Colonial Pipeline Just the Latest Victim in Darkside Ransomware Crime Spree
The Darkside ransomware group, which attacked Colonial Pipeline last week, has been on a global crime spree since August 2020.
That’s according to a new report by Mandiant. This week, FireEye confirmed its Mandiant incident response division is investigating the nature and scope of the Colonial Pipeline attack.
Colonial Pipeline is the largest refined products pipeline in the United States. The attack is pushing gas prices higher and disrupting supply in the eastern United States.
In its latest statement, Colonial Pipeline said it continues to make forward progress in its around-the-clock efforts to return its system to service.
“Markets experiencing supply constraints and/​or not serviced by other fuel delivery systems are being prioritized,” it said. “We are collaborating with the Department of Energy (DOE) to evaluate market conditions to support this prioritization.”
Darkside Ransomware Operations
Darkside’s spree has impacted organizations in more than 15 countries and multiple industry verticals, Mandiant said. Like many of their peers, these actors engage in multifaceted extortion: they exfiltrate data and encrypt it in place, then demand payment both for unlocking the systems and for not releasing the stolen data.
Darkside ransomware operates as ransomware as a service (RaaS). Owners, partners and/or affiliates provide access to organizations and deploy the ransomware, and they then share the profits.
Jeremy Kennelly is senior manager of analysis at Mandiant Threat Intelligence.
“The Darkside ransomware operation serves as a front for a variety of criminals, ranging from attackers wielding zero-day exploits to workmanlike intruders using commonly available tools, and well-known tactics, techniques and procedures (TTPs),” he said. “The risk posed by each of these groups will vary dramatically across them. From a malware perspective, Darkside ransomware contains numerous functions used to enable successful file encryption, but currently poses no more risk than the ransomware used by other major operations.”
Most Victims U.S.-Based
Most of the victim organizations were based in the United States and span multiple sectors, Mandiant said. That includes financial services, legal, manufacturing, professional services, retail and technology.
The number of publicly named victims on Darkside’s blog has increased overall since August 2020, with the exception of a significant dip in January 2021. That dip may reflect threat actors using Darkside taking a break during the holiday season.
The overall growth in the number of victims demonstrates the increasing use of the Darkside ransomware by multiple affiliates.
“Unless recent scrutiny causes the Darkside ransomware service to halt or pause operations, their affiliates will almost certainly continue to target a broad spectrum of organizations,” Kennelly said. “Even if the Darkside service ceased operations, their affiliates would likely …