The hacker group responsible for the ransomware attack say they don’t want to be “creating problems for society.”
As we reported yesterday, Colonial Pipeline last Friday took many of its systems offline in the wake of a ransomware attack. Acting “out of an abundance of caution”, the company took its systems and its pipeline offline to contain the threat. The Colonial Pipeline system delivers approximately 45 percent of the East Coast’s fuel, including gasoline, diesel fuel, and jet fuel.
While some accusations of cyber-sabotage were raised early on, the facts of the situation point elsewhere. Colonial Pipeline decided to shut down its pipeline operations itself. It was not forced to shut them down, nor were the pipeline systems themselves under direct cyber attack.
The group that issued the ransom demands relies less on disrupting operations than on exfiltrating internal corporate information and holding it hostage. They do not threaten to shut down a business or cripple its operations. Rather, they threaten to publish “sensitive information” such as HR records, business plans and financial records if the victim company does not pay up.
Using ransomware as a business model
The group behind the attack is called DarkSide, believed to be based in Russia. Unlike many hacker groups, however, DarkSide appears to be very “business-like” in their demeanor and their actions. London-based security firm Digital Shadows said in September that DarkSide operates like a business.
For example, when they first launched their RaaC (Ransomware as a Corporation) operation back in August 2020, they published a press release setting out their business code of ethics. They claim that the DarkSide operation will never target critical or vulnerable bodies such as schools, hospitals, or even governments.
Moreover, they say they carefully choose their victims, and they do not demand more money than their corporate target can afford to pay. In other words, the ransom price is modeled around the victim organization’s net income.
Digital Shadows notes that it is unclear from where DarkSide sources their organizational finance information. That said, they believe that the group acts like many other ransomware operators. They may leverage relevant details from ZoomInfo.
DarkSide’s operators customize the ransomware executable for the specific company they are attacking, according to Digital Shadows. This indicates that they customize each attack for maximum effectiveness.
Colonial Pipeline’s response, however, seems to have come as a surprise to DarkSide. They have now issued a statement saying that in future they will “check each company that our partners want to encrypt” to avoid “social consequences”.