Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Colonial Pipeline Paid Almost $5 Million in Ransomware: DarkSide Says it is Closing Shop

May 18, 2021

As you can imagine, I’ve been reading a LOT of Colonial Pipeline stories over the last few days. By sheer coincidence, John and I had filled up both of our cars before people started hoarding, the price of gas shot up and gas stations closed because they had no gas. It appears to me that most people now have no confidence in our businesses or our government to stop a ransomware attack, even when the country’s infrastructure is involved. And since Colonial Pipeline provides 45% of fuel to the Eastern Coast, that is truly frightening.

At least they had money. Colonial, reportedly insured for $15 million, paid out nearly $5 million in ransom, according to multiple news sources.

As Brian Krebs reported on May 15, the DarkSide ransomware affiliate program responsible for the six-day outage at Colonial Pipeline announced it was shutting down after its servers were seized and someone drained the cryptocurrency from an account the group uses to pay affiliates.

“Servers were seized (country not named), money of advertisers and founders was transferred to an unknown account,” reads a message from a cybercrime forum reposted to the Russian OSINT Telegram channel.

“A few hours ago, we lost access to the public part of our infrastructure,” the message continues, explaining the outage affected its victim shaming blog where stolen data is published from victims who refuse to pay a ransom. The outage also took down its payment server and those that supply its distributed denial-of-service feature, which is used to turn up the heat on victims who balk at paying.

“Also, a few hours after the withdrawal, funds from the payment server (ours and clients’) were withdrawn to an unknown address,” the DarkSide admin says.

DarkSide organizers said they were releasing decryption tools for all of the companies that have been ransomed but which haven’t yet paid.

Really nice guys, right?

The DarkSide message includes passages apparently written by a leader of the REvil ransomware-as-a-service platform. That is interesting, because security experts think that many of DarkSide’s core members are closely tied to the REvil gang.

The REvil representative said its program was introducing new restrictions on the kinds of organizations that its affiliates could hold for ransom, and that henceforth it would be forbidden to attack those in the “social sector” (defined as healthcare and educational institutions) and organizations in the “gov-sector” (state) of any country. Affiliates also will be required to get approval before infecting victims.

The new restrictions began as some Russian cybercrime forums began distancing themselves from ransomware operations altogether. On Thursday, the administrator of the popular Russian forum XSS announced the forum would no longer permit discussion threads about ransomware operations for profit.

“There’s too much publicity,” the XSS administrator explained. “Ransomware has gathered a critical mass of nonsense, bullshit, hype, and fuss around it. The word ‘ransomware’ has been put on a par with a number of unpleasant phenomena, such as geopolitical tensions, extortion, and government-backed hacks. This word has become dangerous and toxic.”

“However, a strong caveat should be applied to these developments: it’s likely that these ransomware operators are trying to retreat from the spotlight more than suddenly discovering the error of their ways,” Intel 471 wrote in a blog post. “A number of the operators will most likely operate in their own closed-knit groups, resurfacing under new names and updated ransomware variants. Additionally, the operators will have to find a new way to ‘wash’ the cryptocurrency they earn from ransoms. Intel 471 has observed that BitMix, a popular cryptocurrency mixing service used by Avaddon, DarkSide and REvil has allegedly ceased operations. Several apparent customers of the service reported they were unable to access BitMix in the last week.”

My personal take is that the cybercriminals are playing whack-a-mole. Their moves are not likely about their regret for their crimes, but more about trying to avoid being held accountable by law enforcement. They will probably re-emerge somewhere else. The landscape of ransomware operations changes almost daily, but not necessarily the primary players.

If you’re in cybersecurity and have a stellar resume, Colonial Pipeline is now looking for a new cybersecurity manager according to a BGR post. Some wry humor in that . . .

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Email:  Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson