The attackers stole nearly 100 gigabytes of data and threatened to publish it online.
It is the end of the year, and we are looking back at some of the major cyberattacks that took place in 2021. During December we dedicate one blog post a week to a specific attack and what made it so significant. This week we are focusing on a ransomware attack that most of us remember: the one that led the US government to issue an emergency declaration.
The Colonial Pipeline cyberattack
In May this year one of the biggest pipeline systems in the world halted all of its operations because of a ransomware attack. Today the Colonial Pipeline attack is listed among the cybercrimes with the greatest impact in 2021.
The Colonial Pipeline comprises more than 5,500 miles of pipe and is one of the largest and most vital fuel pipelines in the US. It runs from Texas all the way up to New Jersey and supplies almost half of the fuel consumed on the East Coast.
The attack infected some of the company's IT systems, which were shut down for several days. The billing system was compromised and, according to CNN sources in the company, the main reasons for pausing pipeline operations were the inability to bill customers and the concern that the attackers might have obtained information enabling further attacks on the pipeline itself. It is worth noting that the ransomware hit the corporate IT network, not the operational technology that physically controls the pipeline; the halt was a precaution, not a direct consequence of the malware.
Consumers and airlines along the entire East Coast were affected by the shutdown. The attack was treated as a national security matter, since the pipeline moves refined fuel from Gulf Coast refineries to markets across the East Coast. On that basis the Biden administration issued an emergency declaration, according to The Denver Post; in practice this was a regional emergency declaration by the Department of Transportation that relaxed driving-hour rules so that fuel could be moved by road instead.
Beyond the shutdown, The New York Times reports that the criminals stole nearly 100 gigabytes of data and threatened to publish it online if a ransom was not paid. To contain the damage, the company, in contact with the FBI, paid a ransom of nearly 5 million dollars (75 bitcoin). In return the attackers provided a decryption tool to restore the network, but the tool ran so slowly that Colonial's own backups were used to bring the systems back online. In June 2021 the US Department of Justice announced that it had recovered 63.7 of the 75 bitcoin after obtaining the private key for the wallet the funds had been moved to.
The pipeline was completely shut down for six days, and only on 15 May did the company report that all operations were back to normal.
The cybercriminals behind the attack
The attackers were identified as the group known as DarkSide, which first came to public attention in 2020. The group combines ransomware with data-theft extortion and is believed to operate out of Eastern Europe. According to Charles Carmakal, CTO at the cybersecurity firm Mandiant, as reported by CRN, the attackers entered the Colonial Pipeline network through an exposed password for a VPN account. The account was a legacy one that was no longer in active use but had never been disabled, and it was not protected by multi-factor authentication, so a single leaked password was enough to obtain a foothold. DarkSide is sometimes described as an enterprise because of its professional-looking website and its attempts to engage with journalists and decryption companies.
DarkSide has publicly stated that it prefers targets with the capacity to pay large ransoms and claims to avoid hospitals, schools, non-profit organizations and governments. The group is thought to cultivate a "Robin Hood" image, at times posting receipts for donations to charities. It runs a ransomware-as-a-service model in which affiliates carry out the intrusions and share the proceeds. Over the preceding year, 90 million dollars in Bitcoin ransom payments were made to DarkSide or its affiliates from 47 distinct wallets, according to the blockchain analytics firm Elliptic.
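The initial access described above combined three weaknesses in one account: it was still enabled although nobody used it, it had no second factor, and its password had leaked. The audit below, an added example that is not code from the article, from Colonial or from Mandiant, checks a VPN account inventory for exactly that combination. The account records, the "leaked password" corpus and the audit date are constructed for the demo; real deployments would pull the inventory from the VPN appliance or directory and check hashes against a breach-corpus service.

```python
"""Audit a VPN account inventory for the combination that let the attackers
into Colonial Pipeline: an enabled but dormant account, no multi-factor
authentication, and a password present in a leaked-credential corpus.

Added example, not code from the article or from any vendor. The account
records, the 'leaked' corpus and the audit date are constructed."""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta


def sha1_hex(password: str) -> str:
    """Leaked-credential corpora are usually distributed as SHA-1 hex digests."""
    return hashlib.sha1(password.encode()).hexdigest()


@dataclass
class VpnAccount:
    username: str
    enabled: bool          # can the account still authenticate?
    mfa_enabled: bool      # is a second factor enforced on the VPN?
    last_login: date       # last successful VPN logon
    password_sha1: str     # SHA-1 hex of the current password


# Constructed corpus of hashes "seen in public password dumps" (assumption).
LEAKED_SHA1 = {sha1_hex("Spring2020!"), sha1_hex("Password123")}

# Constructed inventory. 'legacy-vpn' reproduces the Colonial pattern.
ACCOUNTS = [
    VpnAccount("legacy-vpn", True, False, date(2020, 11, 2), sha1_hex("Spring2020!")),
    VpnAccount("jdoe", True, True, date(2021, 5, 6), sha1_hex("correct horse battery")),
    VpnAccount("old-contractor", False, False, date(2019, 3, 1), sha1_hex("Password123")),
]

AUDIT_DATE = date(2021, 5, 7)      # constructed: the day the pipeline was halted
DORMANT_AFTER = timedelta(days=90)
CRITICAL_SET = {"no-mfa", "dormant", "password-in-leak"}


def audit(accounts, leaked_sha1, today, dormant_after=DORMANT_AFTER):
    """Return {username: [findings]} for each enabled account with a finding.
    Disabled accounts are skipped: they cannot be used to log in, so they are a
    hygiene item rather than an exposure."""
    report = {}
    for acct in accounts:
        if not acct.enabled:
            continue
        findings = []
        if not acct.mfa_enabled:
            findings.append("no-mfa")
        if today - acct.last_login > dormant_after:
            findings.append("dormant")
        if acct.password_sha1.lower() in leaked_sha1:
            findings.append("password-in-leak")
        if findings:
            report[acct.username] = findings
    return report


def critical(report):
    """Accounts carrying all three findings: one leaked password logs the attacker in."""
    return sorted(u for u, f in report.items() if CRITICAL_SET <= set(f))


def run_audit():
    return audit(ACCOUNTS, LEAKED_SHA1, AUDIT_DATE)


if __name__ == "__main__":
    rep = run_audit()
    for user, findings in rep.items():
        print(f"{user}: {', '.join(findings)}")
    print("critical:", critical(rep))
```

Any single finding is worth fixing, but the "critical" set is the one to act on first: an enabled account without MFA whose password is already public is an open door, regardless of how strong the rest of the perimeter is. Disabling unused accounts and enforcing MFA on every remote-access path removes two of the three conditions without needing to know which passwords have leaked.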
Facts about ransomware
Ransomware is a type of malicious software that blocks access to a victim's data, or threatens to publish it, unless a ransom is paid. There are simple and advanced variants. Simple variants lock the system in a way that is easily reversible, while advanced ones use a technique called crypto-viral extortion: the victim's files are encrypted so that they cannot be read unless a ransom is paid for the decryption key. In a well-implemented attack the files cannot be recovered without that key, because each file is typically encrypted with its own symmetric key and that key is in turn encrypted to a public key whose private half only the attacker holds; nothing left on the victim's machine can reverse the process, which is why offline backups are the only reliable recovery path. Ransoms are demanded in digital currencies such as Bitcoin; their public ledgers let analysts follow the funds, as the Elliptic figures above and the FBI's partial recovery show, but turning that trail into an identity or a seizure remains difficult.
The share of organizations worldwide that experienced a ransomware attack has risen every year since 2018, peaking at 68.5 percent in 2021, according to Statista.
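To make the key-management point concrete, the following added example (not code from the article, and not any real ransomware family's code) models the hybrid scheme behind crypto-viral extortion on an in-memory byte string. It uses toy primitives that ship with the Python standard library: textbook RSA over two Mersenne primes, whose primality is known, and an HMAC-SHA256 keystream, standing in for the RSA-OAEP/ECIES and AES/ChaCha20 that real tooling uses. The demo shows that the "decryptor" is nothing more than the private key, and that a victim holding only the public key and the ciphertext gets garbage back.

```python
"""Model of the key management behind crypto-viral extortion: each file is
encrypted under its own random key, and that key is itself encrypted to a
public key whose private half never touches the victim's machine.

Added example, not code from the article. Toy primitives only (textbook RSA
over Mersenne primes, HMAC-SHA256 keystream); not for production use."""
import hashlib
import hmac
import os

# "Attacker" keypair, generated once; the private half stays off the victim machine.
P = 2**107 - 1                       # Mersenne primes, so no primality test is needed
Q = 2**127 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # modular inverse, Python 3.8+
PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric encrypt/decrypt (same operation): XOR data with an
    HMAC-SHA256 counter-mode keystream. Toy stand-in for a real stream cipher."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap_key(file_key: bytes, public_key) -> int:
    """Encrypt the per-file key to the attacker's public key (textbook RSA, no padding)."""
    n, e = public_key
    return pow(int.from_bytes(file_key, "big"), e, n)


def unwrap_key(wrapped: int, private_key, key_len: int = 16) -> bytes:
    n, d = private_key
    return pow(wrapped, d, n).to_bytes(key_len, "big")


def encrypt_file(plaintext: bytes, public_key) -> dict:
    """What lands on the victim's disk: ciphertext, nonce and the wrapped key.
    The file key is a local variable that is dropped on return, so nothing
    recoverable remains on the victim side."""
    file_key = os.urandom(16)
    nonce = os.urandom(16)
    return {
        "nonce": nonce,
        "ciphertext": keystream_xor(file_key, nonce, plaintext),
        "wrapped_key": wrap_key(file_key, public_key),
    }


def decrypt_file(blob: dict, private_key) -> bytes:
    """The 'decryptor' the attackers sell: only the private key can unwrap the file key."""
    file_key = unwrap_key(blob["wrapped_key"], private_key)
    return keystream_xor(file_key, blob["nonce"], blob["ciphertext"])


def recovery_without_private_key(blob: dict, public_key) -> bytes:
    """What a victim holding only the public key can try: apply the public
    exponent again. That does not invert RSA, so the derived key is wrong
    and the output is garbage, which is the whole point of the scheme."""
    n, e = public_key
    wrong_key = pow(blob["wrapped_key"], e, n).to_bytes(32, "big")[-16:]
    return keystream_xor(wrong_key, blob["nonce"], blob["ciphertext"])


def demo(plaintext: bytes = b"Q2 invoices: customer billing ledger"):
    """Return (recoverable with private key, recoverable with public key only)."""
    blob = encrypt_file(plaintext, PUBLIC_KEY)
    with_key = decrypt_file(blob, PRIVATE_KEY) == plaintext
    without_key = recovery_without_private_key(blob, PUBLIC_KEY) == plaintext
    return with_key, without_key


if __name__ == "__main__":
    ok, leak = demo()
    print("decrypts with private key:", ok)
    print("recoverable from public key alone:", leak)
```

The defensive lesson is in what `encrypt_file` leaves behind: ciphertext, a nonce and a wrapped key, none of which help without the private half of the keypair. Backups kept offline or immutable, and key escrow for any encryption the organisation runs itself, are the controls that make the private key unnecessary; Colonial's recovery from its own backups is the case in point.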