For the first half of 2021, ransomware groups looked unstoppable. Ransomware gangs were adding victim after victim on their dark web data leak sites, displaying an unprecedented level of technical sophistication and corporate-like organization. On top of that, new ransomware variants were popping up with increasing regularity to capitalize on the immensely lucrative nature of this criminal business.
Things suddenly started to change one year ago, on 07 May 2021, when affiliates of the DarkSide ransomware group compromised US energy operator Colonial Pipeline, disrupting its operations and the wider fuel supply chain in the country. This attack left a lasting mark on the broader threat landscape, prompting a series of energetic changes across different fields, such as cybercriminal platforms, law enforcement activity, and intergovernmental cooperation. Many cybercriminal forums were unhappy with the DarkSide operation—which they saw as bringing unnecessary attention to cybercriminal activity as a whole—while for law enforcement the attack greatly raised the perceived risk associated with ransomware activity.
This blog will review what happened in the aftermath of this cyberattack and how things have changed across various critical sectors in the past year. In particular, we’ll review the following points:
- How DarkSide conducted this attack;
- What happened to this group after the Colonial Pipeline compromise;
- How cybercriminals adapted to the new environment;
- What changed in the ransomware environment after this attack.
What Happened One Year Ago?
On 07 May 2021, Colonial Pipeline learned that it had fallen victim to a ransomware attack, as confirmed by an official press release. The attack happened on a Friday, a typical day for malicious activity, as cybercriminals aim to exploit the weekend when security teams are not at full capacity. As a result of the ransomware campaign, Colonial was forced to temporarily halt all its activities and began working with security and forensic professionals to restore its IT infrastructure. Various sources highlighted that the attack primarily hit the company’s billing infrastructure; Colonial Pipeline halted its operations both because it could not bill its customers and as a precautionary measure, given that DarkSide could have obtained the information needed to move laterally and carry out further attacks on the pipeline itself.
The attack was soon attributed by the US Federal Bureau of Investigation (FBI) to the DarkSide ransomware group. On 10 May 2021, DarkSide published a press release on its data leak website claiming that it was not affiliated with any government entity and was solely financially motivated. This statement came after increased allegations that the group operated from Russia, an assessment based on DarkSide’s victim pool and on linguistic peculiarities suggesting that its operators were native Russian speakers.
This attack provided further evidence of the widespread disruptive impact that cyberattacks can have on critical national infrastructure (CNI). Although this was likely beyond its perpetrators’ intentions, the attack against Colonial Pipeline dealt a massive blow to energy and fuel distribution across the US East Coast for a few days. The potential fuel shortage pushed numerous American citizens to panic-buy fuel and store it in plastic bags, triggering the now classic tweet from the US Consumer Product Safety Commission.
Despite experts consistently advising against paying the requested ransom, Colonial Pipeline eventually paid the 75 Bitcoin ransom (roughly $4.5 million at the time) to DarkSide the day after the compromise was made public. Ironically, the decryptor tool provided by DarkSide proved so slow that the company’s own business continuity planning tools were more effective in restoring operational capacity; there’s probably a lesson in there about the ethics and feasibility of paying cybercriminals.
What Happened to DarkSide Ever Since?
A week after the disclosure of the attack on Colonial Pipeline, on 14 May 2021, DarkSide published a press release on its dark web website announcing that it had lost control of the public-facing side of its online infrastructure, such as its blog and payment server, and that the rest of its public resources would intentionally go offline within 48 hours. In the same press release, DarkSide also announced the closure of its affiliate program, i.e. the corporate-like structure that advanced ransomware groups use to carry out their attacks and recruit new members.
On top of this, on 07 Jun 2021, the US Department of Justice (DoJ) issued a press release stating that it had seized USD 2.3 million in cryptocurrency that was allegedly paid to the DarkSide ransomware group following its attack on Colonial Pipeline. The seizure—which amounted to 63.7 Bitcoin (BTC)—was achieved by the FBI reviewing the public Bitcoin ledger and identifying the specific address to which the BTC had been moved and where it was stored. Additionally, the DoJ stated that the FBI had access to the “private key” for that address, which allowed it to seize the funds; the DoJ did not explain how the key was obtained.
Problems with law enforcement were not the only concern for DarkSide at this time. The group was also suffering from a terrible reputation in the cybercriminal environment for two main reasons. First, DarkSide tried to blame the attack on Colonial Pipeline on one of its affiliates, in an attempt to absolve itself of responsibility for the consequences (a sort of #BlameTheIntern move, here). Second, the attack pushed many cybercriminals and ransomware operators into law enforcement’s spotlight, causing major issues for a wide variety of threat actors. These two reputational concerns likely pushed DarkSide to disappear from the scene for a while, and potentially to come back under a different name.
In fact, on 21 Jul 2021, a new ransomware gang named BlackMatter launched its own affiliate program and claimed links to other ransomware groups, such as REvil, DarkSide, and LockBit. BlackMatter had significant overlaps with the DarkSide operation, including similarities in its malware code, public code of conduct, and affiliate structure. Ransomware rebrands aren’t novel. As the timeline below shows, ransomware groups have been changing names since 2018. What’s interesting now is that a lot of groups have rebranded at the same time.
Ultimately, on 03 Nov 2021, the operators of the “BlackMatter” ransomware confirmed via their ransomware-as-a-service (RaaS) website that they would be shutting down their operation, citing “unsolvable circumstances associated with pressure from local authorities” as the reason. BlackMatter’s post did, however, indicate that its RaaS site would allow affiliates to receive decryptors for existing victims so that they could continue extorting those victims on their own. BlackMatter reportedly being forced to retire its program drew a mixed response from the cybercriminal community – many were unsympathetic, claiming that “some do not learn or want to learn”.
How Did the Cybercriminal Community React?
The cybercriminal world is a tightly intertwined one, where important developments on one side of the house can have significant repercussions on the other side. That’s why when DarkSide attracted so much attention to the ransomware environment following the Colonial Pipeline attack, many cybercriminals attempted to reduce their own profile in order to avoid potential repercussions.
For example, on 13 May 2021, the administrator of the high-profile Russian-language cybercriminal forum XSS announced a permanent ban on all things ransomware, including ransomware sales, ransomware rental, and ransomware affiliate programs. On top of the ban on future ransomware trade, XSS also deleted all existing content meeting those criteria from the forum.
According to the XSS administrator’s statement, ransomware had become “dangerous and toxic” and represented a problem for the cybercriminal community at large. Not only did hosting ransomware content increase the likelihood of law enforcement action against the forum, but the business was apparently not central to XSS’s survival.
Within several hours of the XSS decision, the administrator of the high-profile Russian-language cybercriminal forum Exploit announced that they were also banning ransomware partner programs and deleting “all topics related to ransomware.” The administrator said they were not happy with the unwanted attention that affiliate programs were bringing to the forum. DarkSide’s representative on Exploit even expressed that the administrator’s decision was the right one.
What’s Been the Impact on the Ransomware Threat Landscape?
One of the unintended consequences of the DarkSide ransomware attack on Colonial Pipeline is that it put the spotlight on the complex relationship between ransomware affiliates and the developers they work with. Evidence gathered around the attack suggests that a rogue affiliate conducted the intrusion at Colonial Pipeline, setting off a chain of unforeseen consequences that left a lasting mark on the broader ransomware landscape.
The vetting of affiliates within DarkSide’s program was insufficient, and the attack also demonstrated that ransomware operations can often have unforeseen or unintended consequences. This was shown again by the Conti attack in November 2021 against the jeweler Graff. Conti was forced to issue a groveling apology after leaking data associated with several high-profile individuals within royal families in the Middle East. With ransomware groups exfiltrating huge amounts of data and routinely turning over multiple targets, it’s likely that they often have insufficient time to analyze exactly what data they have stolen before it goes live on their data leak site (DLS).
Many ransomware operators have since publicly reviewed their affiliate programs in order to exert tighter control over them and avoid further dangerous consequences. For example, REvil/Sodinokibi updated its thread on Exploit with new rules for its affiliate program, including a ban on targeting governments or the social sector and a requirement to obtain approval for targets prior to attacks. Affiliates who violated these rules would be “kicked” off the program and their victims’ decryption keys given out for free. As of this writing, most of these restrictions appear to still be in place.
Despite these announcements following the attack, the cybercriminal platforms’ ban on all things ransomware hasn’t exactly been enforced thoroughly. For example, ransomware gangs have since been observed publishing recruitment posts for “pentesters & access brokers”, thus bypassing the current rules on most cybercriminal platforms. The same applies to initial access brokers, who have been observed looking for “long-term partners” on these platforms. From what we have observed, posts are banned only when they explicitly refer to ransomware, which leaves untouched all the posts that simply avoid that specific word.
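The enforcement gap described above is a familiar detection failure: a rule that fires only on one literal keyword is trivially evaded by paraphrase. The following is an added example written for this article, not code from Digital Shadows or from any forum; the sample posts are constructed, and the indicator phrases and weights are assumptions chosen to illustrate the point rather than a validated ruleset. It contrasts a keyword-only rule (as the forums appear to apply it) with a rule that scores a post on several recruitment indicators, so that a “pentesters & access brokers” post is still caught while an ordinary data-sale post is not.

```python
import re

# Constructed sample posts (not real forum content). The second mimics the
# post-ban recruitment phrasing the article describes; the fourth is an
# unrelated credential sale that neither rule should flag.
SAMPLE_POSTS = [
    "Affiliate program: new ransomware partnership, 80/20 split, apply via PM",
    "Looking for experienced pentesters & access brokers. Corporate networks, USA/EU, revenue 100M+.",
    "Selling RDP/VPN access, seeking long-term partners for regular work",
    "WTS 5k fresh email:pass combos, escrow accepted",
]

# Rule 1: the naive moderation rule, which flags only the literal word.
NAIVE_PATTERN = re.compile(r"\bransom(ware)?\b", re.IGNORECASE)


def naive_ban_rule(post: str) -> bool:
    """Flag a post only if it explicitly says 'ransom' or 'ransomware'."""
    return bool(NAIVE_PATTERN.search(post))


# Rule 2: score several indicators of RaaS recruitment. Phrases and weights
# are assumptions for illustration; a real ruleset would be tuned on data.
INDICATORS = {
    r"\bransom(ware)?\b": 3,
    r"\baffiliate program\b": 3,
    r"\bpentesters?\b": 2,
    r"\baccess brokers?\b": 2,
    r"\b\d{2}/\d{2}\s*split\b": 2,      # revenue-share terms, e.g. "80/20 split"
    r"\blong[- ]term partners?\b": 1,
    r"\brevenue\s*\d+\s*m\b": 1,        # victim-size requirement, e.g. "revenue 100M+"
    r"\b(rdp|vpn)\s*access\b": 1,
    r"\bcorporate networks?\b": 1,
}
COMPILED = [(re.compile(p, re.IGNORECASE), w) for p, w in INDICATORS.items()]


def indicator_score(post: str) -> int:
    """Sum the weights of every indicator phrase present in the post."""
    return sum(w for rx, w in COMPILED if rx.search(post))


def phrase_rule(post: str, threshold: int = 3) -> bool:
    """Flag a post when its indicator score reaches the threshold.

    The threshold is deliberately above a lone access-sale indicator: the
    forum bans described in the article cover ransomware trade and affiliate
    programs, not initial access sales as such.
    """
    return indicator_score(post) >= threshold


def compare_rules(posts):
    """Return (post, naive_flag, phrase_flag) for each post."""
    return [(p, naive_ban_rule(p), phrase_rule(p)) for p in posts]


if __name__ == "__main__":
    for post, naive, phrase in compare_rules(SAMPLE_POSTS):
        print(f"naive={naive!s:5} phrase={phrase!s:5} score={indicator_score(post)}  {post}")
```

Run as-is, the keyword rule flags only the first post, while the scored rule also flags the “pentesters & access brokers” recruitment and still passes the credential sale. The same lesson applies when building keyword monitors for your own organization’s name or data on these forums: match on the phrases actors actually use, not on the one word they have learned to avoid.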
With respect to DarkSide’s takedown itself, the ransomware threat landscape hasn’t changed enormously. The cybercriminal underground is used to criminal groups emerging and disappearing soon after; affiliates previously working with DarkSide have likely moved on to other active ransomware operations.
Despite all the chaos following the attack on Colonial Pipeline, ransomware remains the most pressing cyber threat for organizations across industry verticals and geographies. The relative ease with which ransomware can be deployed against targeted organizations, along with the potentially high payouts from a successful attack, make this threat a persistent and pernicious risk.
As always, Digital Shadows will continue to monitor the ransomware threat landscape and provide updates as the scene develops. In the meantime, you can read about how to track ransomware within SearchLight. If that piques your interest, you can access most of our intelligence on ransomware actors and variants in Test Drive, which is free to try for seven days.