Inside the DarkSide Ransomware Attack on Colonial Pipeline

May 10, 2021 | 4 minute read

On May 8, the Colonial Pipeline Company announced that it had fallen victim to a ransomware attack a day earlier. The pipeline operations include transporting 100 million gallons of fuel daily to meet the needs of consumers across the entire eastern seaboard of the U.S. from Texas to New York, according to the website of the refined products pipeline company.

“In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems,” Colonial Pipeline said in a web statement.

This attack has further blurred lines between nation-state sponsored APT attacks and cybercrime, as attacks of this magnitude are not like the “spray and pray” ransomware attacks of the past. These are RansomOps that are highly targeted and more akin to an APT-style operation.]]

Considering the potential impact of this shutdown, the Federal Motor Carrier Safety Administration (FMCSA) issued an emergency declaration in which it exempted 17 states and the District of Columbia from certain restrictions relating to the transportation of refined petroleum products by motor carriers and drivers.

Colonial Pipeline also used the web statement to share some details about its response thus far: “Upon learning of the issue, a leading, third-party cybersecurity firm was engaged, and they have launched an investigation into the nature and scope of this incident, which is ongoing. We have contacted law enforcement and other federal agencies.”

It went on to say that restoring its service was its primary focus. With that in mind, the company released an update on May 9 in which it disclosed its work to develop a service restart plan. Its strategy included getting smaller lines operational while some of its main lines remain offline.

All this in service of the goal of “substantially restoring operational service by the end of the week,” reported ZDNet.

Who Was Responsible?

The FBI confirmed on May 10 that the DarkSide ransomware gang was responsible for the attack. DarkSide is a relatively new ransomware strain associated with a new threat actor that Cybereason has been tracking since August 2020. In fact, the security firm has helped more than 10 of its customers to fight the group in the past few months.

Those responsible for DarkSide are very organized, and they have a mature Ransomware as a Service (RaaS) business model and affiliate program. The group has a phone number and even a help desk to facilitate negotiations with and collect information about its victims—not just technical information regarding their environment but also more general details relating to the company itself like the organization’s size and estimated revenue.

DarkSide appears to focus on targeting organizations in English-speaking countries while avoiding those in countries associated with former Soviet Bloc nations. This gang appears to have a code of conduct that prohibits attacks against hospitals, hospices, schools, universities, non-profit organizations and government agencies. No doubt that code of conduct is an effort to establish a level of trust and confidence in victims to enhance the likelihood that they’ll pay.

DarkSide follows the double extortion trend, where the threat actors first exfiltrates sensitive information stored on a victim’s systems before launching the encryption routine. After the ransomware encrypts the target’s data and issues the ransom demand for payment in exchange for the decryption key, the threat actors make the additional threat of publishing the exfiltrated data online should the target refuse to make the ransom payment. 

This means the target is still faced with the prospect of having to pay the ransom regardless of whether or not they employed data backups as a precautionary measure. Ultimately, the DarkSide gang demands between $200,000 and $2 million from its victims based on data from previous attacks.

Key Aspects of DarkSide:

  • Emerging Threat: In a short amount of time, the DarkSide group has established a reputation for being a very “professional” and “organized” group that has potentially generated millions of dollars in profits from the ransomware.
  • High Severity: The Cybereason Nocturnus Team assesses the threat level as HIGH given the destructive potential of the attacks.
  • Human Operated Attack: Prior to the deployment of the ransomware, the attackers attempt to infiltrate and move laterally throughout the organization, carrying out a fully-developed attack operation.
  • Aiming Towards the DC: The DarkSide group is targeting domain controllers (DCs), which puts targets and the whole network environment at great risk. These types of techniques allow attackers to move laterally across the network, and they make it possible to encrypt more data/systems more quickly.

What makes this possible is the amount of work that generally goes into learning about a target beforehand. That’s what makes the Colonial Pipeline attack so peculiar. Lior Div, CEO and co-founder of Cybereason, elaborated on this point for Reuters:

They know who is the manager, they know who they're speaking with, they know where the money is, they know who is the decision maker…. It’s not good for business for them when the U.S. government becomes involved, when the FBI becomes involved. It's the last thing they need.

No surprise, therefore, that the DarkSide gang issued a press release on its “DarkSide Leaks” website on May 10 in which it seemed to suggest that one of its “partners” had been behind the attack against Colonial Pipeline. It said that it would screen its affiliates’ attacks going forward:

Screenshot of DarkSide’s press release. (Source: Cybereason)

What Organizations Should Do to Defend Themselves

Lengthy detection, investigation and response periods following a successful ransomware attack are simply too little, too late. They risk putting themselves in a situation where they must pay one (or more) ransoms. Prevention is key to defending against ransomware attacks.

In those situations, there is no guarantee that they will get their data/systems restored by the attackers, that there won’t be data corruption, that their stolen information will be deleted from the attackers’ servers or that those responsible won’t follow up with another attack and ransom demand in the future.

Organizations need to detect the attack at the earliest stages and block the threat outright. That’s why prevention is the key to defending against ransomware like DarkSide. This takes a future-ready, multi-layered operation-centric approach where Indicators of Behavior (IOBs) are leveraged to detect earlier and remediate faster than attackers can adapt their tactics.

Register for our upcoming webinar, Cybereason vs. DarkSide Ransomware, for a deeper dive or talk to a Cybereason defender to learn more.

David Bisson
About the Author

David Bisson

David Bisson is an information security writer and security junkie. He's a contributing editor to IBM's Security Intelligence and Tripwire's The State of Security Blog, and he's a contributing writer for Bora. He also regularly produces written content for Zix and a number of other companies in the digital security space.

All Posts by David Bisson