Threat actors behind last week’s Colonial Pipeline ransomware attack that crippled a major U.S. oil pipeline said that financial gain–not political, economic or social disruption–is the goal of their nefarious activities, vowing to choose their targets more carefully in the future.
The statement, which published reports said was posted on the DarkSide ransomware gang’s website, is a rare about-face for a known cybercriminal group, which the FBI deemed responsible for the cyberattack that halted pipeline activities for Colonial Pipeline Co. Cybercriminals are typically a proud and boastful bunch that rarely, if ever, show any type of regret or remorse for their attacks.
However, as the DarkSide gang’s chief aim is to extort ransom payments from its victims, the attackers now appear to realize they may have been barking up the wrong tree in attacking a major oil pipeline that supplies the East Coast with roughly 45 percent of its liquid fuels.
“Our goal is to make money, and not creating problems for society,” according to the statement by the DarkSide gang. “From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
The gang asserted in the statement that they are “apolitical” and don’t want to be tied to any government activity or disruptions.
The statement reflects DarkSide’s code of ethics which, like similar Robin Hood wannabes, prohibits attacks against hospitals, hospices, schools, universities, non-profit organizations, and government agencies.
It also seems to suggest that the attack, which prompted the Biden administration to declare a state of emergency across 17 states and Washington D.C., was a mistake on the part of the group.
‘Very Big Oops’
No matter, its consequences will continue to have a colossal effect on the petroleum supply chain in the Eastern United States for some time. Friday’s attack shut down a pipeline that covers Alabama, Arkansas, D.C., Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, Tennessee, Texas and Virginia. The government is working to keep the supply of gasoline, diesel, jet fuel and other refined petroleum products flowing to those states and the capital.
Calling the attack “a very big ‘oops,’” one security expert said the attack shows how effective the DarkSide group has been in ramping up operations “mostly under the radar” for the last year.
“They were doing a really good job of decimating businesses, including infrastructure — and everyone has been really quiet,” tweeted Lesley Carhart, a principal industrial incident responder with Dragos Inc.
Still, the Colonial Pipeline attack might well have attracted the wrong kind of attention. Danny Jenkins, CEO of ThreatLocker, told Threatpost on Tuesday that the DarkSide gang is probably a wee bit flustered at the notion of how hard the feds are going to make life for them now. It’s just not standard operating procedure to work with this much heat, he said.
“Despite being cybercriminals, DarkSide operates like a fully functional business,” Jenkins noted in an email. “They have employees, costs, profits, and customer support. DarkSide are going after any business they can make money from, while it would be nice if they would stay away from ‘controversial’ targets. The reality is, most private companies, including banks, do not disclose ransomware. It only becomes public information when it is required to, either through regulation or their business being crippled. The other consideration is while DarkSide are rising in popularity, they are a small player in the ransomware industry, with many other companies willing to take big risks.”
So far there have been no reports as to how much ransom DarkSide demanded for the Colonial Pipeline attack, nor does it appear that Colonial Pipeline is in negotiations with the cybercriminal group, according to a published report. The group’s ransom demands tend to range between $200,000 and $2,000,000.
New, but Savvy
DarkSide made its first appearance less than a year ago, in August; however, the group is composed of seasoned cybercriminals and has wasted no time in making a name for itself, and, as Carhart pointed out, seems poised to continue its run of activity.
DarkSide operates on a RaaS (ransomware-as-a-service) model, offering its malware up for lease. CyberReason said last month that the DarkSide team had recently announced on Hack Forums that it had upgraded its offering, releasing DarkSide 2.0, which DarkSide claimed had the fastest encryption speed on the underground market. The service includes Windows and Linux versions.
On Monday, CyberReason told Threatpost in an email that its researchers have seen DarkSide launched against targets in English-speaking countries, and that it appears to avoid targets in countries associated with former Soviet-bloc nations.
In addition to its Robin-Hood-like mentality, DarkSide, like other cybercriminal groups, also has a bit of a superhero complex. In October, the group tried to donate around $20,000 in stolen Bitcoin to two international charitable organizations, The Water Project and Children International, in a gimmick that experts said was likely a publicity stunt. The charities refused to accept the funds.
05112021 12:28 UPDATE: Added input from Danny Jenkins.