DarkSide Goes Too Far with Colonial Pipeline Ransomware Attack

The ransomware attack on the Colonial fuel pipeline that supplies the U.S. East Coast is such a rich story that it is hard to know what to discuss in a brief blog post. As anyone who follows the news knows, the software that took out Colonial is supplied by a (probably Russia-based) criminal enterprise called DarkSide. DarkSide’s business model is called “Ransomware-as-a-Service” (RaaS). They partner with affiliates who use the software to perform the actual attacks. DarkSide takes a cut of something like 10-25% of the ransom money; the affiliate who did the intrusion keeps the rest.

An article by Sophos Labs, a company that fights ransomware, gives details on how these attacks work. Typically, an attacker gets initial access to a company’s systems by tricking an employee into revealing a password or other critical information (“phishing”). The attacker then spends two or three months roaming around inside the network, harvesting credentials and escalating privileges to get more and more access. They steal (“exfiltrate”) sensitive information such as accounting, personnel, and R&D data. This table (an image in the original post) shows some of the “tools” used in these attacks:

When it’s showtime, they encrypt the data on the company’s computers, which typically brings operations to a halt. They then demand a ransom, payable in Bitcoin. If the ransom is paid, they send the victim a decryption program to recover the files. If their demands are not met, they publicly release the stolen, sensitive information. So this extortion is a double threat (the industry calls it “double extortion”): to operations, and to information exposure.

Here is an example of (I believe) an actual ransom demand note:

(Sorry, the text is hard to read.) DarkSide is professional in their own way. They assure their victims that they really will get their data restored if the ransom is paid: “…We value our reputation. If we do not do our work and liabilities, no one will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems.” Think of that, a help desk for your ransomware.

DarkSide likes to align themselves with Robin Hood, kind of: “Take from the rich, and give to the poor keep it” (with “give to the poor” struck out). They claim to be apolitical, just in it for the money, and not to target nonprofits. They even offer to donate money to charities, so we can all feel good about this. (Charities typically refuse to accept stolen money, though.)

In most cases, it is far cheaper for the victim to pay the ransom than to tough it out, scramble to rebuild their systems from scratch, and risk exposure of sensitive information. DarkSide, after all, has its reputation to protect, so they scale the ransom demands to what the victim can bear, but make sure the victims hurt if they do not pay. (Paying does not undo the theft, though: the attackers still hold a copy of the exfiltrated data, and the victim has only their word that it will not be leaked or sold later.)

Forbes cybersecurity expert Davey Winder explains that with the Colonial hack, however, Darkside (and the affiliate who did the actual hacking) stirred up something of a hornet’s nest.

If you cut off gasoline supplies to the Washington, D.C. area, you had better think through the consequences. I am sure that top national security officials were grilled by the very top government officials as to “How could this happen?”, and, “You aren’t going to let them get away with this, are you?”. After some days of public waffling on the issue, it seems Colonial did pay DarkSide some $5 million. But apparently DarkSide did not get to keep the loot, though it is hard to know what is real and what is public theater.

According to Winder,

DarkSide was effectively forced into retreat by alleged law enforcement or unspecified government disruption of the publicity blog and the ransom negotiation dark web site.

The main Russian-language criminal forum that acted as a recruitment post for potential affiliates banned all ransomware groups from advertising. The cryptocurrency wallets used by DarkSide were, it has also been said, found and funds exfiltrated.

You can follow the links in Winder’s paragraphs above for more of the details. (Most people may not realize that Bitcoin is not as private as imagined. Every transaction is recorded in public view; although the identities of the parties are hidden behind pseudonymous address strings rather than names, chain-analysis tools can cluster addresses that belong to the same wallet and trace the flow of funds from one address to the next pretty reliably.)
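To make the “trace transactions” point concrete, here is an added example (my own illustration, not code from the post or from Winder’s article) of the two basic techniques chain-analysis programs use on the public ledger: the common-input-ownership heuristic, which says that addresses spent together as inputs of one transaction are controlled by the same wallet, and a follow-the-outputs walk that tracks where coins go next. The ledger below is constructed for the example; the transaction IDs, addresses and amounts are made up.

```python
"""Bitcoin-style address clustering and fund tracing on a constructed ledger."""
from collections import defaultdict, deque

# Constructed ledger (made-up txids, addresses and BTC amounts). Each
# transaction lists its inputs and outputs as (address, amount) pairs.
LEDGER = {
    "tx1": {"in": [("victim_a", 40.0)], "out": [("ransom_1", 40.0)]},
    "tx2": {"in": [("victim_b", 35.0)], "out": [("ransom_2", 35.0)]},
    # The extortionist consolidates both deposits in one spend. Both inputs
    # had to be signed, so one wallet controls ransom_1 and ransom_2.
    "tx3": {"in": [("ransom_1", 40.0), ("ransom_2", 35.0)],
            "out": [("stash", 74.9)]},
    "tx4": {"in": [("stash", 74.9)], "out": [("hop_1", 30.0), ("hop_2", 44.8)]},
    "tx5": {"in": [("hop_1", 30.0), ("hop_2", 44.8)],
            "out": [("exchange_deposit", 74.7)]},
    # Unrelated activity that must NOT get linked to the ransom flow.
    "tx6": {"in": [("bystander", 1.0)], "out": [("shop", 0.9)]},
}


class _UnionFind:
    """Minimal disjoint-set structure for merging address clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(ledger):
    """Common-input-ownership heuristic.

    Every address that appears as an input of the same transaction is merged
    into one cluster. Returns {address: frozenset(cluster members)} covering
    every address seen on the ledger (outputs get singleton clusters until
    they are spent together with something else).
    """
    uf = _UnionFind()
    for tx in ledger.values():
        inputs = [addr for addr, _ in tx["in"]]
        for addr in inputs:
            uf.find(addr)
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)
        for addr, _ in tx["out"]:
            uf.find(addr)
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return {addr: frozenset(groups[uf.find(addr)]) for addr in uf.parent}


def same_wallet(ledger, a, b):
    """True if the heuristic attributes addresses a and b to one wallet."""
    return b in cluster_addresses(ledger).get(a, frozenset())


def trace_forward(ledger, start):
    """Follow coins downstream from `start` by walking spend -> outputs.

    Returns {address: hop_count} for every address the funds reach; the
    starting address is hop 0. Upstream addresses (the payers) and unrelated
    transactions are never visited.
    """
    spends = defaultdict(list)  # input address -> output addresses it funds
    for tx in ledger.values():
        outs = [addr for addr, _ in tx["out"]]
        for addr, _ in tx["in"]:
            spends[addr].extend(outs)
    hops = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in spends[cur]:
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops


if __name__ == "__main__":
    print("ransom_1 and ransom_2 same wallet:",
          same_wallet(LEDGER, "ransom_1", "ransom_2"))
    for addr, hop in sorted(trace_forward(LEDGER, "ransom_1").items(),
                            key=lambda kv: kv[1]):
        print(f"hop {hop}: {addr}")
```

On the constructed ledger the ransom deposits cluster together, the forward walk reaches `exchange_deposit` in three hops without touching the bystander’s transaction, and that is the shape of the trail investigators follow to an exchange, which (unlike the blockchain) knows who its customer is. The caveat is that the input-ownership heuristic assumes ordinary wallet behaviour; CoinJoin-style transactions, where strangers deliberately co-sign one transaction, produce false merges, so real analysis stacks several heuristics and treats the result as probabilistic, not proof.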

DarkSide has announced some “nicer” guidelines for its further extortions. It seems like the good guys at least partially won that battle, but the war goes on. Winder further comments:

The business model will change, just as it has always evolved, but it won’t go away. Why would it when there are so many big corporate targets out there continuing to make the mistakes that let these attackers onto their networks?

If I were king, this is what I might do: Sentence the CEO of any company which is successfully hacked to six months in prison. Overnight, you would see corporate priorities magically realigned, necessary resources allocated, internal security protocols enforced, and so on. I predict the incidence of such hacking would drop by an order of magnitude within three months of such an “executive order”.