Colonial Pipeline Hack and the Changing Landscape of Ransomware

By now, I’m sure you’ve all heard about the ransomware attack on Colonial Pipeline and the subsequent shutdown of a major oil pipeline in the US. You’ve probably also seen the memes of people stockpiling fuel in unapproved containers, such as the car with a half dozen clear plastic trash bags in the trunk.

First, I want to point out that nothing new or spectacular really happened. A company was targeted by ransomware, which those of us in the industry already know is a significant threat that we face every day. What this incident has done is put more of a public spotlight on the existing ransomware threat, and that attention is changing how ransomware-as-a-service (RaaS) operates.

Regarding this specific incident, I think it is also important to point out that, based on the information Colonial Pipeline has released so far, the infrastructure that controls the pipeline was not directly targeted and was never under the control of the attackers. According to various sources, it was Colonial’s billing system that was affected by the ransomware. The pipeline was shut down as a precaution to prevent the ransomware from spreading to the OT network that controls it. So, while there was never truly a gas shortage, delays in delivery did impact many on the US East Coast.

And while this is perhaps one of the most public ransomware attacks, and Colonial Pipeline paid a $4.4 million ransom, it is not by any means the largest payout or the most impactful attack in recent history. Some reports from 2020 suggest payouts as large as $10 million, and ransom demands as high as $30 million.

More recently, we’ve seen major vulnerabilities (such as the recent Exchange vulns, Accellion FTA, and PulseSecure) being used to target tens of thousands of organizations around the world within a short time. And then there’s the SolarWinds supply chain attack that we’re still seeing new information about, such as an update this week from the SolarWinds CEO that the attack dates back to at least January 2019. The US suggested in January that Russian state actors were behind the attack, and President Biden imposed new sanctions against Russia in April in response. Meanwhile, Russia’s foreign intelligence service this week made unsubstantiated claims that the US and UK were actually behind the hack.

In response to all of the above, Biden released an executive order on May 12 dictating new guidelines and regulations for government contractors as well as companies that provide IT and OT services. If you’re interested in learning more about how the executive order will impact MSPs, check out this webinar.

Also, five bipartisan cybersecurity bills were submitted in the House this week alone.

The five bipartisan bills introduced in the House on Monday include:

It’s not only the government responding to recent events. Two major cybercrime forums (XSS and Exploit) that RaaS groups have used to recruit affiliates have banned ransomware ads. The admins of the Exploit forum cite the attention drawn by the indiscriminate targeting of recent ransomware attacks as the reason for banning ransomware ads and removing all topics related to ransomware operations and all affiliate programs. The full statement is as follows:

Good day,

We are glad to see pentesters, malware specialists, coders, but we are not happy with lockers - they attract a lot of attention. This type of activity is not good to us in view of the fact that networks are locked indiscriminately; we do not consider it appropriate for RaaS partner programs to be present on our forum.

It was decided to remove all affiliate programs and prohibit them as a type of activity on our forum.

All topics related to lockers will be deleted.

The Colonial Pipeline attack has been attributed to the RaaS gang known as DarkSide. Since the attack, DarkSide released a statement stating that they will now vet targets and forbid their affiliates from targeting certain companies. The press release issued by DarkSide states:

“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives.

Our goal is to make money, and not creating problems for society.

From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.” - DarkSide gang.

However, soon after this press release, DarkSide reported that several servers in their control were shut down “at the request of law enforcement agencies,” and a significant portion of their cryptocurrency was transferred to an unknown wallet. Then, DarkSide sent the following message to their affiliates (provided by Intel471):

Starting from version one, we promised to speak about problems honestly and openly. A couple of hours ago, we lost access to the public part of our infrastructure, in particular to the:

  • payment server
  • CDN servers

At the moment, these servers cannot be accessed via SSH, and the hosting panels have been blocked.

The hosting support service doesn’t provide any information except “at the request of law enforcement authorities.” In addition, a couple of hours after the seizure, funds from the payment server (belonging to us and our clients) were withdrawn to an unknown account.

The following actions will be taken to solve the current issue: You will be given decryption tools for all the companies that haven’t paid yet.

After that, you will be free to communicate with them wherever you want in any way you want. Contact the support service. We will withdraw the deposit to resolve the issues with all the affected users.

The approximate date of compensation is May 23 (due to the fact that the deposit is to be put on hold for 10 days on XSS).

In view of the above and due to the pressure from the US, the affiliate program is closed. Stay safe and good luck.

The landing page, servers, and other resources will be taken down within 48 hours.

On the same day, another RaaS group, Babuk, made a similar announcement, claiming they were handing over their ransomware source code to another group and would focus only on data leaks. Since then, REvil and Avaddon have released coordinated statements amending the rules of their organizations, barring affiliates from targeting government, healthcare, educational, and charity organizations and requiring that any other targets be pre-approved.

Despite all these changes, ransomware is still going strong and still represents a significant threat to all types of businesses. On the same day of REvil’s and Avaddon’s announcement, Ireland’s health service, the HSE, was hit by the Conti ransomware gang which led to widespread disruption. After five days, however, the Conti group released a free decryptor for the HSE that can be used to recover files, but they warned that they will still be selling or publishing stolen private data if the $19,999,000 ransom isn’t paid.

Overall, it seems the Colonial Pipeline ransomware attack has changed the RaaS landscape. RaaS groups have become too noisy, drawing too much attention, and are trying to deal with the backlash. But the money is just too good, so ransomware isn’t going away anytime soon.

  • Bryson Medlock, the Dungeon Master