The Colonial Pipeline Ransomware Attack: Everything We Know

May 19, 2021

Throughout the week of May 10, 2021, headlines thrived on the havoc a ransomware attack against Colonial Pipelines wrought across the United States. As people rushed to gas stations, some filling plastic bags with gasoline, the federal government declared a state of emergency. As ransomware continues to plague public and private organizations, taking a deep dive into the Colonial Pipeline ransomware attack provides insight into how these attacks work. 

A Timeline of the Colonial Pipeline Attack

May 6, 2021: Malicious actors launch an attack, stealing data, locking computers, and requesting a ransom.

May 7, 2021: Colonial Pipeline pays the $4.4 million ransom.

May 8, 2021: Colonial Pipeline publicly announces attack, then shuts off servers and some pipelines. 

May 9, 2021: Colonial Pipeline makes a second public announcement, discussing its system restart plans. 

May 10, 2021: The FBI confirms DarkSide ransomware caused the attack, and Colonial Pipeline releases two more statements around its restoration process. 

May 11, 2021: Federal agencies release an advisory describing DarkSide ransomware and mitigation strategies while Colonial Pipelines releases a statement around fuel shipping. 

May 12, 2021: Colonial Pipeline restores operations and announces fuel delivery timelines, amidst people “panic buying” gasoline. In less than six days, the US fuel supply turned precarious. 

Aftermath of the Colonial Pipeline Attack

May 12, 2021: President Biden signs an Executive Order that requires all federal agencies to use basic cybersecurity practices, sets new security standards for software providers, and demands mandatory breach reporting.

May 16, 2021: The House of Representatives re-introduces The Pipeline Security Act, a bipartisan bill that clarifies security responsibilities for natural gas and oil pipelines.

May 27, 2021: Department of Homeland Security issues a directive that outlines new cybersecurity requirements for pipeline owners and operators.  

June 3, 2021: Department of Justice announces that it will address ransomware attacks with the same level of priority as terrorism.

A short look at this timeline gives insight into the longer-term impact that a single, well-targeted attack can have. While many people may have grown numb to news reports around corporate ransomware attacks, this particular case shows the social, economic, and political impact that a successful critical infrastructure attack can have.

What is DarkSide?

DarkSide is a type of Ransomware-as-a-Service (RaaS), not a group of attackers. According to the joint Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) release, the RaaS developers receive a share of proceeds whenever a cybercriminal group deploys it. 

“DarkSide actors” or the “DarkSide group” refers to the cybercriminals deploying the ransomware and targeting organizations through phishing attacks or exploiting remotely accessible accounts, systems, and Virtual Desktop Infrastructures.

Although the first instance of DarkSide ransomware appears to have been in November 2020, research indicates that threat actors deploying DarkSide have signatures that can be traced back to April 2019. Additionally, those early attacks indicate an inactive period existed between the initial compromise and the ransomware deployment period. 

Interestingly, the DarkSide actors engage in these exploits purely for commercial purposes. Unlike nation-state actors, they have no geopolitical agenda. Additionally, nation-state actors, aware of the threat of retaliation and the vulnerability of critical infrastructure, typically do not execute attacks against energy resources of other nations. Darkside, as a purely commercial enterprise, does not have that standard – though they do publicly state that they have a code of conduct prohibiting attacks on hospitals and schools. In fact, they have attempted to donate money to charities on several occasions.

How the DarkSide Ransomware Works

From a high level, DarkSide actors leverage an initial compromise stage where they gain access to a device, masquerading as a legitimate user so that they can install the malicious code on the compromised endpoint. Then, they escalate privileges to gain access to sensitive information. Finally, they encrypt business-critical processes, request a ransom, show “proof of life” over the exfiltrated data, and decrypt everything only after the target pays them. 

Initial Attack

The first step in any DarkSide attack is gaining access to the organization’s systems and networks. Research indicates that cybercriminals do this in three ways:

  • Brute force password attack
  • Phishing attacks with malicious links
  • CVE-2021-20016, a SQL-injection vulnerability against an organization’s Virtual Private Network (VPN) infrastructure

Recent emails used to deliver the DarkSide ransomware included:

  • Malicious Google Drive links containing an LNK downloader
  • Dropbox links with ZIP archives that downloaded the backdoor

Gaining Access

To date, researchers have found three unique sets of tactics, techniques, and procedures (TTPs). The attackers establish persistence in systems and networks by:

  • Using a command and control (CS) infrastructure
  • Downloading and using TeamViewer
  • Using a backdoor that supports keylogging, taking screenshots, and executing .NET commands

Threat actors using the backdoor delivered and executed the code when users clicked on the malicious links in phishing emails. 

Once inside the target’s systems, the attackers check the operating system language. The malware only installs on non-Russian devices. 

Installing the DarkSide Ransomware

Now that they have administrative, privileged access, the attackers use PowerShell.exe and CertUtil.exe to download and execute the DarkSide code. They also save a copy of the malware to the compromised device. 

Escalating Privileges

All three types of threat actors escalate privileges to install the ransomware. They do this using:

  • CVE-2020-1472: a vulnerability using Netlogon Remote Protocol (MS-NRPC) that allows them to run an application on a network device
  • Mimikatz: a credential harvesting application
  • Local Security Authority Subsystem Service (LSASS) process memory dumps: memory files containing domain, local usernames, and passwords

Encrypting Files and Exfiltrating Data

Having downloaded the malicious code and gained privileged access, the threat actors start collecting sensitive information and files. 

After collecting the information that they want to hold for ransom, the attackers begin encrypting data by using ransomware copy stored in the shared folder on the initial device. This allows them to create a scheduled task for spreading the malicious code throughout the target organization’s systems. 

Additionally, the DarkSide code stops, deletes, or terminates processes that the organization needs to use. 

Examples of services and processes impacted include:

  • Sql
  • Sophos
  • Veeam
  • Backup
  • Exel
  • MS Access
  • One Note
  • Outlook
  • PowerPoint
  • Steam
  • Word
  • Notepad

After encrypting data, the DarkSide ransomware then sends the ransomware note to the impacted directories. 

Votiro Stops Ransomware Before It Starts

Although CISA has yet to release the attack vector for the Colonial Pipeline DarkSide ransomware attack, threat actors dating back to April 2019 leveraged phishing attacks to distribute DarkSide in target systems. Malicious files and downloads remain a primary cybercriminal tactic for gaining access to systems and networks. 

Ransomware like DarkSide continues to evolve, meaning that predictive technologies can only “guess” at the malicious elements in files. This means that every email or downloadable asset is a risk to an organization’s security. 

Votiro’s Positive Selection® technology doesn’t guess, it knows. Instead of detecting and removing malicious code, which is often inaccurate and can render files unusable, our technology allows through only the safe, known-good elements of the file into an organization.

Positive Selection® works by:

  1. Defining safe, known-good elements of a file
  2. Removing these safe elements from the original file
  3. Placing the elements on a clean file template, without impacting file usability
  4. Delivering the file, in nanoseconds, to the user

This process eliminates the risk associated with files distributed by email while ensuring their usability. This means that recipients get clean templates that include the information they need in the way they need to use it.Interested in learning more? Book a demo with us to learn how our solutions could benefit your organization. Or, to speak with a member of our team directly, contact us today.