Russian DarkSide Ransomware Shuts Down Biggest Gas Pipeline in the U.S. (update)

The DarkSide ransomware group is usually classified as an Eastern European hacking group. This is done on the basis of the attackers stopping any attack if certain Eastern European languages are detected on the targeted device. Generally, these languages are Russian, Kazakh, Ukrainian, and Belarusian. However, the most recent version of their malware seems to block only devices using Russian. Here is part of a comprehensive analysis of the ransomware code that shows this.

Of course, you can never fully discount the possibility of a false flag. Coveware, the ransomware negotiation firm, recently attributed DarkSide to Iran, since they claimed to have found its servers there. This infuriated the hackers. Why? Because if this was an Iranian group, Coveware could not negotiate with them due to sanctions and the DarkSide group wouldn’t get any money. They posted this warning on their deep web site a few weeks ago.

“For recovery companies.


Some companies (for example, coveware) warned their customers about our fictional link with Iran.

It was a mistake and led to the rupture of our relationship. If you tell your customers the same thing and we will find out about it – we will add you to the black list that is displayed on the payment page.

Do not repeat the stupid and emotional mistakes of other companies.

We are a large group and you should not quarrel with us. We also remind of registration and communicating from your personal accounts. So you will get a much better result in the negotiations.

Data storage in Iran is not possible for the following reasons:

It makes no sense to violate the US sanctions legislation and do so that no one pays us 🙂

We store company data on the Tor network, why do we need to use some kind dangerous locations? Nobody has been able to delete data from our tor cdn servers.”

Buying server with a 10 terabyte disk in Iran is a problem 🙂

They then declared they will no longer do business with Coveware.

“Before publishing press release, we tried, to find a hosting provider who provides such servers for rent, but could not.

Once again, we declare that we do not cooperate with the coveware, if you have problems with payment – write to us and we will give many other recovery companies that can help you recover your data.”

It seemed somewhat strange to me that Colonial Pipeline so quickly shut down all of its operations due to a ransomware attack. But DarkSide ransomware is designed to work its way through network connections, encrypting everything as it goes along. Colonial Pipeline may have seen this propagation in real time and the easiest way to stop it was simply to shut everything down. It’s a bit drastic but it would probably work.

It appears that Colonial Pipeline has employed the cybersecurity firm FireEye to sort this out, but I’m not sure what they can do if the company has no air-gapped backups. Any backups stored on devices would be encrypted or destroyed. Possibly, they can get some of the basic infrastructure back up but I doubt it. Bloomberg reported that the attackers stole 100GB of data from the Atlanta office on Thursday before launching their ransomware attack. This seems to fit the pattern of double-tap attacks that has become so common in the ransomware community.

The DarkSide group will determine how much the ransom will be based on how much the company earns (they usually do this by looking at the accounting information they’ve stolen). They will then make some outlandish demand before negotiating a lower price. We’re probably talking about something in the tens of millions range here. If the company pays, they are promised the decryption key, but, and here’s the rub, the attackers will still have their data. Later, the attackers return and tell the company that, if they don’t pay additional money, they will release their files on their deep web website. This ransomware-extortion model is now in common use among ransomware groups.

It’s possible that, for ‘national security reasons’, the U.S. government may pay the ransom. Otherwise, gas prices will soar, long lines will form at gas stations, people will be angry, and the Democrats could lose the midterm elections, to put it bluntly. But doing so could put the company, and the government for that matter, on what the hackers call a ‘suckers’ list’, meaning that they will be more likely to be attacked again in the future, possibly by other ransomware groups.

I don’t see this problem as being remedied quickly. It must then be seen what Biden and the intelligence community will do in response. Based on what they’ve done in the past, in response to the SolarWinds hack, for example, I expect a lot of threats and bluster and not much more. In any event, this really puts the U.S. cyber attack response policy to the test and important decisions will need to be made.

But for now, fill up your gas tanks before lines get long and prices go dramatically higher.

Update: Here is what the group just published on their deep web site.

This makes me think they inadvertently got in over their heads. It’s possible they will look for an exit strategy. If they do, it will be under the guise of not wanting to harm people. They don’t have to worry about extradition from Russia as the U.S. has no extradition treaty with Russia. However, some of the group’s members may live in other countries where they could be subject to criminal prosecution. In addition, the U.S. could pressure the Russian government to take action, so it may be better to get out while they can. We’ll just have to see how far DarkSide is willing to go.

4 thoughts on “Russian DarkSide Ransomware Shuts Down Biggest Gas Pipeline in the U.S. (update)”

  1. I’m just wondering something: If you have a hardware firewall that blocks all incoming connections that aren’t responses to requests from hosts inside the network, does that effectively protect you from ransomware attacks? I assume the reason companies are vulnerable is because they have servers with open ports and the attackers can exploit known vulnerabilities in their server software to do privilege escalation and things like that.


    1. That’s certainly one angle they use because they do explore the system before designing the attack. Often, they use the information they find to compose a valid-looking spearphishing email. Actually, I’m looking into this now.
