Colonial Pipeline, which was forced to shut down operations due to a ransomware attack, paid the hacker group nearly $5 million to restart its fuel pipeline, according to a Bloomberg report.
Colonial Pipeline, which operates the largest gasoline pipeline in the U.S., paid the ransom in cryptocurrency just hours after the attack, which has since been confirmed by several media outlets. The ransom group DarkSide is believed to be responsible for the hack and has been thrust into the international spotlight.
On May 10, 2021, the FBI announced that the attack on Colonial's pipeline was caused by a variant of the DarkSide ransomware, which forced the company to halt operations on the pipeline so that Colonial could conduct a full investigation into the incident. While the general public may be hearing DarkSide's name for the first time, threat intelligence firm Intel 471 has been tracking those associated with the hacking group since it first announced its product to the cybercrime underground last year.
Although spotted in the wild back in August 2020, DarkSide's developer "debuted" the ransomware in November 2020 on the popular Russian-language hacking forum XSS, touting that he was looking for partners in an attempt to adopt an affiliate "as a service " model. Soon after, the ransomware was found to be behind numerous attacks, including several incidents targeting manufacturers and law firms in Europe and the United States.
Some of the attack techniques, technologies and procedures analyzed by Intel 471 came from the DarkSide family, and there were similarities in the attacks, first by using vulnerable software such as Citrix, Remote Desktop Network (RDWeb) or Remote Desktop Protocol (RDP) to gain initial network access, make lateral moves and steal sensitive data, and eventually deploy ransomware; or in underground forums Purchase access credentials, perform brute-force cracking, use spam campaigns to spread malware or purchase popular botnets such as Dridex, TrickBot and ZLoader, use PowerShell backdoors for reconnaissance and persistence in corporate networks, with an arsenal that often includes Cobalt Strike and Metasploit frameworks, the Mimikatz and BloodHound.
The DarkSide organization has not claimed responsibility for the Colonial Pipeline attack, nor has it publicly compromised any data belonging to the company. However, on May 10, 2021, the organization issued an announcement suggesting that it may have been involved in the attack. In the announcement, the operator promised that they would introduce "moderation" in the future, scrutinizing each DarkSide affiliate that wanted to encrypt "to avoid future social consequences." The operator also claims that the organization is strictly money-driven and not affiliated with any government agency.
This is not the first time the DarkSide operators have attempted a public relations campaign for their actions; in October, the organization announced on its blog that it would donate a portion of the ransom money collected to Children International, a non-profit child sponsorship organization dedicated to fighting poverty, and the Water Project, a non-profit organization that aims to provide clean water to countries in sub-Saharan Africa.
"We think it's fair that some of the money they pay will go to charity," the post on the blog site reads." No matter how bad you think our work is, we'd love to know that we've helped change some people's lives."
It is not yet known if DarkSide continues to fund charities beyond the initial donation.
The combination of the popularity and growing sophistication of ransomware and the aging of energy control systems is a complex issue. As hackers become successful with ransomware operations, more cybercriminals may want to get in on the action, as the cybersecurity industry is booming and the rewards are higher compared to other crimes (i.e., targeting bank accounts). Companies responsible for critical infrastructure must understand that insecure systems are a tempting extortion target for underground cybercriminals, and that proactive defenses will go a long way toward preventing future incidents like Colonial Pipeline.