Colonial Pipeline Ransomware Attack

Advisory Type Adversary Intelligence
Attack Type Ransomware Attack
Adversary Darkside Ransomware
Target Colonial Pipeline
Country US

Executive Summary

On 07 May 2021, the United States based largest refined product pipeline system company Colonial Pipeline reported a Ransomware attack incident. The incident led to the shut down of its operations. After investigating the incident, the Federal Investigation Bureau (FBI) attributed the attack to Darkside ransomware group. In the mentioned event, around 100GB of data was allegedly stolen and the threat actors have threatened to release the data upon failure to deliver on ransom payment.



Darkside (ref Advisory on Darkside Ransomware) is a RaaS program where the developers of the ransomware advertise their ransomware and hire operators to spread the ransomware and infect their targets.

As per their campaign advertisements, the Darkside gang refrains from targeting the following industries, which circumstantially points to Eastern European for-profit only activities:

  • Medicine (only hospitals, palliative care organizations, nursing homes, companies that develop and participate (largely at the supply chain level) in the distribution of the COVID-19 vaccine).
  • Funeral services (Morgues, crematoria, funeral homes).
  • Education (Universities, schools).
  • Public sector (municipalities, state bodies).
  • Non-profit organizations (charitable foundations, associations).
  • CIS (including Georgia, Ukraine) region

Darkside handles on cyber crime forums have posted the following two threads in November 2020 and May 2021 respectively:

Nov 2020 : The first post regarding the Darkside RaaS appeared on the forum in Nov 2020. The advertisement included the targeted Operating systems along with the encryption algorithms used for each one:

  • OS: Windows | Encryption Algorithm: Salsa20 + RSA 1024
  • OS: Linux | Encryption Algorithm: ChaCha20 + RSA 4096

Mar 2021 : The second post on 10 Mar 2021, advertised an upgraded version of the payload with attributes and characteristics supporting multiple operating systems.

Darkside Affiliate program advertisements

Darkside Leaks Website

On 10 May 2021 the Darkside leaks website carried a statement by the group stating indirectly that the motives behind their attacks are purely financial and not related to any political involvement. This was in the aftermath of Big Tech in the US appealing to the government to treat ransomware attacks as National security issues.

Darkside statement on their motivations

Modus Operandi

Ransomware operators tend to buy their access from IABs (Initial Access Brokers) for ease of exploitation ( ref whitepaper “Rise of Initial Access brokers” ). CloudSEK Threat Intelligence researchers have observed a rising trend in the number of accesses being sought, bought, and sold for specific regions and countries individually, or in bulk. These accesses are then used to engender large-scale ransomware attacks.

Threat actor looking to buy access/ bots (potential ransomware operator)

Observations on access being sold/bought for multiple regions over various cybercrime forums for Q1 2021 are as below.

Region Number of Access
North America 310
Europe 305
Asia Pacific 233
Global 171
Middle East 74
South/ LATAM 51

Region wise accesses being sold / bought for Q1 2021


Colonial Pipeline has not released any official statement either on the breach or requested extortion amount. According to open sources, the US government is working with Colonial Pipeline to mitigate the impact of the ransomware attack. CloudSEK Threat Intelligence will continue tracking this incident as well as updates on Darkside’s activities on cyber crime forums.