The Darkside ransomware group, which attacked Colonial Pipeline last week, has been on a global crime spree since August 2020.

That’s according to a new report by Mandiant. This week, FireEye confirmed its Mandiant incident response division is investigating the nature and scope of the Colonial Pipeline attack.

Colonial Pipeline is the largest refined products pipeline in the United States. The attack is pushing gas prices higher and disrupting supply in the eastern United States.

In its latest statement, Colonial Pipeline said it continues to make forward progress in its around-the-clock efforts to return its system to service.

“Markets experiencing supply constraints and/​or not serviced by other fuel delivery systems are being prioritized,” it said. “We are collaborating with the Department of Energy (DOE) to evaluate market conditions to support this prioritization.”

Darkside Ransomware Operations

Darkside‘s spree has impacted organizations in more than 15 countries and multiple industry verticals, Mandiant said. Like many of their peers, these actors do multifaceted extortion. They exfiltrate and encrypt data in place. Then they can then demand payment for unlocking and the non-release of stolen data.

Darkside ransomware operates as a ransomware as a service (RaaS). Owners, partners and/or affiliates provide access to organizations and deploy the ransomware. They then share the profits.

Jeremy Kennelly is senior manager of analysis at Mandiant Threat Intelligence.

Mandiant’s Jeremy Kennelly

“The Darkside ransomware operation serves as a front for a variety of criminals, ranging from attackers wielding zero-day exploits to workmanlike intruders using commonly available tools, and well-known tactics, techniques and procedures (TTPs),” he said. “The risk posed by each of these groups will vary dramatically across them. From a malware perspective, Darkside ransomware contains numerous functions used to enable successful file encryption, but currently poses no more risk than the ransomware used by other major operations.”

Most Victims U.S.-Based

Most of the victim organizations were based in the United States and span multiple sectors, Mandiant said. That includes financial services, legal, manufacturing, professional services, retail and technology.

The number of publicly named victims on Darkside’s blog has increased overall since August 2020, with the exception being a significant dip in January 2021. That’s because threat actors using Darkside may have taken a break during the holiday season.

The overall growth in the number of victims demonstrates the increasing use of the Darkside ransomware by multiple affiliates.

“Unless recent scrutiny causes the Darkside ransomware service to halt or pause operations, their affiliates will almost certainly continue to target a broad spectrum of organizations,” Kennelly said. “Even if the Darkside service ceased operations, their affiliates would likely …

… continue to operate, but merely work with a different RaaS operator.”

The Darkside service operators provides a strong incentive for their affiliates to target organizations that are more likely to yield larger ransom payments, he said. However, they refuse to accept business from affiliates impacting organizations in a small number of sectors such as health care, schools, government and nonprofit.

“Recent statements by the Darkside operators suggest that they may no longer collaborate with affiliates wanting to impact critical infrastructure,” Kennelly said.

One of Many Ransomware Brands

Think of Darkside as just one brand of ransomware, Kennelly said. The impacts of these multifaceted extortion operations is more a function of the industry, size and security of victim organizations.

“Organizations with flat network architectures, or in industries that provide critical services or manage industrial control systems, may be more likely to either see major operational impact or to take down their own networks or services as a precaution,” Kennelly said. “We have seen mundane impacts such as ransomware operators encrypting the systems operated by real estate firms and car dealerships, to more significant disruptions such as those seen [in] 911 call centers.”

Totally protecting an organization from ransomware operations is a challenging problem, he said.

“External support from MSSPs and other cybersecurity providers can certainly assist organizations that don’t have internal expertise to develop or execute a strategy to help detect, prevent or mitigate active intrusions,” Kennelly said. “This is certainly not a glamorous problem to solve, and in large part involves following through on implementing many well-known security best practices around monitoring, network segmentation, credential management and host configuration.”

No Reason to Stop

Jerry Ray is SecureAge‘s COO. He said these attacks remain too lucrative and easy for any bad actors to stop any time soon.

SecureAge’s Jerry Ray

“With so many SMBs willing to pay ransoms in order to remain in business, the potential victim pool also remains far too large to ignore,” he said. “But wide-scale, randomized attacks against email lists or public-facing servers are more normal for ransomware attacks. Larger companies like Colonial Pipeline tend to suffer them less than attacks for other specific purposes, such as data theft or system sabotage.”

Colonial Pipeline may have gotten caught up in the cast net of ransomware, Ray said. A staff member may have clicked on an errant email attachment or malicious weblink.

“Equally plausible, Colonial may have been the perfect target as part of a much more complex and far-reaching crime to affect oil or natural gas futures,” he said. “As with any cyberattack, though, the true motivations and scale of the attack operation may never be fully understood.”