DarkSide Ransomware Hit the US’s Largest Pipeline

Alexander Adamov
Spin.AI Ransomware Protection
4 min read · May 13, 2021

A hacker group called DarkSide is responsible for a ransomware cyberattack on the US’s largest pipeline operator, the Colonial Pipeline. Experts say that as this attack unfolds, US fuel prices are likely to rise 2–3% starting May 10, and the impact will intensify the longer the pipeline stays shut down.

Colonial Pipeline supplies gasoline, diesel, and jet fuel from Gulf Coast refineries to the eastern and southern United States. The company pumps 100 million gallons of fuel a day through its system, which is 45% of all fuel consumed on the East Coast and supplies fuel to 50 million Americans.

The attack began on May 6. The media noted that the attackers stole approximately 100 GB of data, blocked computers, and demanded a ransom. The ransom amount is not known yet. Bloomberg’s sources report that the hackers used a double extortion scheme: they threaten to leak the stolen confidential information on the Internet, and the encrypted computers on the company’s network will remain blocked if the ransom is not paid.

The company representatives in their statement said:

On May 7, Colonial Pipeline Company learned it was the victim of a cybersecurity attack. In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems.

Currently, the pipeline is gradually being restored, and the authorities are organizing the delivery of fuel and oil products in tank trucks.

According to a recent Bloomberg report, Colonial Pipeline already paid nearly $5 million in cryptocurrency to the attackers a week ago. However, the decryptor they received turned out to be so slow that the company decided to use its own backups to speed up restoring the pipeline system.

FireEye’s incident response division, Mandiant, has been assisting with the investigation and recently published a DarkSide ransomware report explaining the tactics and techniques used in the attack and providing Indicators of Compromise (IoCs).

This attack follows the same pattern as other ransomware operations: the attackers try to obtain administrator and Windows domain privileges by moving through the network in search of login credentials. By moving laterally across the network, they gain access to the victim’s unencrypted data on its servers. The stolen information is sent to a data exfiltration site, and after that the victim is pressured to pay a ransom. To prevent the victim from recovering their files, the attackers use a PowerShell command that deletes the shadow copies of files on the system.
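The shadow-copy deletion step described above is one of the more reliable things a defender can alert on. The following is an added example, not code from the original post or from SpinOne: it scans PowerShell Script Block Logging events (Event ID 4104) in a constructed key=value export format for script text that deletes Volume Shadow Copies. The log lines, host and user names are constructed samples.

```python
"""Flag shadow-copy deletion in PowerShell Script Block logs (ATT&CK T1490).

Added example, not code from the original post or SpinOne: it scans
constructed Script Block Logging events (Event ID 4104) for script text
that deletes Volume Shadow Copies, the recovery-blocking step described above.
"""
import re
from typing import Dict, List, Optional

# Common ways shadow copies are deleted from PowerShell: the WMI/CIM
# Win32_ShadowCopy class, or vssadmin / wmic launched from a script block.
SHADOW_COPY_DELETE_PATTERNS = [
    re.compile(r"Win32_ShadowCopy.*\.Delete\(\)", re.IGNORECASE | re.DOTALL),
    re.compile(r"Remove-CimInstance.*Win32_ShadowCopy", re.IGNORECASE | re.DOTALL),
    re.compile(r"vssadmin(\.exe)?\b.*\bdelete\s+shadows", re.IGNORECASE | re.DOTALL),
    re.compile(r"wmic(\.exe)?\b.*\bshadowcopy\s+delete", re.IGNORECASE | re.DOTALL),
]

# Constructed key=value export format (hypothetical, not a native Windows one).
EVENT_RE = re.compile(r"^EventID=(?P<id>\d+)\s+Host=(?P<host>\S+)\s+"
                      r"User=(?P<user>\S+)\s+ScriptBlockText=(?P<text>.*)$")

def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Return the event fields, or None for a line that is not an event."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None

def is_shadow_copy_deletion(script_text: str) -> bool:
    """True when the script text matches any deletion pattern."""
    return any(p.search(script_text) for p in SHADOW_COPY_DELETE_PATTERNS)

def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return the 4104 events whose script block deletes shadow copies."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev and ev["id"] == "4104" and is_shadow_copy_deletion(ev["text"]):
            hits.append(ev)
    return hits

# Constructed samples: a benign listing, an enumeration that deletes nothing,
# two deletions, and a non-4104 event that this rule does not cover.
SAMPLE_LOG = [
    r"EventID=4104 Host=WS01 User=CORP\alice ScriptBlockText=Get-ChildItem C:\Users\alice",
    r"EventID=4104 Host=WS01 User=CORP\alice ScriptBlockText=Get-WmiObject Win32_ShadowCopy | Select-Object ID",
    r"EventID=4104 Host=FS01 User=CORP\svc ScriptBlockText=Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }",
    r"EventID=4103 Host=FS01 User=CORP\svc ScriptBlockText=vssadmin delete shadows /all /quiet",
    r"EventID=4104 Host=FS02 User=CORP\bob ScriptBlockText=Start-Process vssadmin.exe -ArgumentList 'delete shadows /all /quiet'",
]
```

Running `detect(SAMPLE_LOG)` returns only the two FS01 and FS02 deletion events; the mere enumeration of shadow copies on WS01 is not flagged, which keeps the rule from firing on legitimate backup tooling.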

Both Windows and Linux systems can be attacked, as can virtual machines, whose data is encrypted on their virtual hard drives.

Since it first appeared in August 2020, DarkSide has already carried out a number of attacks on large companies, including CompuCom, Discount Car and Truck Rentals, Brookfield Residential, and the Brazilian Companhia Paranaense de Energia (Copel). DarkSide operates as ransomware as a service (RaaS), sharing the profits from each attack among all the participants in the crime.

DarkSide members stated on their data leak site that they are apolitical and target organizations that have the ability to pay, including financial services, legal, manufacturing, professional services, retail, and technology. They claim that medicine, educational institutions, non-profit organizations, and the public sector are excluded from their targeting. American sources suggest that the DarkSide ransomware group is composed of Russian hackers.

Let us take a look at the DarkSide traces and how SpinOne detects the attack.

The files encrypted by the DarkSide ransomware:

After encryption, it leaves a ransom note in the folder with encrypted files:

SpinOne Ransomware Protection successfully detects and stops the attack. Then, SpinOne recovers the encrypted files in the cloud.

The files on Google Drive have been successfully recovered by SpinOne:



Dr. Alexander Adamov has 15 years' experience in the analysis of cyberattacks. He also teaches cybersecurity at the university and explores AI/ML capabilities.