What We Know About Colonial Pipeline Ransomware Attack

It was reported late last week that Colonial Pipeline, one of the largest U.S. fuel suppliers, was hit with a ransomware attack. The attack shut down 5,500 miles of pipeline, raising concerns over future gasoline supply and prices, as Colonial Pipeline delivers about 45% of the fuel used along the U.S. East Coast.

The FBI has since confirmed that the ransomware group known as DarkSide was responsible for the attack.

On May 8th, Colonial Pipeline issued a public statement that the organization “learned it was the victim of a cybersecurity attack. [And] have since determined that this incident involves ransomware.” In response, the company took specific systems offline to contain the damage, halting pipeline operations in the process. According to the BBC, DarkSide took almost 100 gigabytes of data hostage and threatened to leak that information onto the internet if an undisclosed ransom was not paid. Colonial Pipeline Co. said in an update that the pipeline is returning to operational status. However, it could take days to resume full operations, so even though the ransomware itself has been dealt with, there are still lingering effects both for consumers and for the company itself.

According to Krebs on Security, DarkSide first surfaced on Russian-language hacking forums in August 2020. The group has been identified as a ransomware-as-a-service platform that vetted cybercriminals use to infect companies with ransomware and to carry out negotiations and payments with victims. The group touts that it only targets large, established organizations and will not attack certain industries (healthcare, education, etc.) because of its purported ethical code.

According to Vice, almost as soon as the attack was reported, the group issued an apology via its dark web site. It said:

We are apolitical, we do not participate in geopolitics; there is no need to tie us to a defined government or to look for other motives of ours.

Our goal is to make money, not to create problems for society.

Ransomware has been on the rise over the last several years. A study from last year reported that 51% of surveyed organizations were hit by ransomware in 2020. ZDNet also reported that ransomware gangs made at least $350M in 2020, a 311% increase over the ransomware payments recorded in 2019.

Ransomware-as-a-service (RaaS) is making it very easy for cybercriminals to profit from these types of attacks. RaaS is a business model in which malware developers sell or lease their malware to cybercriminals on the dark web. The service gives criminals who lack the skills to build their own tooling the ability to distribute and manage ransomware campaigns. Under this model, the developer benefits by receiving a cut of each ransom paid by a victim for the decryption key.

In light of some of these high-profile ransomware attacks, President Biden signed an Executive Order to improve the nation’s cybersecurity and to protect federal government networks. While this is a good first step, it is not likely to materially change the threat landscape: nearly all of America’s critical infrastructure is privately owned and operated, and the Executive Order, while it sets the stage, is mostly focused on federal networks. If America’s national security interests are to truly be protected, we will need regulatory requirements across all sectors of critical infrastructure.

Paul Martini, iboss CEO, commented, “Ransomware attacks have spiked over the course of the pandemic, so while it’s not shocking to hear about another high-profile attack, the rapid contrition from the attackers is peculiar. We’ve seen massive attacks against some of the largest organizations, yet organized threat actors – previously motivated strictly by financial gain – may now see a need to differentiate themselves from other criminals and nation-state cyber-espionage groups. Despite this ‘apology’, no organization, from small independent businesses to the Fortune 500, should let their guard down. Prioritizing a strong network security posture is the only defense against constantly evolving threats.”

Hear what Jim Gogolinski, iboss VP of Threat Intelligence and Research, has to say about the impact of ransomware-as-a-service: