Photo by Tommy van Kessel on Unsplash

Don’t Give Yourself to the Darkside

The gang that hit Colonial Pipeline with ransomware

By Felipe Zárate | May 14, 2021

In this post we will not go deep into Colonial Pipeline itself, although we will mention some details about the company. Our focus is instead the self-styled criminal gang called DarkSide, which was behind the attack: how they operate, who they are, and, more importantly, how your company can avoid becoming a victim of such an attack.

What happened?

The FBI confirmed that on May 7th the Colonial Pipeline networks were attacked by the DarkSide ransomware gang. After that, the company shut down its entire network for several days. In fact, as of the date this post is published, the main pipeline is still shut. However, it became known that the company had already paid $5 million in cryptocurrency to decrypt the locked systems (which seems minor compared to the $15 million of coverage provided by its cyber-security insurance).

Who is involved?

The Colonial Pipeline network transports almost half of the East Coast’s fuel supply, which is why prices at the pumps rose after the prolonged shutdown. In total, the pipeline network is 5,500 miles long, making it the longest in the country (see Figure 1).

Figure 1

The pipeline’s primary source is in Texas, the state with by far the largest number of refineries. While Texas has more than 20 refineries, with a total capacity of less than a million barrels a day, the entire East Coast has only seven. A disruption in the flow from that state has therefore paralyzed operations in several sectors, including seven of the largest airports in the country and five military bases (see Figure 2).

Figure 2. Pipeline flows.

Let’s talk about DarkSide. They appear to have gone public in August 2020, when they were discovered by MalwareHunterTeam (see Figure 3). DarkSide is perhaps one of the most prominent exponents of the rising Ransomware-as-a-Corporation (RaaC) trend. They differ from other ransomware criminal groups in how they select their victims. An ordinary criminal uses spoofing, smishing, or phishing and waits for a victim to take the bait. DarkSide, by contrast, studies its potential victims carefully, determining each one’s economic activity, income, and expenses. After that, they analyze the difficulty of the attack and its probability of success, and identify the company’s most vulnerable point so they can start the attack from there. Unlike well-known criminal groups such as DoppelPaymer, Sodinokibi, Maze, and NetWalker, DarkSide is structured around a "business model." It is also noticeable that they have a code of ethics that prohibits them from attacking hospitals, schools, and government agencies. They are reported to seek the largest possible profit by attacking big companies. At the same time, they make donations with some of the money obtained through ransomware: for example, in October 2020 they gave 10 thousand dollars to Children International and another 10 thousand dollars to the Water Project Receipt. Both donations were rejected by the NGOs.

Figure 3. DarkSide leaks.

How did it happen?

DarkSide infiltrated the Colonial Pipeline network and locked the data on its computers and servers. To unlock that data, the company had to pay the money the criminals demanded. Specifically, they stole 100 gigabytes of data and threatened to publish it on the web. Although the details are not precise, their modus operandi starts with (but is not limited to) a phishing email that tricks an employee. They then use penetration-testing tools to move laterally through the network. It can also be assumed that the attack was aimed at the commercial side of the company and not the operational one. Apparently, their goal was not to bring down the pipeline but to extort the company for money (as has happened in previous cases). In this sense, their main attack is not so different from a typical ransomware attack.

DarkSide takes data from its victims’ servers, encrypts it, uploads it to its leak website (which can only be reached through anonymizing networks such as Tor, which give access to the deep web), and then demands money to decrypt it. The encryption is twofold: first they use a Salsa20 key, one of the fastest ciphers available, and then they protect it with an RSA-1024 key. Next, they pull data off the servers and stop specific processes. Finally, every encrypted file’s extension is changed to .DarkSide, and opening any of them launches an executable that leads to a .txt note with the following text:

Figure 4. "Welcome to Dark."
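As an added example that is not part of the original post (and not DarkSide's or Colonial Pipeline's own tooling), here is a small defender-side detector for the behaviour just described: a burst of files on one host renamed to the .DarkSide extension, together with a dropped .txt note. The audit-log format, the host names and the threshold are assumptions; the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-audit log (not from the post): timestamp, host, event, path(s).
SAMPLE_LOG = r"""
2021-05-07T06:10:01 host1 RENAME C:\Finance\q1.xlsx -> C:\Finance\q1.xlsx.DarkSide
2021-05-07T06:10:01 host1 RENAME C:\Finance\q2.xlsx -> C:\Finance\q2.xlsx.DarkSide
2021-05-07T06:10:02 host1 CREATE C:\Finance\README.txt
2021-05-07T06:10:02 host1 RENAME C:\Finance\budget.docx -> C:\Finance\budget.docx.DarkSide
2021-05-07T06:10:03 host1 RENAME C:\HR\staff.csv -> C:\HR\staff.csv.DarkSide
2021-05-07T09:30:00 host2 RENAME C:\Users\bob\draft.docx -> C:\Users\bob\final.docx
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (RENAME|CREATE) (.+?)(?: -> (.+))?$")

def parse_line(line):
    m = LINE_RE.match(line.strip())  # returns None for blank or unknown lines
    if not m:
        return None
    ts, host, event, src, dst = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, "src": src, "dst": dst}

def max_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best = left = 0
    for right in range(len(times)):
        while times[right] - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best

def detect_darkside_activity(log_text, ext=".darkside", threshold=4, window=timedelta(seconds=60)):
    """Flag hosts with a burst of renames to `ext` and note whether a .txt note was dropped."""
    renames, notes = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "RENAME" and ev["dst"] and ev["dst"].lower().endswith(ext):
            renames[ev["host"]].append(ev["ts"])
        elif ev["event"] == "CREATE" and ev["src"].lower().endswith(".txt"):
            notes[ev["host"]].append(ev["src"])
    alerts = {}
    for host, times in renames.items():
        burst = max_in_window(times, window)  # many renames in a short window: mass encryption
        if burst >= threshold:
            alerts[host] = {"renamed": len(times), "burst": burst, "ransom_note": host in notes}
    return alerts
```

The same check can be pointed at real file-audit or EDR rename events by adjusting `LINE_RE`; the extension and note-file name are the weak signal here, the rename rate is the stronger one.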

The gang lists all the types of data it has stolen and sends a "personal website" URL to the victim. The data is already uploaded and is set to be published automatically if the company does not pay before the deadline. If that were not enough, they also threaten to delete that information from the victim’s network. In fact, in a press release posted on a Tor website in August 2020, they announced exactly that.

Figure 5. "If you refuse to pay."

What have we learned?

President Biden himself has said he is now very interested in the cyberattack situation. In fact, on Wednesday, May 12th, the White House released an Executive Order declaring that the Federal Government is going to "improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors." The extensive document is clearly motivated by the DarkSide attack, but also by other recent incidents (surely the Microsoft Exchange Server hack, the SolarWinds security fiasco, and the Facebook data leak).

This means US law enforcement "are likely to be putting significant resources into uncovering" their identity. So, it should not be surprising that Congressman Jim Langevin (D-RI), chair of the House Armed Services Subcommittee on Cybersecurity, Innovative Technologies, and Information Systems has said: "Cybersecurity is the most urgent national security challenge facing our nation, and I applaud President Biden for taking action early in his term to address and eliminate glaring vulnerabilities."

Given all this, it seems that DarkSide regrets the social harm caused by its criminal activity. We can assume this not only because of their "ethical code" but also because they are now in the limelight. In this respect, what Nicole Perlroth, a New York Times cybercrime reporter, said last Monday becomes very interesting:

Figure 6. @nicoleperlroth.

We also learned that ransomware can jeopardize companies and the infrastructure of an entire country. This means, in turn, that companies and governments must reinforce their cybersecurity systems, because right now they are not paying enough attention to these risks: "the ONG (Oil & Natural Gas) industry is unaware of potentially useful technologies that have been developed for ensuring cyber-security of other infrastructure systems, such as the electric grid."

Robert Smallwood was one of the consultants who delivered an 89-page report in January 2018 after conducting a six-month audit. He said last Wednesday that the deficiencies and vulnerabilities in the cybersecurity system were so serious that "an eighth-grader could have hacked into that system." All of this resulted in a costly and embarrassing lesson: preventing cybersecurity risks is essential. Never take it lightly. Otherwise, there is no guarantee that you will not be attacked by the DarkSide.

For now, we’ll just recommend you what they say throughout the Galaxy: may the force be with you.

If you want to know more about how to protect yourself from cyberattacks, we invite you to review our page.

At Fluid Attacks we are specialized in cybersecurity through Pentesting and Ethical Hacking. For more information, don’t hesitate to contact us!