Colonial Pipeline Ransomware Incident

Ransomware is again making headlines and for all the wrong reasons. Last week this publication covered how using pirated software can leave an organization vulnerable to a ransomware attack. The incident showed how ransomware operators look to exploit poor network and security controls and how the granting of admin privileges should be kept to a minimum. Now, a recent incident shows how damaging a ransomware incident can be, not just to an organization but to society as a whole.

The incident involved the forced shutdown of the largest refined petroleum pipeline in the US. The Colonial Pipeline transports petroleum from the Gulf of Mexico to markets throughout the southern and eastern United States. The company transports 2.5 million barrels per day through its 5,500-mile pipeline and provides 45% of all fuel consumed on the East Coast of the US. According to the Wall Street Journal, the shutdown is expected to push up the price of petroleum in an already volatile market. Reports are already emerging of gas stations normally served by the pipeline running dry, again hitting consumers.

Following the attack, the Colonial Pipeline company issued a statement stating,

“On May 7, the Colonial Pipeline Company learned it was the victim of a cybersecurity attack. In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations and affected some of our IT systems. Upon learning of the issue, a leading, third-party cybersecurity firm was engaged, and they have already launched an investigation into the nature and scope of this incident, which is ongoing. We have contacted law enforcement and other federal agencies.

Colonial Pipeline is taking steps to understand and resolve this issue. At this time, our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation. This process is already underway, and we are working diligently to address this matter and to minimize disruption to our customers and those who rely on Colonial Pipeline.”

Given the extent and seriousness of the incident, questions as to who was responsible were asked immediately. Shortly after the incident began to make headlines in the New York Times and other international news outlets, it was suggested that those behind the DarkSide ransomware variant were responsible. The Washington Post was possibly the first publication to publicly point the finger at the group.


This information was given to journalists by a source familiar with the matter. For a few days, this was all the public could go on. On Monday, May 10, the FBI formally stated via Twitter that those behind DarkSide were indeed responsible for the attack, which, at the time of writing, had still left much of the pipeline inoperable.

The attack resulted in the White House calling an emergency meeting in an effort to establish who was responsible and the extent of the damage. Both White House officials and intelligence officials believe the attack was conducted purely for financial gain and did not involve any state-sponsored participation.

DarkSide’s operators are believed to be based in Eastern Europe, with Russia being a strong contender for the country of origin. The attack is significant for several reasons including exposing the vulnerabilities in critical infrastructure. In the last few years, we have seen that hackers have become more brazen regarding attacks against infrastructure, including electric grids, pipelines, hospitals, and water treatment facilities.

Based on preliminary investigations, it was established that the attackers did not go after the pipeline itself but rather the back-office operations of Colonial Pipeline. Nonetheless, the fear of greater damage forced the company to shut down the system, a move that drove home the huge vulnerabilities in the patched-together network that keeps gas stations, truck stops, and airports running. According to federal investigators, it was also discovered that Colonial Pipeline's security controls left much to be desired. Colonial Pipeline has not commented on how much it has invested in cybersecurity and has been reluctant to say whether it has paid, or intends to pay, the ransom.

Anne Neuberger, the deputy national security adviser for cyber and emerging technology, told reporters at a White House briefing, “Right now, they’ve [Colonial Pipeline] not asked for cyber support from the federal government.” Asked whether the federal government would advise paying the ransom, she declined to answer but said, “companies are often in a difficult position if their data is encrypted and they do not have backups and cannot recover the data.”

DarkSide Responds

Following the FBI’s announcement, those behind DarkSide operations released a “press statement” of sorts stating,

“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives.
Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

One can imagine that the statement will do little to stop law enforcement from pursuing those involved. The statement does at least confirm that the attack was financially motivated and should not escalate already tense diplomatic relations between the world powers. However, the hackers' actions have broken several laws and caused severe disruption to services, and it is unlikely that law enforcement will give the group any leniency. The gang behind the ransomware operates as a Ransomware-as-a-Service made up of two groups: the malware's developers and the affiliates who deploy the ransomware. It is estimated that the core operators earn approximately 20-30% of any ransom payment, with the rest going to the affiliate.

Some may find the vetting of targets an interesting notion, one that suggests the core operators may have a sense of decency, despite their actions being illegal to begin with. In an attempt to show goodwill, or to win the PR battle, the group donated 20,000 USD in Bitcoin to a charity, which the charity cannot accept because the funds are likely the proceeds of crime. The charity has acknowledged the donation and stated that it cannot accept it, so this can probably be chalked up as a failed PR stunt to show remorse.

The Federal Motor Carrier Safety Administration (FMCSA) was forced to declare a regional state of emergency to assist areas in need of an immediate supply of gasoline, diesel, jet fuel, and other refined petroleum products. The declaration covers 17 states and the District of Columbia: Alabama, Arkansas, Delaware, the District of Columbia, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, Tennessee, Texas, and Virginia. The declaration states,

“Direct assistance terminates when a driver or commercial motor vehicle is used in interstate commerce to transport cargo or provide services not in support of emergency relief efforts related to the shortages of gasoline, diesel, jet fuel, and other refined petroleum products due to the shutdown, partial shutdown, and/or manual operation of the Colonial pipeline system in the Affected States, or when the motor carrier dispatches a driver or commercial motor vehicle to another location to begin operations in commerce.”

It is feared that if the pipeline is not restored to full functionality by the end of the week, a larger crisis could emerge. In states that have already run low on fuel, the price jumped 10 cents per gallon overnight in some areas. Further, some consumers have resorted to panic buying ahead of the approaching Memorial Day weekend. To say DarkSide may have gone too far this time may be an understatement.

For some, namely ransomware operators, there is a false belief that ransomware is a victimless crime and that insurance companies will cover the losses. This was never the case, even before ransomware gangs began leaking data to further increase the pressure on victims to pay. The Colonial Pipeline incident is affecting the average person on the street and may get worse in the coming days. This will place pressure on the government to find those responsible. No matter how many times the group attempts to donate ill-gotten funds to charity, large portions of the American public will be unsympathetic at best to their potential plight.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.
