DarkSide Ransomware Attack Cripples Top U.S. Fuel Provider Colonial Pipeline Causing a Major Fuel Crisis in America
Early in May of 2020, a monumental ransomware attack severely disrupted the fuel distribution within the U.S., shutting down Colonial Pipeline – the biggest U.S. gasoline pipeline which supplies over 40 percent of the east coast with gasoline, diesel, and jet fuel.
The attack, perpetrated against Colonial Pipeline and executed by the DarkSide ransomware gang, interrupted the supply chain for fossil fuel in the U.S. and drove up overall energy costs, which were already rising as a result of other global economic circumstances. Although the Biden administration attempted to respond to the attack, officials disclosed at a May 10th White House press briefing that Colonial Pipeline was not interested in the government’s help at the time.
It was later revealed that Colonial Pipeline paid a $5 million ransom to DarkSide in an attempt to retrieve almost 100GB of data taken hostage by the criminal group. The move caused alarm among the U.S. intelligence community and politicians, who feel that paying such a ransom will only inspire more attacks against critical American infrastructure.
Although Colonial Pipeline has resumed distributing fuel at close to typical levels, the fuel supply has not been restored 100%. According to Newsweek, on May 13th, 73 percent of gas stations in the U.S. capital, Washington, DC, were still out of gas. In North Carolina, almost 70 percent of all gas stations were still closed at the time of reporting, while Georgia, Virginia, and South Carolina all suffered severe shortages. CNBC reported that the hack also pushed the national average gas price up to $3.028 a gallon, its highest level since 2014.
The hackers behind the brazen attack, the DarkSide ransomware gang, are thought to operate under the ransomware-as-a-service (RaaS) business model. Simply put, this means that they lease their malicious code to cybercriminals who want to extort ransom payments from victims but are not skilled enough at coding malware to develop their own proprietary strain. Based on a number of reports, DarkSide receives as much as 25% of the collected ransom payments from its affiliates if the overall ransom payments are less than $500,000. If the affiliates collect more than $5 million, the DarkSide cut is 10%.
DarkSide is just one of many cybercrime gangs currently leasing or selling their code. They also practice the cybercrime model known as “double extortion,” which combines file encryption with threats to release stolen data via “dark network” leak sites in order to compel victims to pay.
Typically, hacker groups like DarkSide provide victims with a ransom note and then demand payment in Bitcoin or other cryptocurrencies. If the payment request is ignored, files remain encrypted and inaccessible. The DarkSide gang reportedly publishes some of the stolen data in an attempt to embarrass the victim and force them to pay. It also serves as a tactic to intimidate potential future victims into believing that refusal to cooperate will lead to the same unfortunate fate.
Although the gang is thought to be based in Russia, the Kremlin is not believed to have permitted or authorized the attack. Suspicions of state involvement were raised because the malware does not infect systems whose language is set to Russian, Ukrainian, or Armenian; however, claims of a nation-funded attack were debunked. In response to the widespread attention the Colonial Pipeline attack was receiving, the DarkSide gang attempted to allay fears of future widespread infrastructure attacks.
“We are apolitical, we do not participate in geopolitics, we do not have to affiliate with any particular government and seek other motives,” the gang said on its dark web data leak website. “Our goal is to make money and not cause problems for society. Starting today, we are introducing moderation and reviewing each company that our partners wish to encrypt to avoid future social consequences.”
DarkSide ransomware attacks usually target large companies, and the gang does not allow its affiliates to deploy the ransomware against a number of sectors, including education, health care, funeral homes, and non-profit organizations. So far, security researchers have identified five such affiliates employing DarkSide ransomware in ongoing attacks.