FAQ: DarkSide Ransomware Group and Colonial Pipeline

With the attack on Colonial Pipeline by a ransomware group causing panic buying and shortages of gasoline on the US East Coast, many are left with more questions than answers about what exactly is going on. We have put together a short FAQ on the most common technical questions being raised, in an effort to shine light on what we already know.

What is Ransomware?

Ransomware is a portmanteau of “ransom” (holding stolen property to extort money for its return or release) and “malware” (malicious software installed on a machine). The principle is simple: the malware encrypts the victim’s files so that they can no longer be used, and demands payment before they are decrypted.

Ransomware typically gains its foothold through a phishing email, stolen or guessed remote-access credentials, or an unpatched vulnerability, and then encrypts files to deny the owner access to them. The key needed to decrypt the files is held by a third party, the extortionist, who communicates (usually through a text file dropped on the desktop or some other obvious place) how to pay in exchange for the decryption key or a decryptor program.

Most modern ransomware uses a combination of public-key and symmetric encryption. Each file is encrypted with a fast symmetric cipher under a freshly generated key, and that key is in turn encrypted with a public key embedded in the malware. Because the matching private key exists only on the extortionist’s side, the key needed to decrypt is never present on the victim’s machine, not even briefly while the ransomware runs, and there is nothing on disk or in memory for a responder to recover. When a ransomware family gets this wrong, for example by generating the symmetric key from a predictable random number generator or leaving it recoverable, researchers can sometimes publish a free decryptor; a correctly built scheme leaves no such opening.
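
To make the key handling concrete, here is an added example, written for this page and not DarkSide’s or any real ransomware’s code, of the hybrid scheme in Go: RSA-OAEP wraps a per-file AES-256-GCM key. It works on a byte string in memory rather than on files, and the key sizes, function names and sample text are assumptions for illustration.

```go
package main

// Added example, not DarkSide's code: a minimal model of the hybrid scheme
// described above, on in-memory bytes only. Key sizes and sample text are assumed.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// LockedBlob is everything the victim is left with after encryption.
type LockedBlob struct {
	WrappedKey []byte // per-file AES key, encrypted to the attacker's RSA public key
	Nonce      []byte // AES-GCM nonce; safe to store in the clear
	Ciphertext []byte // file contents, encrypted and authenticated
}

// NewAttackerKey models the key pair the extortionist generates offline before
// a campaign. Only PublicKey is ever shipped inside the malware.
func NewAttackerKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

// Lock models the malware side: fresh symmetric key per file, file encrypted under it, key wrapped.
func Lock(attackerPub *rsa.PublicKey, plaintext []byte) (*LockedBlob, error) {
	fileKey := make([]byte, 32) // AES-256
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	// RSA-OAEP can only encrypt a short message, which is why the bulk data
	// goes through AES and only the 32-byte key goes through RSA.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, attackerPub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	// Scrub the symmetric key: from here on the victim holds no copy of it.
	// Families that skip this, or draw it from a weak RNG, end up with free decryptors.
	for i := range fileKey {
		fileKey[i] = 0
	}
	return &LockedBlob{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Unlock models the decryptor handed over after payment; useless without the private key.
func Unlock(attackerPriv *rsa.PrivateKey, blob *LockedBlob) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, attackerPriv, blob.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob.Nonce, blob.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	priv := NewAttackerKey() // stays with the attacker
	doc := []byte("constructed sample: Q2 shipping schedule")
	blob, err := Lock(&priv.PublicKey, doc) // victim side: only the public key is present
	if err != nil {
		panic(err)
	}
	// Any private key the victim can produce locally is unrelated to the attacker's.
	if _, err := Unlock(NewAttackerKey(), blob); err != nil {
		fmt.Println("victim-side attempt:", err)
	}
	pt, err := Unlock(priv, blob) // attacker side, after payment
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered:", string(pt))
}
```

Run it with `go run`: the victim-side attempt fails with an RSA decryption error, and only the key that never left the attacker recovers the text. The two places real families have slipped are visible in the code: the per-file key must come from a proper CSPRNG, and it must not survive anywhere on the victim’s machine. When either is violated, researchers can sometimes rebuild the key and release a free decryptor.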

Ransomware crews are almost always motivated by money. That distinguishes them from attackers with espionage, political or personal motives, who tend to favor other kinds of intrusion.

What is the Ransomware Industry?

Although ransomware has existed since the late 1980s, its use has grown rapidly in recent years. This is partly due to the effectiveness of cryptocurrencies in moving payments to anonymous, remote recipients: an extortionist can demand bitcoin in exchange for decryption keys rather than relying on the traditional, far more regulated financial system. This has driven the growth of a $1.4 billion ransomware industry in the US, based solely on locking users and companies out of their files. Average payments to extortionists are rising as well: a report by Coveware shows 31% growth in the average payment between Q2 and Q3 of 2020.

The WannaCry attack in 2017 was one of the largest ransomware incidents to date. Using a leaked NSA exploit dubbed “EternalBlue,” which targets a flaw in the SMBv1 file-sharing protocol that Microsoft had patched two months earlier (MS17-010), WannaCry spread on its own to more than 200,000 machines across the world, demanding payment from the operators of unpatched Windows systems. Displaying a message with a bitcoin address to send payment to, the attack cost hundreds of millions to billions of dollars. Analysis of the WannaCry code by a number of information security firms and the FBI pointed to the group behind the attack having connections to the North Korean state.

What is DarkSide?

The FBI confirmed on Monday that the DarkSide group is behind the ransomware attack on Colonial Pipeline. DarkSide is a relatively new operation, first advertised in August 2020 on Russian-language hacking forums. It runs as ransomware-as-a-service: the core group maintains the malware, the payment portal and the leak site, while affiliates carry out the actual intrusions and split the ransom with them. The group has positioned itself as a more “professional” brand, cultivating a reputation for reliability so that victims believe a paid ransom will actually produce a working decryptor; without that reputation there is little reason for anyone to pay.

In this vein, the group runs a polished website called DarkSide Leaks. Its main function is double extortion: data stolen before the encryption step is published there if the victim refuses to pay, so a good backup alone does not end the leverage. The site also courts journalists and serves as the group’s public face. DarkSide says it targets only well-funded corporations able to pay the ransom asked, and publishes a code of conduct claiming not to hit hospitals, schools, or non-profits. It has also tried to burnish its image with token charity donations: DarkSide, whose ransom demands reportedly range from $200,000 to $2,000,000, produced receipts showing a total of $20,000 donated to Children International and The Water Project. Both charities refused the money.

DarkSide claims that it is not affiliated with any government and that its motives are purely financial, a claim the cybersecurity firm Flashpoint has assessed as most likely true. However, DarkSide samples analyzed by the firm Cybereason check the system’s language settings as a very first step and halt the attack if the result is a language “associated with former Soviet Bloc nations.” This is a common pattern among criminal crews based in Russia and neighboring countries, who avoid creating victims at home, and it has fueled speculation in the US that Russia may be affording the group special protection, or at least turning a blind eye to its activities.

The model has been profitable for the cyber-extortion group. In mid-April, the group reportedly obtained $11 million from a high-profile victim, and Bloomberg reports that Colonial Pipeline paid nearly $5 million to the group.

What exactly happened last Friday?

Colonial Pipeline has operated continuously since the early 1960s and carries roughly 45% of the fuel consumed on the US East Coast: gasoline, diesel and jet fuel. On Friday, May 7th, the company shut down all 5,500 miles of its pipeline in response to a cyber-extortion attempt. By Colonial’s own account the ransomware hit its corporate IT systems, and it took the pipeline itself offline as a precaution to contain the intrusion, not because the industrial control systems that run the pipeline were known to be compromised. The pipeline restarted on May 12th. Though the incident is still under investigation, the FBI confirmed on Monday what was already widely suspected: DarkSide was behind the attack.

In an apparent response to—though not an admission of involvement in—the attack, DarkSide released a statement on their website stating that they would introduce “moderation” to “avoid social consequences in the future.”

Why did they target Colonial Pipeline?

If past patterns are any indication, DarkSide chose Colonial as a “big game” target for its deep pockets: the firm is valued at about $8 billion. Still, many suspect that DarkSide is now feeling a dawning sense of dread as the knock-on effects of the attack play out: panic buying, gas shortages, involvement by federal investigators, and an executive order signed by President Biden on May 12 that is intended to bolster America’s cyberdefenses. Having escalated to the level of an international incident, DarkSide may see the independence and latitude it is reported to enjoy dissipate under geopolitical pressure.

What can I do to defend myself against ransomware?

Frequently backing up your data to an external hard drive or a cloud storage provider will ensure you are able to retrieve it later, with two caveats. First, the backup must not be reachable from the machine being attacked: ransomware encrypts attached drives and mapped network shares just like local files, and many strains delete the operating system’s own shadow copies, so keep the drive unplugged between backups or use a cloud service that keeps older versions of each file. Second, a backup you have never restored from is an untested assumption; practice a restore before you need one. If you already have a backup, do not plug the external hard drive into your computer after it is infected: the ransomware will likely encrypt any new device it recognizes. Backups restore access to your files; they do nothing about copies of the data the attackers may have stolen first. To be sure an infection is completely gone you may need to reinstall your operating system from known-good media, replace your hard drive, or bring the machine to a specialist; cleaning up around a running infection is unreliable.
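
A backup you have not tested restoring is an assumption, not a recovery plan. The following is an added example, not from the original article, of the check a practitioner would run: record a SHA-256 manifest of the files when the backup is taken, then diff a restored copy against it to catch files that are missing, were altered (which is exactly what an encrypted file looks like), or appeared from nowhere. It is written in Go; the paths and sample files are constructed for the demonstration.

```go
package main

// Added example, not from the article: verify that a backup restores intact. Sample files are constructed.

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
	"sort"
)

// Manifest maps each file's slash-separated path relative to the backup root
// to its SHA-256 digest, recorded when the backup is taken.
type Manifest map[string]string

// BuildManifest walks root and hashes every regular file under it.
func BuildManifest(root string) (Manifest, error) {
	m := Manifest{}
	err := filepath.Walk(root, func(p string, info os.FileInfo, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if !info.Mode().IsRegular() {
			return nil
		}
		data, err := os.ReadFile(p) // whole-file read; stream with io.Copy for very large files
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, p)
		sum := sha256.Sum256(data)
		m[filepath.ToSlash(rel)] = hex.EncodeToString(sum[:])
		return nil
	})
	return m, err
}

// Report lists what a restored tree got wrong relative to the manifest.
type Report struct {
	Missing  []string // in the manifest, absent from the restore
	Modified []string // present, but the bytes differ (truncated, corrupted or encrypted)
	Extra    []string // in the restore, not in the manifest (e.g. ransom notes, .locked copies)
}

// VerifyRestore hashes the restored tree and diffs it against the manifest
// taken at backup time. Run it from a clean machine, never the infected one.
func VerifyRestore(expected Manifest, restoredRoot string) (Report, error) {
	actual, err := BuildManifest(restoredRoot)
	if err != nil {
		return Report{}, err
	}
	var r Report
	for p, want := range expected {
		if got, ok := actual[p]; !ok {
			r.Missing = append(r.Missing, p)
		} else if got != want {
			r.Modified = append(r.Modified, p)
		}
	}
	for p := range actual {
		if _, ok := expected[p]; !ok {
			r.Extra = append(r.Extra, p)
		}
	}
	for _, l := range [][]string{r.Missing, r.Modified, r.Extra} {
		sort.Strings(l) // deterministic output regardless of map iteration order
	}
	return r, nil
}

// WriteTree creates files (path -> contents) under root; used only to build the constructed samples.
func WriteTree(root string, files map[string]string) error {
	for p, body := range files {
		full := filepath.Join(root, filepath.FromSlash(p))
		if err := os.MkdirAll(filepath.Dir(full), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(full, []byte(body), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	src, _ := os.MkdirTemp("", "backup")
	restored, _ := os.MkdirTemp("", "restored")
	defer os.RemoveAll(src)
	defer os.RemoveAll(restored)
	// Constructed backup set, and a restore where one file came back encrypted and one is missing.
	_ = WriteTree(src, map[string]string{"docs/notes.txt": "meeting notes", "photos/cat.jpg": "constructed bytes"})
	_ = WriteTree(restored, map[string]string{"docs/notes.txt": "meeting notes.locked"})
	m, _ := BuildManifest(src)
	r, _ := VerifyRestore(m, restored)
	fmt.Printf("missing=%v modified=%v extra=%v\n", r.Missing, r.Modified, r.Extra)
}
```

Keep the manifest with the backup but also somewhere the backup drive cannot overwrite, and treat any non-empty report as a restore that did not work. A hash mismatch on a file whose size did not change is the signature of an encrypted-in-place file.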

You can also follow our guide to keeping your data safe. The Cybersecurity and Infrastructure Security Agency (CISA) has also published a detailed guide on protecting yourself from ransomware. It is far easier to keep ransomware out than to remove it once you are infected, so take the proactive steps now: install security updates promptly, turn on multi-factor authentication for any remote access or email account, and treat unexpected attachments and links with suspicion.