The cyber attack which crippled Colonial Pipeline, the largest pipeline system for refined oil products in the US, resulted in fuel shortages across the eastern seaboard and states of emergency in four states.
The attack afforded Americans an unwanted glimpse into the Wild West world of ransomware.
Experts warn that ransomware attacks – which are part-ransom, part-blackmail, part-invocation of squatters’ rights – are becoming more frequent, while the mostly Russia-based hackers are growing more sophisticated with their methods.
They have hit solar power firms, federal and local government agencies, water treatment plants and even police departments across the US.
As the nation’s eyes were focused on the pipeline attack this week, another hacker group was busy targeting Washington DC police – striking at law enforcement in the American capital.
But it was the pipeline attack that had the most impact, emerging from the dark web and sending tens of thousands of Americans to panic-buy gas for their cars.
The 5,500 mile-long pipeline, which carries 45% of the east coast’s fuel supplies, announced on Saturday it had been forced to shut down after attackers used the Internet to seize control of the fuel-pumping operation.
On Wednesday, Colonial Pipeline said it had “initiated the restart” of operations, reportedly after paying a $5mn ransom fee.
But that didn’t stop hours-long lines continuing to form at gas stations in the south-east US, as fuel began to dry up and the price of gas hit its highest point in years.
A group of cyber criminals called Darkside has taken responsibility for the ransomware attack, which works by hacking into a company's or government's network and scrambling the data.
The hacker then posts a note in the system demanding payment.
If the organisation pays up, the hacker hands back control.
“The analogy would be I break into your house, and once I get access to your house, I change all of the locks, and lock you out of your own house,” said Eric Cole, author of the book Cyber Crisis and founder of the Secure Anchor cybersecurity company.
“And then I say: ‘Hey, unless you give me money, I’m not going to give you the keys to your house.’”
The Colonial Pipeline debacle is merely the latest in a spate of ransomware attacks, which include the targeting of a water treatment plant in Florida, and the Texas-based SolarWinds IT company.
US police forces have also been a focus.
The Babuk group, another Russian cyber gang, is currently holding up the Washington DC police department, threatening to release stolen data unless law enforcement cough up an unspecified amount of money.
As the number of attacks rises, Darkside has become one of the more prominent groups, and Cole said it has managed to “commercialise cyber crime”.
“They’ve been in operation for over three years, they started around 2018, and they typically focus on lower end ransoms,” he said. “The average Darkside attack would ask for anywhere from $80,000 to $100,000 ransom, and they would typically do eight to 10 of these attacks a month, so they were bringing in about $12mn a year.
“But we’ve noticed in the last couple of months they started targeting and going after bigger organisations.
Colonial really shows their change in business model – where now instead of going after 12 small entities they go after one big one.”
The Washington Post reported that 26 government agencies have been hit by ransomware since the beginning of the year.
The FBI and other security experts say Darkside is made up of a group of criminals based in Russia, but little is known beyond that.
Groups like Darkside don’t just profit from their attacks.
Frequently they will also sell ransomware software to would-be cyber attackers on the dark web, meaning the number of attacks is likely to increase.
As Colonial Pipeline scrambles to regain control of its systems, and as the name Darkside reverberates around the US, one theory among cyber security watchers is that this could even be a promotional effort by the cyber criminal group.
“This is a good bit of marketing for them. If you’re in the business of selling ransomware this is a really good way to go to the world and say: ‘Look, our stuff’s cool, and it works,’” an expert warned.