On May 7, 2021, Colonial Pipeline, an American oil pipeline system that originates in Houston, Texas, and carries gasoline and jet fuel mainly to the Southeastern United States, suffered a ransomware cyberattack that impacted computerized equipment managing the pipeline.
In response, Colonial Pipeline Company halted all of the pipeline’s operations to contain the attack. The pipeline shutdown caused fuel shortages at Charlotte Douglas International Airport due to which the atleast two American Airlines changed flight schedules were changed temporarily. Fuel shortages began to occur at filling stations amid panic buying as the pipeline shutdown entered its fourth day. The attackers also stole nearly 100 gigabytes of data and threatened to release it on the internet if the ransom was not paid.
Bloomberg on 13 May reported that within hours of being attacked by ransomware on 7 May, Colonial Pipeline had paid nearly USD 4.4 million in Bitcoin to DarkSide, contradicting earlier statements made by the company. The hackers then sent Colonial Pipeline a software application to restore their network, but it operated very slowly.
On the same day, Toshiba announced in a public statement that its European subsidiaries had also become victims of a ransomware attack by DarkSide. Toshiba’s spokesperson later informed media outlets that it was attacked on 4 May and the company had not paid any ransom.
On May 9, US President Joe Biden declared a state of emergency enabling the removal of limits regarding the transport of fuels by road, in an attempt to alleviate any potential shortages.
The Russian Connection
Joe Biden on May 10 said that, though there was no evidence that the Russian government was responsible for the attack, there was evidence that the DarkSide group is in Russia, and that thus, Russian authorities “have some responsibility to deal with this”.
Independent cybersecurity researchers have also stated the hacking group is Russian as their malware avoids encrypting files in a system where the language is set to Russian.
DarkSide released a statement on May 9 that did not directly mention the attack, but claimed that “our goal is to make money, and not creating problems for society”.
Rise of ransomware attacks
Joseph Blount, CEO of Colonial Pipeline Co., told The Wall Street Journal that he authorized the ransom payment of $4.4 million because executives were unsure how badly the cyberattack had breached its systems, and consequently, how long it would take to bring the pipeline back. It is such desperation that ransomware pushes companies to, and due to which there has been an unprecedented rise in ransomware attacks across the world.
Ransomware is a type of malware that encrypts data in a victim’s system and requires a private key (which the hacker has) to decrypt the data. In order to get the private key, victims are forced to pay a ransom. In 2016 alone, the number of ransomware created increased by 752 per cent compared to the previous year; 2016 also marked the advent of ransomware-as-a-service as Advanced Persistent Threats began selling ransomware via affiliate programmes.
This new business model incentivized and increased ransomware attacks, making them even more lucrative and successful. The ongoing pandemic has witnessed a 150 per cent increase in ransomware attacks since many businesses had to operate remotely. Cryptocurrency tracker Chain analysis reported that the ransoms paid to cybercriminals in 2020 alone amounted to USD 370 million.
Growing influence of APTs
Advanced Persistent Threats (APTs) are highly sophisticated groups of cybercriminals who engage in cyberterrorism, cyberespionage, cybercrimes and hacktivism. These groups are usually state-sponsored due to their scale of operations and precise targets. Each APT has its own agenda. DarkSide, for instance, was outspoken about its apolitical nature, the goal of gaining more money, and habit of giving a portion to charity. The rise in APT activity could also be directly tied to the pandemic.
The cybersecurity measures of numerous companies could not guarantee safe and secure remote working conditions for employees. The recent trend amongst APTs is their ability to form cartels or disperse into newer groups. DarkSide, for example, is considered to be an offshoot of another prominent, persistent threat actor called REvil. This is one reason why cybersecurity experts find it hard to believe that groups like DarkSide would just shut down their operations. In reality, when APTs feel pressure from law enforcement agencies, they usually stay dormant for a while or disband the group to form another.
Influence of cryptocurrency in ransomware attacks
Cryptocurrencies have been used as the go-to form of ransomware demands and payments since 2015. Cryptocurrencies such as Bitcoin were created to form a decentralized financial system that would not require any singular entity to control the transactions. The opaque transaction processes embedded within cryptocurrencies like Monero have made it a favourite of ransomware operators. Popular currencies such as Bitcoin, on the other hand, make it easier for hackers to legitimize and circulate the illegal ransom. This has been one of the main reasons why governments are critical of cryptocurrencies. Once the ransom is paid, it becomes very hard for law enforcement agencies to trace and retrieve it.
The reign of ransomware and APTs such as DarkSide will continue as long as victims such as Colonial Pipeline are ready to pay a ransom. Law enforcement agencies have strongly advised individuals and businesses not to pay ransom to cybercriminals. But, the fear of personal or confidential data being leaked or deleted pushes most of the victims to pay. Businesses should follow good cybersecurity practices such as proper maintenance of system logs and multiple data backups to minimize the impact of ransomware attacks.