Colonial Pipeline Disrupted by Now-Defunct DarkSide Operation

The Colonial Pipeline Company fell victim to DarkSide, a ransomware operation which closed shop after its attack made international headlines and attracted the attention of the FBI.

A Look at What Happened at Colonial Pipeline

On May 8, the Colonial Pipeline Company disclosed that it had suffered a digital attack involving ransomware a day earlier.

The Company responded by suspending its pipeline operations, which, according to its website, consist of transporting 100 million gallons of fuel each day to customers located between Houston, Texas and New York Harbor.

It also said that it was working with a third-party digital security firm to investigate what happened and that it was in contact with law enforcement as well as federal authorities.

The next day, Colonial Pipeline issued an update in which it said that it was in the process of restoring service to some of its smaller lateral pipelines while mainlines 1-4 remained offline.

The Company clarified that these steps were part of “an incremental process that will facilitate a return to service in a phased approach... [with] the goal of substantially restoring operational service by the end of the week.”

It was five days later when the Colonial Pipeline Company announced that it had restarted its entire pipeline system and had resumed service to all of its markets.

DarkSide Behind the Attack

On May 11, the FBI along with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed that DarkSide was responsible for the Colonial Pipeline attack.

The DarkSide Ransomware-as-a-Service (RaaS) operation first started up in mid-August 2020, according to Bleeping Computer.

Those responsible for the threat made a name for themselves by claiming to spare organizations in the healthcare, education, not-for-profit and government sectors from attack. The fact that DarkSide handlers also embraced double extortion as one of their techniques and began demanding ransoms as high as $2 million only helped their notoriety grow.

This backfired in the case of Colonial Pipeline. Yes, attackers associated with the RaaS apparently collected a ransom payment of $5 million from the Company in exchange for a decryption key, per ZDNet. But DarkSide still ended up in the crosshairs of the FBI and CISA—something which no digital threat operation ever really wants.

It’s no wonder, therefore, that the attackers adopted a conciliatory tone on their data leaks site after the Colonial Pipeline incident made news. They used their platform to assert that they “do not participate in geopolitics,” noted Cybereason. They also promised to “check each company that our partners want to encrypt to avoid social consequences in the future,” a statement which seems to suggest that one of their affiliates was responsible for the Colonial Pipeline attack.

The End of DarkSide

Those assurances weren’t enough for someone familiar with DarkSide’s infrastructure. On May 14, KrebsOnSecurity reported that DarkSide had decided to shutter its doors after suffering a security incident of its own.

A message posted on the program’s Telegram channel (and at least partially written by a representative of the REvil RaaS operation) indicated that someone had seized control of the attackers’ data leaks site, payment server and DOS servers, according to KrebsOnSecurity. Shortly thereafter, the gang found that those servers weren’t reachable via SSH and that the hosting panels were blocked.

They also observed that someone had withdrawn the funds from their payment server and transferred them to an unknown location. This action prevented the attackers from paying their affiliates for the attacks that they had already completed.

A Shifting Threat Landscape

DarkSide might now be gone, but the ransomware landscape is still shifting in the aftermath of the Colonial Pipeline attack. In the farewell message cited above, for instance, the REvil representative said that their own operation would thenceforth prohibit affiliates from targeting the same types of organizations deemed by DarkSide as out of bounds. They also said that affiliates would now need to gain permission before launching their attacks.

The Colonial Pipeline attack could have an even longer-lasting effect on how REvil and other ransomware operations conduct their business. That’s because many Russian digital crime forums are now preventing members from posting about ransomware. Those web locations include XSS, an underground forum whose admin recently announced that members could no longer discuss “Ransomware affiliate programs,” “Ransomware rental” or the “sale of lockers (ransomware software),” according to Heimdal Security.

“There’s too much publicity,” the XSS administrator explained, as quoted by KrebsOnSecurity. “Ransomware has gathered a critical mass of nonsense, bullshit, hype, and fuss around it. The word ‘ransomware’ has been put on a par with a number of unpleasant phenomena, such as geopolitical tensions, extortion, and government-backed hacks. This word has become dangerous and toxic.”

It’s unclear whether this decision will have an impact on ransomware actors’ ability to recruit new affiliates and/or on how ransomware attackers conduct themselves more generally.

The Legacy of the Colonial Pipeline Attack

Troy Gill, manager of security research at Zix | AppRiver, recognizes that the Colonial Pipeline attack reflects the reality of the growing ransomware threat.

“The recent attack on the Colonial Pipeline highlights the risk ransomware can pose not only to businesses but to critical national industrial infrastructure,” he said. “The attack also showcases that the trend of ‘ransomware as service’ is prolific in today’s world in addition to seeing the growing trend of more joint involvement from both private companies and government agencies to help halt the impact as quickly as possible. Similar to the FBI stepping in and removing Microsoft Exchange web shells to help safeguard organizations, I believe this involvement by the FBI and other government agencies has become critical to assist and prevent further damage with the Colonial Pipeline attack.”

From a broader perspective, DarkSide’s targeting of the Colonial Pipeline also underscores the need for organizations in every sector to strengthen their defenses against ransomware. One of the ways they can do that is by investing in an email threat protection solution that scans for disallowed IP addresses, campaign patterns and other indicators of potential threats such as ransomware. Such a solution should perform this type of analysis in real time so that legitimate business correspondence can reach its intended destination within the organization, all while preventing a ransomware infection from occurring in the first place.

Organizations also need to make sure they’re covered if they suffer a ransomware attack. Specifically, they need to maintain backups of their data.

Anne Neuberger, national security adviser for cyber and emerging technologies at the White House, said the same thing to MSNBC.

Companies are often in a difficult position if their data is encrypted and they do not have backups and cannot recover the data.

That said, not just any old backup utility will do. Organizations need a comprehensive backup and recovery solution that protects critical data not only on-premises but also in SaaS applications like Dropbox, Google Workspace and more. It’s this type of tool that will help them achieve compliance with GDPR and other data protection regulations as well as perform point-in-time recovery should ransomware infect their systems.

Both email threat protection and backup and recovery are needed as part of a corporate resilience plan against ransomware. Not many companies offer both. But Zix does.

Strengthen your organization’s ransomware defense strategy with Zix today.