The DarkSide gang, supplier of the ransomware used in the ongoing Colonial Pipeline cyberattack, has appeared to distance itself from the operation, saying it will in future “check each company that our partners want to encrypt to avoid social consequences”.
The gang has also said that its “goal is to make money and not creating problems for society” after the attack shut down a major US fuel conduit, sparking a federal investigation and White House condemnation.
In a statement posted on Monday, cybercriminal group DarkSide said it was “apolitical”. The FBI officially confirmed that “the DarkSide ransomware” is responsible for the pipeline shutdown and said it would “continue to work with [Colonial Pipeline] and our government partners on the investigation”.
Colonial Pipeline took its IT systems offline on Friday to contain the file-encrypting ransomware, and that shutdown halted the flow of fuel along its lines up and down the US East Coast. The pipeline system is one of the largest in the US, carrying 45% of the East Coast’s diesel, petrol and jet fuel, up to 2.5 million barrels a day.
US President Joe Biden said on Monday that “so far there is no evidence, based on our intelligence people, that Russia is involved”.
He added that “there’s evidence that the actors’ ransomware is in Russia – they have some responsibility to deal with this”.
DarkSide is a ransomware-as-a-service group that rents out its software and infrastructure to other cybercriminals, taking a cut of their earnings. Its ransomware does not target systems whose language is set to Russian, and it avoids attacking former Soviet states.
According to cybersecurity researchers, DarkSide has been operating its affiliate ransomware programme since at least November 2020. The gang has become a well-oiled operation that provides slick customer service operations to help encourage victims to pay.
In its statement, DarkSide appeared to pin the blame for the Colonial Pipeline attack on one of its affiliates: “From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
The criminal operation has previously made efforts to improve its public image, claiming not to target certain sectors such as healthcare.
“It’s my opinion that they got a bit overwhelmed by the media coverage and all the attention it brings to Russian cyber-offensive,” said Andrey Yakovlev, security researcher at threat intelligence company IntSights in a blog post.
On Tuesday Colonial Pipeline’s website went offline, but it is unclear if this is part of the attack or part of the company’s rebuilding process. A server used by DarkSide was shut down by US law enforcement over the weekend, Reuters reported.
The cybercriminals also stole 100 gigabytes of data and threatened to leak it if payment was not made. It is not publicly known what ransom fee was demanded. White House officials said on Monday they have not given advice on whether to pay it because it is “a private-sector decision”.
Cybersecurity professionals typically advise against paying ransom demands: there is no guarantee the files will be decrypted, payment funds further criminal activity, and it can mark an organisation as a target for future ransomware attacks.
Experts have speculated that remote access software may have been the entry point used to install the ransomware.
“This incident is not the first and will definitely not be the last, as US critical infrastructure spans across an entire continent and relies on engineers in remote places to log in and perform maintenance when needed,” said Bogdan Botezatu, director of threat research and reporting at cybersecurity firm Bitdefender. “It is common for ransomware operators to probe networks for such points of entry or even to buy phished credentials to remote desktop instances that they can use to mount an attack.”
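The entry point Botezatu describes, remote desktop sessions opened with bought or phished credentials, leaves a trace in Windows Security logs: a successful logon (event 4624) with logon type 10 (RemoteInteractive, i.e. RDP), often preceded by a burst of failures (event 4625) from the same source. The following is an added detection example written for this article, not code from the page, from DarkSide or from any of the firms quoted. The log lines are constructed for the example; the event IDs, logon type and field names are real Windows Security attributes, but the trusted address ranges, thresholds and time window are assumptions to be tuned for a given environment.

```python
"""Flag suspicious RDP logons in Windows Security events (constructed sample)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample events in key=value form. Field names follow the Windows
# Security event attributes (EventID, LogonType, IpAddress, TargetUserName);
# the addresses, users and timestamps are invented for this example.
SAMPLE_LOG = """\
2021-05-07T02:11:03Z EventID=4625 LogonType=10 TargetUserName=svc_maint IpAddress=203.0.113.45
2021-05-07T02:11:09Z EventID=4625 LogonType=10 TargetUserName=svc_maint IpAddress=203.0.113.45
2021-05-07T02:11:15Z EventID=4625 LogonType=10 TargetUserName=svc_maint IpAddress=203.0.113.45
2021-05-07T02:11:22Z EventID=4625 LogonType=10 TargetUserName=svc_maint IpAddress=203.0.113.45
2021-05-07T02:11:30Z EventID=4624 LogonType=10 TargetUserName=svc_maint IpAddress=203.0.113.45
2021-05-07T08:30:00Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=10.20.1.15
2021-05-07T09:02:41Z EventID=4624 LogonType=10 TargetUserName=vendor1 IpAddress=198.51.100.7
2021-05-07T09:05:00Z EventID=4624 LogonType=3 TargetUserName=jsmith IpAddress=10.20.1.15
"""

# Networks from which interactive RDP sessions are expected. Assumption for
# this example: the corporate LAN and the VPN pool; adjust per environment.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]
RDP_LOGON_TYPE = "10"            # LogonType 10 = RemoteInteractive (RDP)
FAILURE_THRESHOLD = 3            # 4625s from one source before a 4624 (assumed)
FAILURE_WINDOW = timedelta(minutes=10)  # look-back for those failures (assumed)


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_suspicious_rdp(events):
    """Return (reason, user, source_ip, timestamp) tuples for RDP logons that
    either follow a burst of failures from the same source or originate
    outside the trusted networks. Non-RDP logon types are ignored."""
    alerts = []
    failures = defaultdict(list)  # source ip -> timestamps of 4625 events
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("LogonType") != RDP_LOGON_TYPE:
            continue
        ip, user, ts = ev["IpAddress"], ev["TargetUserName"], ev["ts"]
        if ev["EventID"] == "4625":
            failures[ip].append(ts)
            continue
        if ev["EventID"] != "4624":
            continue
        recent = [t for t in failures[ip] if ts - t <= FAILURE_WINDOW]
        if len(recent) >= FAILURE_THRESHOLD:
            alerts.append(("rdp_success_after_failures", user, ip, ts))
        if not is_trusted(ip):
            alerts.append(("rdp_from_untrusted_network", user, ip, ts))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_rdp(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample this raises three alerts: two for svc_maint (a success after four failures in a few seconds, from an address outside the trusted ranges) and one for vendor1 (untrusted source, no preceding failures). The second rule matters for the scenario in the quote: a credential bought from a phishing kit logs in correctly on the first try, so a failure-count rule alone never fires, and the origin of the session is the only signal left. Real 4624/4625 events arrive as EVTX/XML rather than key=value lines, so the parser is the part to swap out; the two rules carry over unchanged.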
Will fuel prices rise?
Colonial Pipeline said it hopes to restore full service to the 5,500-mile pipeline by the end of the week. Some of its smaller lines are already back online. The US government used emergency measures to relax rules on transporting fuel by road to help prevent interruptions to supply.
But experts warned delays of more than a few days to restore the pipeline could lead to rises in fuel prices. The pipeline also provides fuel to several US airports, leading to concerns over disruption to flights. US gasoline futures jumped more than 3% to $2.217 a gallon.
“Unless they sort it out by Tuesday, they’re in big trouble,” independent oil market analyst Gaurav Sharma told the BBC. “The first areas to be hit would be Atlanta and Tennessee, then the domino effect goes up to New York.”