The Consequences Of The Colonial Pipeline Ransomware Attack And The Effect It Had On DarkSide Hacking Group

The Consequences Of The Colonial Pipeline Ransomware Attack And The Effect It Had On DarkSide Hacking Group

DarkSide might have chosen the wrong business entity to target as they seemed to have lost more than what they had aimed to gain as ransom. It has caused the DarkSide hacking group to wind down its operations and go underground. Is it going to be a sign of more dangerous threats to emerge in the future?

The recent cyberattack on Colonial Pipeline has brought out the darker side of the malicious actors behind it. DarkSide, the alleged threat organization behind the attack, demanded a ransom of 75 Bitcoin (approximately $4.4 million) to share the decryption tools necessary for neutralizing the ransomware. Colonial Pipeline decided to pay the ransom in the better interests of the nation.

The Colonial Pipeline attack was not an isolated one. Toshiba, the Japanese conglomerate, claimed that someone compromised its European unit while a similar ransomware attack hit Ireland’s health service. DarkSide was reportedly behind all these attacks.

(Image Source –

What Does DarkSide Do?

DarkSide hacking group operates as a unique “Ransomware as a Service” (RaaS) business model where it develops ransomware tools and sells them to malicious actors who carry out such malicious attacks. Ransomware as a cyberattack can have dangerous consequences. While capable of crippling information network systems, it can set back the target’s finances because the ransom amount can run into millions of dollars (usually paid in Bitcoin). Furthermore, as per Sophos, DarkSide employs a ‘double-extortion method,’ i.e., besides encrypting the organization’s critical information, it will have exfiltrated the data beforehand to expose it to the public when the victim does not pay the ransom.

The Aftermath Of The Attack

Elliptic, a London-based blockchain analytics organization, claimed to have identified the crypto wallet used by DarkSide for collecting such ransom payments. It revealed that DarkSide and its affiliates had collected around $90 million as ransom money from 47 victims over the past nine months. DarkSide’s share of the loot was approximately $15.5 million, with the remaining $74.7 million shared among the affiliates.

The Colonial Pipeline incident reenergized the US Federal Government agencies’ resolve to crack down on the perpetrators of such crime with an iron hand. President Joe Biden initiated strict action by signing an executive order to strengthen the nation’s cybersecurity defenses.

The nationwide negative attention created by the Colonial Pipeline attack forced DarkSide to announce that they were abandoning ransomware altogether. They also immediately ceased operations of the DarkSide Ransomware-as-a-Service program. It also declared the draining of its cryptocurrency wallets of $5.3 million. Speculation was rife that the US Government seized the cryptocurrency balances, which was a significant achievement.

Perhaps, DarkSide touched a raw nerve when they targeted a critical infrastructure service provider. The chain of events that followed the attack put DarkSide and the entire “Ransomware as a Service” provider community in hot water. XSS Forum announced that it was banning all ransomware activities on the forum. It included ransomware affiliate programs, the sale of ransomware software, and ransomware for rent. XSS Forum is an underground Russian-language cybercrime platform renowned for providing a haven for such ransomware groups.

What Is ‘Ransomware As A Service (RaaS)?’

“Ransomware as a Service” or RaaS is a similar concept to “Software as a Service,” except that the software in RaaS is a malicious one. It is a subscription-based model developed and marketed by cyber adversaries. RaaS enables affiliates to use readymade ransomware tools to launch ransomware attacks. Using RaaS also does not usually require many technical requirements. Besides, the returns are high, with some affiliates earning up to 80% of the ransom payments.

However, developing a RaaS model requires much skill. Skill operators like REvil and DarkSide compel affiliates to sign up for these services and distribute their malware. These software solutions have a high penetration rate with low chances of discovery.

RaaS affiliates use tactics like phishing to deliver their ransomware. Once a target unwittingly opens the mail and clicks on the link, it activates the threat. The ransomware wades through the system, disabling all antivirus software and firewalls. It catches hold of an endpoint device to open a gateway to the entire internal information network system.

Once the attack is complete, the extortion game begins. The target receives a ransom note instructing the victim to pay the ransom in exchange for the decryption key. The Colonial Pipeline attack is similar in many ways.

Was DarkSide Behind The Colonial Pipeline Attack?

Though DarkSide is not directly involved in the attack, suspicious fingers point towards one of its affiliates to have carried out the data breach that occurred a day earlier. Besides, Elliptic discovered the cryptocurrency wallet, supposedly belonging to DarkSide, to collect the ransom amount of $4.4 million in Bitcoins. DarkSide categorically states that it does not attack government installations and not-for-profit organizations.

FBI suspects that the Russian Government could be behind the attack, but President Joe Biden has clarified that he has no reason to believe the Russian Government’s involvement. However, he does not rule out a Russian connection because DarkSide has an active base in Russia.

What Happened To DarkSide After The Colonial Pipeline Attack?

