Incident responders share insight on the DarkSide ransomware group connected to the recent Colonial Pipeline ransomware attack.

Kelly Sheridan, Former Senior Editor, Dark Reading

May 12, 2021


Details continue to emerge about the ransomware attack that hit Colonial Pipeline late last week, forcing the major US pipeline operator to take some systems offline and temporarily halt pipeline operations. The FBI has linked ransomware-as-a-service (RaaS) group DarkSide to the attack.

Colonial Pipeline runs a system spanning 5,500 miles between Houston, Texas, and northern New Jersey, delivering about 45% of the fuel for the East Coast, the company says. In an update published May 12, officials reported they had initiated the restart of pipeline operations and note it will take several days for the product delivery supply chain to return to normal. 

Since its system was taken offline, Colonial has delivered about 967,000 barrels, or 41 million gallons, to delivery points along the pipeline, the company said in a May 11 update. It prepared for the system reboot with delivery of 2 million more barrels from refineries for deployment upon restarting. It has also boosted aerial patrol of its pipeline and deployed personnel to walk or drive some 5,000 miles of the pipeline daily.

On May 12, the company confirmed to The Washington Post it would not be paying the ransom. Rather, it is working to restore data from backups where possible and rebuild systems for which backups are not available.

Additional updates include an advisory from the FBI and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), which warn of the DarkSide ransomware group and provide guidance on strengthening security practices.

A ransomware attack on a utility company is not unusual for DarkSide or the industrial sector. Earlier this year, DarkSide was connected to attacks on Brazilian electric utilities Eletrobras and Copel, which were forced to temporarily stop some operations. But this attack seems to have had more reach than the DarkSide operators expected, and shortly after it they released a statement saying that "our goal is to make money, and not creating problems for society."

The group went further to say they planned to "introduce moderation and check each company that our partners want to encrypt" to avoid potential social repercussions from future attacks.

"This appears to be a reaction to the spotlight that has now been put on them," says Peter Mackenzie, incident response manager at Sophos, which had been hired to respond to, or intervene in, earlier attacks from the ransomware group. "DarkSide [is] a sophisticated group of attackers responsible for some of the most devastating attacks we see at the moment."

The RaaS group emerged in August 2020. Its operators and partners have targeted organizations across more than 15 countries and several industries, including financial services, legal, manufacturing, professional services, retail, and tech. It doesn't target hospitals, schools, universities, nonprofits, or the public sector, according to a technical writeup from Mandiant, which was reportedly called to help respond to the Colonial Pipeline attack.

DarkSide's owners share profits with affiliates who conduct the attacks, provide access to target organizations, and deploy the ransomware. It's believed the operators are mainly responsible for maintaining the platform their partners use to customize ransomware files, deciding which leaked information goes on their leak site, and handling negotiations, Mackenzie explains. The group's affiliates likely have experience playing the same role for other ransomware syndicates.

"The first attack we investigated we believe was the original threat actor behind DarkSide, as they didn't have much interest in getting paid. They were happy for data to be leaked instead to help make a name for themselves," he says. "The following incidents were likely affiliates, but it is difficult to be sure."

Because of the way DarkSide operates, it's unclear how much control the group's owners have over affiliates who break into networks and launch ransomware, Sophos researchers explain.

This is a big question following the Colonial Pipeline attack: Was this the work of the DarkSide group itself or the work of one of its many partners? Mandiant has identified at least five Russian-speaking attackers who may currently be, or have previously been, DarkSide affiliates. Some attackers who claim to use DarkSide's services have also allegedly partnered with other RaaS affiliate programs, including Babuk and Sodinokibi, or REvil, Mandiant researchers report.

Standing Out from The Pack
DarkSide is one of many advanced groups targeting organizations today. It has many similarities to Ryuk, REvil, DoppelPaymer, and others, Mackenzie says. Most of these groups employ the same general approach of gaining network access, compromising domain admin credentials, creating lists of target servers and infrastructure, and identifying backups and sensitive data.

"Then when they are ready, often days or weeks after first gaining access, they will deploy the ransomware like a normal application that an admin might deploy," he notes. Like many others, DarkSide uses the "double extortion" technique of first exfiltrating large amounts of data and then encrypting the network before threatening to publish the data if the ransom demand isn't met.

In some ways, DarkSide is different. The group not only attacks Windows machines; it also deploys Executable and Linkable Format (ELF) binaries to target data on Linux devices. The Linux version of its ransomware specifically targets VMDK files, Sophos reports, noting these are virtual hard disk files used by virtual machines, including VMware and VirtualBox.

What Organizations Can Do
Are these attacks happening more often, or are we simply hearing about them more often? Marty Edwards, vice president of OT security at Tenable, says "it is a little bit of both."

Data supports his point: New research from Check Point reveals a 102% increase in ransomware attacks this year compared with early 2020, with healthcare and utilities topping the most targeted sectors since the beginning of April 2021. Ransomware is estimated to have cost global businesses some $20 billion last year – nearly 75% more than the cost in 2019.

"Organizations are to be applauded for their increased transparency during incidents such as these and, as a result, we are hearing about them more often," Edwards says. "Most experts tend to agree that the tempo is also increasing, meaning that there are more and more of these attacks happening every single day."

While this attack affected Colonial's enterprise network, it underscores how businesses must consider the interconnected nature of OT operations. While many organizations believe their OT networks, including industrial control systems, are highly segmented, ICS security firm Dragos notes this is often not the case.

"It is common to hear about pending IT-OT convergence, but in reality much of that convergence took place a decade ago, and the preventative controls, such as segmentation, that the organizations had in place have atrophied over time through misconfigurations, additional devices, or just the nature of needing increased connectivity for the business," Dragos experts wrote in a blog post.

Monitoring the crown jewels of an organization should be a top priority, they said. Security teams should also know what the most relevant logs are, where they are kept, and how long they are available – a must-have when responding to an attack like this one. Experts also advise installing network monitoring across internal OT networks for visibility into IT/OT connections.
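The visibility Dragos and the other experts describe can be made concrete with a small flow-log check. The following is an added example, not code from the article, Dragos, Sophos or Colonial Pipeline: it assumes an organization has written down its IT and OT address ranges and the handful of sanctioned IT-to-OT paths (a historian feed, an admin jump host), then reads constructed NetFlow-style records and flags every IT-to-OT connection that matches none of those paths. The address ranges, allowlist entries and flow lines are all constructed for the example; a real deployment would feed it from a flow collector or the network-monitoring sensor the experts recommend.

```python
import ipaddress
from collections import Counter

# Constructed address plan (assumption for this example, not from the article):
# enterprise IT lives in 10.10.0.0/16, the OT/ICS network in 10.200.0.0/16.
IT_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]
OT_NETWORKS = [ipaddress.ip_network("10.200.0.0/16")]

# Constructed allowlist of sanctioned IT -> OT paths as (source, destination, dest port).
# These are the crossings an organization has deliberately designed; anything else
# crossing the boundary is a segmentation gap worth investigating.
ALLOWED_IT_TO_OT = [
    (ipaddress.ip_network("10.10.5.20/32"), ipaddress.ip_network("10.200.1.10/32"), 443),   # historian replication
    (ipaddress.ip_network("10.10.7.0/24"),  ipaddress.ip_network("10.200.1.5/32"),  3389),  # admin jump host
]

# Constructed flow records in a simplified NetFlow-like form: src,dst,dport,proto,bytes.
SAMPLE_FLOWS = """\
10.10.5.20,10.200.1.10,443,tcp,88211
10.10.7.14,10.200.1.5,3389,tcp,420001
10.10.42.77,10.200.3.9,445,tcp,9144
10.10.42.77,10.200.3.9,502,tcp,1200
10.200.3.9,10.200.3.10,502,tcp,3100
10.10.42.77,8.8.8.8,53,udp,120
"""


def in_any(addr, nets):
    """True if the address falls inside any of the given networks."""
    return any(addr in n for n in nets)


def parse_flows(text):
    """Parse the simple comma-separated flow format into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto, nbytes = line.split(",")
        flows.append({
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "proto": proto,
            "bytes": int(nbytes),
        })
    return flows


def is_allowed(flow):
    """True if the flow matches a sanctioned IT -> OT path in the allowlist."""
    return any(flow["src"] in s and flow["dst"] in d and flow["dport"] == p
               for s, d, p in ALLOWED_IT_TO_OT)


def find_unsanctioned_crossings(flows):
    """Flows whose source is IT and destination is OT but which match no allowlisted path."""
    return [f for f in flows
            if in_any(f["src"], IT_NETWORKS)
            and in_any(f["dst"], OT_NETWORKS)
            and not is_allowed(f)]


def summarize(flows):
    """Count unsanctioned crossings per IT source host; one host touching many OT
    destinations or ports is the pattern a responder wants surfaced first."""
    return Counter(str(f["src"]) for f in find_unsanctioned_crossings(flows))


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for f in find_unsanctioned_crossings(flows):
        print(f"unsanctioned IT->OT: {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']} ({f['bytes']} bytes)")
    print(dict(summarize(flows)))
```

The check is deliberately boundary-only: OT-to-OT traffic (the Modbus flow between two 10.200.x hosts) and IT-to-Internet traffic are ignored, so the output is a short list of exactly the crossings that segmentation was supposed to prevent. Running it periodically against retained flow logs also answers the experts' other point, since it fails loudly when the logs for a period are simply missing.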

About the Author(s)

Kelly Sheridan

Former Senior Editor, Dark Reading

Kelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.
