The ransomware group behind the Colonial Pipeline attack

On May 7th, Colonial Pipeline, a major US fuel pipeline serving the country’s east coast, was the target of a cyber-attack by a hacker group known as DarkSide. The resulting closure of the pipeline caused fuel shortages and panic buying among those living in the affected states.

The unprecedented attack is part of a troubling rise in ransomware-as-a-service (RaaS) groups, illustrating that encryption isn’t always used for good.

What happened?

Colonial Pipeline voluntarily shut down the pipeline soon after discovering the attack to minimize damage and restart services as quickly and safely as possible. Soon after, according to The Associated Press, company leaders decided to give in to DarkSide’s demands and pay the ransom of 75 bitcoin (around $4.4m).

Although the FBI discourages ransomware payments so as not to encourage criminal hackers, many victims choose to pay anyway to ensure that they can recover the stolen data or resume services. This is largely why Colonial Pipeline decided to pay the ransom, citing the fact that “tens of millions of Americans rely on Colonial: hospitals, emergency medical services, law enforcement agencies, fire departments, airports, truck drivers and the traveling public” to support their decision.

What is ransomware, and who is DarkSide?

Ransomware is a type of malicious software that uses encryption to stop a target from accessing their own data. Cybercriminals target both large organizations and private individuals with ransomware, holding their information to ransom until a demanded amount has been paid. In addition, they often threaten to permanently block access to the data, or to publish it, if the victim refuses to pay.

DarkSide is a hacker group that operates on a RaaS model. This means that the group provides the tools and software needed to perform a ransomware attack, while someone else (an affiliate) actually carries out the attack. Such services open up the world of hacking to those who don’t have the technical capabilities needed to orchestrate a cyber-attack by themselves.

When a ransom is paid, the RaaS group will usually take a percentage of the payment. According to Elliptic, DarkSide receives a 25% cut of ransoms worth less than $500,000, with that percentage decreasing to 10% for ransoms worth over $15m. A blockchain analysis carried out by Elliptic showed that DarkSide’s Bitcoin wallet had received $90 million in Bitcoin from 47 separate wallets to date, more than likely from other ransomware victims.

DarkSide tends to target for-profit companies in English-speaking countries. In a statement on their website following the attack, the group claimed that they are apolitical and that their goal is to make money, not to cause problems for society. Because of this, the group said it would introduce better moderation of the companies its affiliates target going forward, in order to avoid consequences like those of the Colonial Pipeline attack.

However, just a few days later, on May 13th, the group announced that they would be shutting down and ceasing operations due to pressure from the US government.

Wrap up

This cyber-attack and the ensuing chaos are a reminder of how crucial good cybersecurity defenses are across the public and private sectors, particularly as they become more and more reliant on interconnected digital devices and IT networks to operate critical infrastructure. Hopefully, this leads to more organizations upgrading security measures across the board so as not to repeat such an incident. President Biden’s recent executive order to improve the nation’s cybersecurity is a step in the right direction.