DarkSide hacking group had built up a reputation of not attacking non-profit and Government infrastructure. The mounting pressure from the US Government and the massive negative attention from the community dented its reputation. The statement by Russia’s XSS Hacking Forum denouncing support to all RaaS solution providers played a crucial role in DarkSide announcing the shutting down of its servers.

Meanwhile, Elliptic managed to trace DarkSide’s cryptocurrency wallet used to receive the ransom from its victims. The seizure of its servers led to DarkSide losing its access to the public part of its infrastructure. The pressure created by the US Federal Government led to other criminal forums like the Russian language forum, Exploit, announcing the banning of ransomware partner programs. The REvil group also stated that its affiliates would now have to seek its permission before targeting a specific organization.

These developments led to DarkSide shutting shop and issuing decrypting tools to its affiliates, enabling them to deal directly with the victims and settle all financial obligations. However, no one can rule out DarkSide reemerging in the future with a new identity.

Is DarkSide Different From The Competition?

In a way, DarkSide is unlike other RaaS solution providers because they maintain a stand of not attacking critical Government infrastructure projects and non-profit organizations. DarkSide has issued a press release that they will not target vulnerable entities like schools and hospitals. They follow a policy of stealing from the rich, a deviation from how most of their competitors work.

On the operations side, DarkSide is not different from other notorious names like Sodinokibi, NetWalker, Maze, or DoppelPaymer. However, DarkSide hacking group has an exciting side to its operational methods because of its following three specific characteristics.

  • DarkSide employs a highly targeted approach when scouting for its victims.
  • They prepare customized ransomware executables for each target.
  • They use a corporate-like communication channel throughout their attacks.

The Strategy Employed By DarkSide’s Peers

With cybercrime platforms like the XSS Forum and Exploit announcing that they would ban all ransomware activities on their forums, most RaaS solution providers like REvil, DarkSide, and Babuk went underground. The panels took a particular stand because they were not happy with the unwanted attention that these affiliate programs were bringing to the forum. The ideological differences between the ransomware operators and these forums also contributed to this decision.

Intel 471 says that ransomware operators often take such stands and retreat from the spotlight when the issues become serious. They tend to operate within their close-knit groups and resurface under new names with updated ransomware variants.

Incidents Similar To The Colonial Pipeline Ransomware Attack

Ransomware attacks are witnessing an increasing trend. The Colonial Pipeline attack might be the latest significant attack but is not the last. Before the Colonial Pipeline incident, ransomware attacks such as the SolarWinds attack, the Florida water treatment plant attack, and others had occurred.

Babuk, a gang similar to DarkSide, held the Washington DC Police Department on tenterhooks by threatening to release stolen information unless they paid the ransom. Another similar example is the cyberattack on the Presque Isle Police department resulting in the leaking of critical police files, including witness phone numbers and suspect addresses.

The Baltimore attack in May 2019 is another example of ransomware. While Baltimore did not pay the ransom of 13 Bitcoins (around $91,000 at that time), it ended up spending nearly $18 million on recovery. Sometimes, paying the ransom seems to be a wiser option.

The general assumption is that large conglomerates should worry more about ransomware attacks than small businesses, say, comprising 100-150 members. However, it is far from reality today as ransomware continues to target large and small organizations alike.

Final Words

Ransomware attacks are becoming common today, irrespective of the organization’s size and reputation. Just as the massive infrastructure service providers should be wary of such attacks, the small businesses are at equal risk. Even DarkSide hacking group has stated that its primary aim is to make money. It is the same with every other RaaS developer and their affiliates. The scale of damage could be different, but the impact would approximately be the same. The above discussion opens a little window into how threat actors think. For instance, the parties scrutinized here only maintain that they wouldn’t attack Government and non-profit organizations. There is no scruple in their minds about attacking private enterprises, regardless of whether it is large or small. All private organizations and enterprises are under the shadow of destructive ransomware every minute, which makes it all the more crucial to have robust security measures in place.


  1. Kost, E. (2021, May 21). What Is Ransomware As A Service (RaaS)? The Dangerous Threat To World Security. UpGuard.

  2. Novinson, M. (2021, May 13). Colonial Pipeline Paid $5M to DarkSide Hours After Attack: Report. CRN.

  3. Whitney, L. (2021, May 18). DarkSide Ransomware Group Suffers Setbacks Following Colonial Pipeline Attack. TechRepublic.

  4. Browne, R. (2021, May 18). Hackers Behind Colonial Pipeline Attack Reportedly Received $90 Million In Bitcoin Before Shutting Down. CNBC.

  5. Saarinen, J. (2021, May 15). DarkSide Ransomware Crims Quit As Colonial Pipeline Attack Backfires. IT News.

  6. Gabbatt, A. (2021, May 14). How The Colonial Pipeline Hack Is Part Of A Growing Ransomware Trend In The US? The Guardian.

  7. Tomaselli, K. (2021, May 04). Extortionists Give Presque Isle Police More Time To Pay Ransom. Bangor Daily News.