In May 2021, Colonial Pipeline, the largest fuel pipeline operator in the United States, was hit by a DarkSide ransomware attack. In the wake of the attack, an emergency regime was introduced in a number of states, law enforcement attention to ransomware increased, and hacker forums hurried to ban the advertising of ransomware.
Colonial Pipeline Ransomware Attack
Large companies and organizations have increasingly become victims of hacker attacks. Some hacker groups promise not to attack the healthcare sector or critical infrastructure and generally try not to attract undue attention to themselves; others spare no one and attacked the networks of medical institutions even during the coronavirus pandemic.
The attack on Colonial Pipeline, the largest fuel pipeline operator in the United States, was a high-profile incident. It disrupted the supply of gasoline, diesel fuel, jet fuel and other refined products in a number of states.
The incident forced Colonial Pipeline to temporarily suspend operations; the company transports oil products between refineries on the Gulf Coast and markets in the southern and eastern United States. Its 5,500-mile pipeline carries up to 2,500,000 barrels per day, roughly 45% of all fuel consumed on the US East Coast.
“On May 7, it became known that Colonial Pipeline was the victim of a cyberattack. We have preemptively shut down certain systems to contain a threat that temporarily interrupted our pipeline and affected some IT systems. Upon learning of the problem, we turned to a third-party cybersecurity firm, and they have already begun an investigation into the nature and extent of this incident, which is still ongoing, ”read the Colonial Pipeline’s official statement, made immediately after the incident.
As a result, the FTA, part of the US Department of Transportation, declared a regional emergency covering 17 states and the District of Columbia. The decision was made to assist affected areas needing immediate supplies of gasoline, diesel fuel, jet fuel and other refined products.
The following states and the District of Columbia were covered by the emergency declaration: Alabama, Arkansas, Virginia, Delaware, Georgia, Kentucky, District of Columbia, Louisiana, Mississippi, Maryland, New Jersey, New York, Pennsylvania, North Carolina, Tennessee, Texas, Florida and South Carolina.
Colonial Pipeline said it was working with law enforcement and the US Department of Energy to gradually bring pipeline segments back online and bring IT systems back into service as soon as possible.
$4.4 Million Ransom
Shortly after the hack became known, Bloomberg, citing its own anonymous sources, reported that the company had paid the ransomware operators a ransom of $5 million. Although the Washington Post and Reuters wrote at the same time that the company did not intend to negotiate with the attackers, Bloomberg’s journalists said this information was not true.
Almost simultaneously with these press reports, Colonial Pipeline was indeed able to restore normal operation of its pipeline, and supplies of petroleum products returned to normal volumes.
A few days later, Colonial Pipeline CEO Joseph Blount officially confirmed to the Wall Street Journal that the company had paid the attackers $4.4 million in bitcoin. According to him, this was necessary in order to recover as quickly as possible from a ransomware attack that affected critical energy infrastructure. Blount called the ransom payment “the right thing to do” for the country.
“I know this is a very controversial decision. It was not easy for me to do it. I confess, it was uncomfortable to see how money goes to such people,” said Blount, adding that the ransom had been paid back on May 7.
As a result, the company did receive a tool for decrypting its data, but it worked so slowly that the company’s specialists had to continue the previously started recovery of systems from backups.
It became known almost immediately that the DarkSide ransomware operators were behind the attack on Colonial Pipeline. The Washington Post was the first to report this, and the FBI soon officially confirmed it.
The group that created the DarkSide malware has been active since August 2020 and operates under the Ransomware as a Service (RaaS) scheme, actively advertising its malware on the darknet and collaborating with other hack groups. DarkSide is a classic “big game hunter”: it mainly attacks large corporate networks, encrypts data, and then demands huge ransoms from the affected companies. If victims refuse to pay, DarkSide members publish the stolen data on their darknet site.
According to a recent report by the blockchain analytics company Elliptic, the hackers have so far made about $90 million in ransoms.
“In total, just over $90 million in Bitcoin has been paid out to DarkSide from 47 different wallets,” the company said in its report.
Since DarkSide operated on the RaaS model, the ransomware developers kept about 25% of each ransom paid, or 10% if the ransom exceeded $5 million. Elliptic therefore believes that the hackers themselves actually “earned” about $15.5 million, while the rest of the funds remained in the hands of the group’s “partners” (the cybercriminals who break into victim networks and deploy the malware in them).
Many experts said that by attacking Colonial Pipeline, the hackers had gone too far and were now of great interest to US law enforcement agencies.
At the same time, US President Joe Biden said at a press conference that there was no information about the involvement of the Russian government in this attack, but that, according to the intelligence agencies, members of the hack group may be on Russian territory. Biden said the US authorities intend to disrupt the group’s work and that negotiations had already been held with Moscow to that end.
Disappearance Of DarkSide
Since the attack on Colonial Pipeline attracted the attention of experts, intelligence agencies and the media from around the world, within a few days the hackers hurried to release a statement. While the press tried to attribute the attack to Russian government hackers, a “press release” published on the DarkSide website on May 10 stated that the group was apolitical and pursued exclusively its own goals. The hackers also did not seem happy about the chaos their actions had provoked, and promised to scrutinize future targets more carefully:
“We are apolitical, not connected with geopolitics, and there is no need to connect us with certain governments and look for other motives. Our goal is to make money, not create problems for society.
Starting today, we are introducing moderation and will be checking every company that our clients want to encrypt in order to avoid similar social consequences in the future.”
On May 14, 2021, DarkSide operators released another message stating that they had lost control of their web servers and the ransom funds and were now shutting down.