyber disruption and strengthen their defenses with complete AI-powered cybersecurity solutions. Marcus is a seasoned cybersecurity professional, with expertise on emerging and next generation cyber threats, trends, and conflicts. Marcus also serves as the SVP of Strategic Engagements and Threats at Darktrace, working closely with senior security leaders across industries on innovative cybersecurity strategy and business resilience.
Previously, Marcus spent 15 years at the Central Intelligence Agency developing global cyber operations and technical strategies, leading cyber efforts with various US Intelligence Community elements and global partners. Prior to serving at the CIA, Marcus was an officer in the United States Marine Corps. Marcus has an engineering degree from the United States Naval Academy and a master's degree in international security studies from The Fletcher School. He also completed Harvard Business School’s Executive Education Advanced Management Program.
Bytesize Security: Insider Threats in Google Workspace
What is an insider threat?
An insider threat is a cyber risk originating from within an organization. These threats can involve actions such as an employee inadvertently clicking on a malicious link (e.g., a phishing email) or an employee with malicious intent conducting data exfiltration for corporate sabotage.
Insiders often exploit their knowledge and access to legitimate corporate tools, presenting a continuous risk to organizations. Defenders must protect their digital estate against threats from both within and outside the organization.
For example, in the summer of 2024, Darktrace / IDENTITY successfully detected a user in a customer environment attempting to steal sensitive data from a trusted Google Workspace service. Despite the use of a legitimate and compliant corporate tool, Darktrace identified anomalies in the user’s behavior that indicated malicious intent.
Attack overview: Insider threat
In June 2024, Darktrace detected unusual activity involving the Software-as-a-Service (SaaS) account of a former employee from a customer organization. This individual, who had recently left the company, was observed downloading a significant amount of data in the form of a “.INDD” file (an Adobe InDesign document typically used to create page layouts [1]) from Google Drive.
While the use of Google Drive and other Google Workspace platforms was not unexpected for this employee, Darktrace identified that the user had logged in from an unfamiliar and suspicious IPv6 address before initiating the download. This anomaly triggered a model alert in Darktrace / IDENTITY, flagging the activity as potentially malicious.
Figure 1: A Model Alert in Darktrace / IDENTITY showing the unusual “.INDD” file being downloaded from Google Workspace.
Following this detection, the customer reached out to Darktrace’s Security Operations Center (SOC) team via the Security Operations Support service for assistance in triaging and investigating the incident further. Darktrace’s SOC team conducted an in-depth investigation, enabling the customer to identify the exact moment of the file download, as well as the contents of the stolen documents. The customer later confirmed that the downloaded files contained sensitive corporate data, including customer details and payment information, likely intended for reuse or sharing with a new employer.
In this particular instance, Darktrace’s Autonomous Response capability was not active, allowing the malicious insider to successfully exfiltrate the files. If Autonomous Response had been enabled, Darktrace would have immediately acted upon detecting the login from an unusual (in this case 100% rare) location by logging out and disabling the SaaS user. This would have provided the customer with the necessary time to review the activity and verify whether the user was authorized to access their SaaS environments.
Conclusion
Insider threats pose a significant challenge for traditional security tools as they involve internal users who are expected to access SaaS platforms. These insiders have preexisting knowledge of the environment, sensitive data, and how to make their activities appear normal, as seen in this case with the use of Google Workspace. This familiarity allows them to avoid having to use more easily detectable intrusion methods like phishing campaigns.
Darktrace’s anomaly detection capabilities, which focus on identifying unusual activity rather than relying on specific rules and signatures, enable it to effectively detect deviations from a user’s expected behavior. For instance, an unusual login from a new location, as in this example, can be flagged even if the subsequent malicious activity appears innocuous due to the use of a trusted application like Google Drive.
Credit to Vivek Rajan (Cyber Analyst) and Ryan Traill (Analyst Content Lead)
Appendices
Darktrace Model Detections
SaaS / Resource::Unusual Download Of Externally Shared Google Workspace File
RansomHub Ransomware: Darktrace’s Investigation of the Newest Tool in ShadowSyndicate's Arsenal
What is ShadowSyndicate?
ShadowSyndicate, also known as Infra Storm, is a threat actor reportedly active since July 2022, working with various ransomware groups and affiliates of ransomware programs, such as Quantum, Nokoyawa, and ALPHV. This threat actor employs tools like Cobalt Strike, Sliver, IcedID, and Matanbuchus malware in its attacks. ShadowSyndicate utilizes the same SSH fingerprint (1ca4cbac895fc3bd12417b77fc6ed31d) on many of their servers—85 as of September 2023. At least 52 of these servers have been linked to the Cobalt Strike command and control (C2) framework [1].
What is RansomHub?
First observed following the FBI's takedown of ALPHV/BlackCat in December 2023, RansomHub quickly gained notoriety as a Ransomware-as-a-Service (RaaS) operator. RansomHub capitalized on the law enforcement’s disruption of the LockBit group’s operations in February 2024 to market themselves to potential affiliates who had previously relied on LockBit’s encryptors. RansomHub's success can be largely attributed to their aggressive recruitment on underground forums, leading to the absorption of ex-ALPHV and ex-LockBit affiliates. They were one of the most active ransomware operators in 2024, with approximately 500 victims reported since February, according to their Dedicated Leak Site (DLS) [2].
ShadowSyndicate and RansomHub
External researchers have reported that ShadowSyndicate had as many as seven different ransomware families in their arsenal between July 2022, and September 2023. Now, ShadowSyndicate appears to have added RansomHub’s their formidable stockpile, becoming an affiliate of the RaaS provider [1].
Darktrace’s analysis of ShadowSyndicate across its customer base indicates that the group has been leveraging RansomHub ransomware in multiple attacks in September and October 2024. ShadowSyndicate likely shifted to using RansomHub due to the lucrative rates offered by this RaaS provider, with affiliates receiving up to 90% of the ransom—significantly higher than the general market rate of 70-80% [3].
In many instances where encryption was observed, ransom notes with the naming pattern “README_[a-zA-Z0-9]{6}.txt” were written to affected devices. The content of these ransom notes threatened to release stolen confidential data via RansomHub’s DLS unless a ransom was paid. During these attacks, data exfiltration activity to external endpoints using the SSH protocol was observed. The external endpoints to which the data was transferred were found to coincide with servers previously associated with ShadowSyndicate activity.
Darktrace’s coverage of ShadowSyndicate and RansomHub
Darktrace’s Threat Research team identified high-confidence indicators of compromise (IoCs) linked to the ShadowSyndicate group deploying RansomHub. The investigation revealed four separate incidents impacting Darktrace customers across various sectors, including education, manufacturing, and social services. In the investigated cases, multiple stages of the kill chain were observed, starting with initial internal reconnaissance and leading to eventual file encryption and data exfiltration.
Attack Overview
Internal Reconnaissance
The first observed stage of ShadowSyndicate attacks involved devices making multiple internal connection attempts to other internal devices over key ports, suggesting network scanning and enumeration activity. In this initial phase of the attack, the threat actor gathers critical details and information by scanning the network for open ports that might be potentially exploitable. In cases observed by Darktrace affected devices were typically seen attempting to connect to other internal locations over TCP ports including 22, 445 and 3389.
C2 Communication and Data Exfiltration
In most of the RansomHub cases investigated by Darktrace, unusual connections to endpoints associated with Splashtop, a remote desktop access software, were observed briefly before outbound SSH connections were identified.
Following this, Darktrace detected outbound SSH connections to the external IP address 46.161.27[.]151 using WinSCP, an open-source SSH client for Windows used for secure file transfer. The Cybersecurity and Infrastructure Security Agency (CISA) identified this IP address as malicious and associated it with ShadowSyndicate’s C2 infrastructure [4]. During connections to this IP, multiple gigabytes of data were exfiltrated from customer networks via SSH.
