SOCRadar® Cyber Intelligence Inc. | From Fuel Shortages to Gas Hikes: How the Colonial Pipeline Co. Fell Victim to a Ransomware Attack?

May 17, 2021

From Fuel Shortages to Gas Hikes: How the Colonial Pipeline Co. Fell Victim to a Ransomware Attack?

On May 7, 2021, Colonial Pipeline suffered a ransomware attack that affected the computerized equipment managing the pipeline. It was the largest cyberattack on an oil-infrastructure target in the history of the United States.

Who is Colonial Pipeline?

The Colonial Pipeline is the largest pipeline system for refined oil products in the U.S. The pipeline is 8,850 km long and can carry 3 million barrels of fuel per day between Texas and New York. About 45% of all fuel consumed on the East Coast arrives via the pipeline system.

(Image; source: https://www.bbc.com/news/technology-57063636)

What Happened?

  • On May 6, 2021 – The attackers are believed to have stolen about 100 gigabytes of data from Colonial Pipeline’s servers, the day before the ransomware was deployed[1].
  • On May 7, 2021 – Colonial Pipeline suffered a ransomware attack that affected the computerized equipment managing the pipeline, and the company shut the pipeline down[2].
  • On May 8, 2021 – Colonial Pipeline paid 75 Bitcoin, roughly $5 million at the time, to the attackers. The company later began restarting operations after a six-day shutdown[3].

(Image; source: https://www.bbc.com/news/technology-57063636)

  • On May 9, 2021 – President Joe Biden declared a state of emergency in response to what was the largest cyberattack on an oil-infrastructure target in U.S. history[4].
  • On May 10, 2021 – The FBI confirmed that DarkSide ransomware was responsible for the compromise of Colonial Pipeline’s networks[5].
  • On May 11, 2021 – Colonial Pipeline’s website went offline[6].
  • On May 12, 2021 – CISA and the FBI issued a joint cybersecurity advisory describing DarkSide ransomware and the associated risk-mitigation measures[7].
  • On May 13, 2021 – DarkSide’s operators told their affiliates that a public-facing portion of the group’s infrastructure had been disrupted by an unspecified law-enforcement agency[8].

(Image; source: https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime)

What is Ransomware?

Ransomware is malware that encrypts files and documents, on anything from a single PC to an entire network including its servers. Victims are usually left with two options: pay the ransom and hope that the attackers’ decryption key actually works, or restore their data from backups. Many current operations, DarkSide among them, also steal data before encrypting it and threaten to publish it, so intact backups restore availability but do not remove the attackers’ leverage; the 100 gigabytes taken from Colonial Pipeline the day before the encryption is a case in point.

Ransomware is one of the biggest security problems on the internet. Its global cost was forecast to reach a record $20 billion in 2021, and security researchers predicted that by 2021 a ransomware attack would occur every 11 seconds. The following statistics give a sense of how ransomware attacks are becoming more frequent and more damaging:

  • 51% of businesses were hit by ransomware in the last year[9].
  • 90% of IT professionals had clients that suffered ransomware attacks in the past year.
  • 50% of IT professionals do not believe their organization is ready to defend against a ransomware attack.
  • 85% of ransomware attacks target Windows systems.

Who is DarkSide?

DarkSide[10] is believed to be based in Eastern Europe, most likely Russia, but unlike some other groups it is not thought to be directly state-sponsored (i.e., operated by Russian intelligence services). The group runs a ransomware-as-a-service operation, renting its malware to affiliates who carry out the intrusions, which is why its May 13 announcement was addressed to affiliates. DarkSide avoids targeting former Soviet countries: its ransomware checks the system’s default language setting and will not encrypt computers where that language is Russian, Ukrainian, Georgian, or Belarusian. Experts describe the group as one of the many for-profit ransomware operations that have proliferated and thrived in Russia with at least the implicit sanction of the Russian authorities, who tolerate the activity so long as it targets foreign victims.