Ransomware attack on the US pipeline – the house is burning

Last week, there was a ransomware attack on the operator of a pipeline on the US East Coast, as a result of which the pipeline had to be shut down. Now, figuratively speaking, everything is on fire. A regional state of emergency has been declared in the affected states. The consequences are stirring up so much dust that the DarkSide gang has announced extraordinary steps. In addition, it has just come to light that the insurer AXA will no longer reimburse ransomware ransom payments under its French policies.


State of emergency after ransomware attack on U.S. pipeline

On Thursday, May 6, 2021, the DarkSide group carried out a successful ransomware attack on Colonial Pipeline, the operator of the largest fuel pipeline in the U.S. The attack did not affect the actual control systems of the pipeline, but as a result of it the operator shut down pipeline operations. I had gathered some information in the blog post Ransomware attack on US pipeline operator (May 2021).

Since this pipeline supplies about 45% of the fuel consumed on the U.S. East Coast, problems were foreseeable if operations were halted for an extended period. Meanwhile, the Federal Motor Carrier Safety Administration (FMCSA) has issued a regional emergency declaration covering 17 states and the District of Columbia. The declaration is intended to help areas in need of immediate supplies of gasoline, diesel, jet fuel and other refined petroleum products. Colleagues at Bleeping Computer have compiled some information on this.

The ransomware group had also exfiltrated data before encrypting systems and planned to blackmail the operator by threatening to release it. However, in my opinion, the whole thing has taken on the dimension of "smoking in an open fuel tank" and is likely to blow up in the face of the DarkSide ransomware gang. Because of the pipeline outage, fuel prices are rising in the regions on the East Coast. The Americans will not take this lightly, and the consequential damages are also mounting.

Tweet: Ransomware Attack on Colonial Pipeline

The U.S. intelligence services and law enforcement agencies will therefore do everything in their power to investigate and apprehend the members of the DarkSide gang. In this context, it is interesting to note that, according to the above tweet, the U.S. administration stated early on that there is no evidence of Russian intelligence involvement. These are probably simply criminals operating from Russian territory, so the remark in the tweet is to be read as saying that Russia bears some responsibility for dealing with the case. So there is a fire, figuratively speaking, in that direction as well.


Hardly a day goes by without a ransomware infection being reported somewhere. The latest case is the ransomware infection of the city of Tulsa, Oklahoma, as reported here.

Darkside gang wants to pick targets better

DarkSide is an organized group of criminals that operates on the "ransomware as a service" (RaaS) business model: it develops the ransomware and rents out its malware and infrastructure to affiliates, who carry out the attacks in exchange for a share of the ransom. The attack on the U.S. pipeline has now raised so much dust, however, that the group published a statement of sorts on its website, which CNBC picked up in this article.

In the statement, the DarkSide group says that it is not acting politically but simply wants to make money from the ransomware, without causing problems for society. "We are apolitical, we do not participate in geopolitics, we do not need to associate ourselves with any particular government and look for our motives," the statement said. "Our goal is to make money, not to create problems for society. Starting today, we are implementing moderation and reviewing any company our partners want to encrypt to avoid social consequences in the future."

Security vendor Cybereason, which brought the statement to CNBC's attention, reports that DarkSide has a perverse desire to appear ethical. The gang has even published its own code of conduct for its affiliates, specifying which targets may and may not be attacked. Organizations that may not be attacked include hospitals, hospices, schools, universities, non-profit organizations and government agencies. Also protected, apparently, are organizations based in former Soviet countries. Fair game, then, are all for-profit companies in English-speaking countries.

DarkSide also claims that it donates a portion of its profits to charities, although some of the charities have declined the contributions. On this it says, "No matter how bad you think our work is, we're happy to know that we've helped change someone's life. Today we sent out the first donations [sic]." According to Cybereason, the ransomware group operates in a highly professional manner with a clear division of labor: there is a help desk and a telephone number that victims can call.

The group has already published confidential data of more than 40 victims. For this purpose it maintains a website called "DarkSide Leaks", modeled after WikiLeaks, on which it publishes data stolen from companies. The aim is to increase the pressure on victims to pay the ransom after all.

Ransom demands typically range from $200,000 to $20 million. The attackers gather detailed information about their victims and then set the ransom based on company size and revenue. However, I expect that there will now be a lot of investigative pressure on the group. In recent years, law enforcement has repeatedly succeeded in identifying and apprehending ransomware operators. Tracing cryptocurrency payment flows is difficult, but it does not appear to be impossible either.

The Hacker News reports here that more than 25% of Tor exit relays were spying on users' darknet activity: according to a new study of dark web infrastructure, an unknown actor controlled more than 27% of the total exit capacity of the Tor network at its peak in early February 2021.
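As an added example (not code from the original post or from the study The Hacker News reports on), here is how such a share-of-exit-capacity figure is computed from the network-status consensus: parse the r/s/w entries, keep only relays that clients can actually use as exits (Exit flag set, no BadExit flag) and compare the consensus weight of a suspected operator's relays with the total. The relay list, nicknames, identity strings, addresses and bandwidth weights are constructed sample data, and SUSPECT_RELAYS is an assumed set of fingerprints; real client path selection additionally applies the consensus bandwidth-weights, which the example leaves out.

```python
"""Share of Tor exit capacity held by one operator.

Added example; not code from the original post or from the study it
cites. It applies the method behind "share of exit capacity" figures
(bandwidth-weighted share of usable exits in the network-status
consensus) to a constructed relay list laid out like the r/s/w lines of
a Tor consensus. Relay names, identity strings, addresses and weights
are made up, and SUSPECT_RELAYS is an assumed set of fingerprints.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample in the shape of consensus router entries:
#   r <nickname> <identity> <published> <ip> <orport> <dirport>
#   s <flags ...>
#   w Bandwidth=<consensus weight>
# Identity strings are shortened placeholders, not real base64 digests.
SAMPLE_CONSENSUS = """\
r alpha AAAA1111 2021-02-01 00:00:00 203.0.113.10 9001 0
s Exit Fast Running Stable Valid
w Bandwidth=20000
r bravo BBBB2222 2021-02-01 00:00:00 203.0.113.11 9001 0
s Exit Fast Running Valid
w Bandwidth=7000
r charlie CCCC3333 2021-02-01 00:00:00 198.51.100.5 443 0
s Fast Guard Running Stable Valid
w Bandwidth=90000
r delta DDDD4444 2021-02-01 00:00:00 198.51.100.6 9001 0
s Exit Fast Running Valid
w Bandwidth=73000
r echo EEEE5555 2021-02-01 00:00:00 192.0.2.7 9001 0
s BadExit Exit Fast Running Valid
w Bandwidth=50000
"""

# Assumed: fingerprints an analyst has tied to one operator.
SUSPECT_RELAYS = frozenset({"AAAA1111", "BBBB2222"})


@dataclass(frozen=True)
class Relay:
    nickname: str
    fingerprint: str
    flags: frozenset[str]
    bandwidth: int

    @property
    def usable_exit(self) -> bool:
        # Clients only use relays carrying the Exit flag in the exit
        # position, and skip relays the authorities have marked BadExit.
        return "Exit" in self.flags and "BadExit" not in self.flags


def parse_consensus(text: str) -> list[Relay]:
    """Parse r/s/w entries into Relay objects; other line types are ignored."""
    relays: list[Relay] = []
    current: dict | None = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r":
            if current is not None:
                relays.append(Relay(**current))
            current = {"nickname": parts[1], "fingerprint": parts[2],
                       "flags": frozenset(), "bandwidth": 0}
        elif parts[0] == "s" and current is not None:
            current["flags"] = frozenset(parts[1:])
        elif parts[0] == "w" and current is not None:
            for item in parts[1:]:
                key, _, value = item.partition("=")
                if key == "Bandwidth":
                    current["bandwidth"] = int(value)
    if current is not None:
        relays.append(Relay(**current))
    return relays


def exit_capacity_share(relays: list[Relay], suspects: frozenset[str]) -> float:
    """Fraction of usable-exit consensus weight owned by the suspect set.

    This is the proportion an exit-probability estimate is built on; it
    ignores the consensus bandwidth-weights that Tor clients apply on top.
    """
    exits = [r for r in relays if r.usable_exit]
    total = sum(r.bandwidth for r in exits)
    if total == 0:
        return 0.0
    suspect = sum(r.bandwidth for r in exits if r.fingerprint in suspects)
    return suspect / total


def main() -> None:
    relays = parse_consensus(SAMPLE_CONSENSUS)
    share = exit_capacity_share(relays, SUSPECT_RELAYS)
    usable = sum(1 for r in relays if r.usable_exit)
    print(f"usable exits: {usable} of {len(relays)} relays")
    print(f"suspect share of exit capacity: {share:.1%}")


if __name__ == "__main__":
    main()
```

Run as a script it prints the suspect share for the sample (27%). The BadExit case is the one to get right: a relay the directory authorities have flagged BadExit no longer carries exit traffic, so it must neither count toward an operator's share nor toward the total, which is also why spotted malicious exit groups disappear from such statistics once flagged.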

AXA stops reimbursement for ransomware

Until now, cyber insurers have been reimbursing ransom payments made by ransomware victims. In the U.S., therefore, there are efforts to cut off the flow of money by making ransom payments subject to approval (see my German post Empfehlungen des US-Finanzministeriums zu Ransomware-Forderungen). I note from this post that AXA, one of Europe's largest insurers, has stopped reimbursing ransomware payments for French customers: the relevant policies, which are supposed to reimburse victims for ransom payments, have been suspended in this respect. An official confirmation from AXA is not yet available.

This entry was posted in Security.