Data exfiltration attempts were consistent across investigated cases; however, the method of egress varied from one attack to another, as one would expect with a RaaS strain being employed by different affiliates. In addition to transfers to ShadowSyndicate’s infrastructure, threat actors were also observed transferring data to the cloud storage and file transfer service, MEGA, via HTTP connections using the ‘rclone’ user agent – a command-line program used to manage files on cloud storage. In another case, data exfiltration activity occurred over port 443, utilizing SSL connections.
Lateral Movement
In investigated incidents, lateral movement activity began shortly after C2 communications were established. In one case, Darktrace identified the unusual use of a new administrative credential which was quickly followed up with multiple suspicious executable file writes to other internal devices on the network.
The filenames for this executable followed the regex naming convention “[a-zA-Z]{6}.exe”, with two observed examples being “bWqQUx.exe” and “sdtMfs.exe”.
Figure 1: Cyber AI Analyst Investigation Process for the SMB Writes of Suspicious Files to Multiple Devices' incident.
Additionally, script files such as “Defeat-Defender2.bat”, “Share.bat”, and “def.bat” were also seen written over SMB, suggesting that threat actors were trying to evade network defenses and detection by antivirus software like Microsoft Defender.
File Encryption
Among the three cases where file encryption activity was observed, file names were changed by adding an extension following the regex format “.[a-zA-Z0-9]{6}”. Ransom notes with a similar naming convention, “README_[a-zA-Z0-9]{6}.txt”, were written to each share. While the content of the ransom notes differed slightly in each case, most contained similar text. Clear indicators in the body of the ransom notes pointed to the use of RansomHub ransomware in these attacks. As is increasingly the case, threat actors employed double extortion tactics, threatening to leak confidential data if the ransom was not paid. Like most ransomware, RansomHub included TOR site links for communication between its "customer service team" and the target.
Figure 2: The graph shows the behavior of a device with encryption activity, using the “SMB Sustained Mimetype Conversion” and “Unusual Activity Events” metrics over three weeks.
Since Darktrace’s Autonomous Response capability was not enabled during the compromise, the ransomware attack succeeded in its objective. However, Darktrace’s Cyber AI Analyst provided comprehensive coverage of the kill chain, enabling the customer to quickly identify affected devices and initiate remediation.
Figure 3: Cyber AI Analyst panel showing the critical incidents of the affected device from one of the cases investigated.
In lieu of Autonomous Response being active on the networks, Darktrace was able to suggest a variety of manual response actions intended to contain the compromise and prevent further malicious activity. Had Autonomous Response been enabled at the time of the attack, these actions would have been quickly applied without any human interaction, potentially halting the ransomware attack earlier in the kill chain.
Figure 4: A list of suggested Autonomous Response actions on the affected devices."
Conclusion
The Darktrace Threat Research team has noted a surge in attacks by the ShadowSyndicate group using RansomHub’s RaaS of late. RaaS has become increasingly popular across the threat landscape due to its ease of access to malware and script execution. As more individual threat actors adopt RaaS, security teams are struggling to defend against the increasing number of opportunistic attacks.
For customers subscribed to Darktrace’s Security Operations Center (SOC) services, the Analyst team promptly investigated detections of the aforementioned unusual and anomalous activities in the initial infection phases. Multiple alerts were raised via Darktrace’s Managed Threat Detection to warn customers of active ransomware incidents. By emphasizing anomaly-based detection and response, Darktrace can effectively identify devices affected by ransomware and take action against emerging activity, minimizing disruption and impact on customer networks.
Credit to Kwa Qing Hong (Senior Cyber Analyst and Deputy Analyst Team Lead, Singapore) and Signe Zahark (Principal Cyber Analyst, Japan)
