People always ask me if law enforcement is having any luck in combating cyber criminals. Let me be clear: it is a very tough job to take down cyber criminals located in other countries or sponsored by foreign nations. Our government is focusing on cyber criminals more than I have ever seen before, and the effort is promising.

Not only did the Department of Justice (DOJ) lead an effort to recoup ransom paid by Colonial Pipeline, but it also just took down (I love that term), with the help of international law enforcement, Slilpp, an online marketplace that sold stolen login credentials for banking and online payment platforms.

An unsealed affidavit supporting a warrant requested by the DOJ states that victims in the U.S. have reported over $200 million in losses. Before law enforcement took it down, the Slilpp marketplace sold login credentials for more than 1,400 account providers.

According to the DOJ: “[W]ith today’s coordinated disruption of the Slilpp marketplace, the FBI and our international partners sent a clear message to those who, as alleged, would steal and traffic in stolen identities: we will not allow cyber threats to go unchecked…. We applaud the efforts of the FBI and our international partners who contributed to the effort to mitigate this global threat.”

The FBI and DOJ are tirelessly chasing cyber criminals and their efforts are paying off for all of us. They deserve huge credit for their persistence and efforts.

After the attacks on JBS and Colonial Pipeline, the U.S. Treasury Department will likely consider increasing its enforcement of anti-money-laundering laws and adopt new reporting requirements for cryptocurrency transactions.

In ransomware attacks, hackers demand payment after locking victims out of their computer networks; de-anonymizing those payments would create a disincentive for hackers to keep running ransomware extortion schemes. Currently, hackers use digital currencies to avoid the controls of the traditional financial system. If the Treasury Department applied many of the same anti-money-laundering laws to cryptocurrency transactions, it could help identify the cyber criminals (and perhaps lessen the number of attacks).

What would make these regulations effective? Requiring disclosure of who controls the digital wallet and where the cryptocurrency ransom is being sent would be a start. Lawmakers may also want to consider oversight of the exchange of cryptocurrencies for other currencies (such as the U.S. dollar). The problem? U.S. regulation of cryptocurrency would not reach overseas, which is often where cyber criminals cash out their funds. U.S. authorities could, however, use sanctions to prevent exchanges from transacting in U.S. dollars unless all participants agree to use a crypto-reporting system.

This is not the first time such oversight has been discussed. Late last year, the Treasury Department proposed a rule to require banks and exchanges to report transactions over $10,000 involving digital wallets not hosted by a financial institution. This is similar to the existing reporting rule for cash transactions over that amount. A reporting rule of this type would assist law enforcement in tracking money flows from cyber crime.

Crypto exchanges already have to report customers’ suspicious transactions. The proposed rule would add reporting whenever an unhosted wallet is involved, regardless of whether the transaction is considered suspicious. Unhosted (self-custodied) wallets are not tied to a regulated institution that identifies the customer, which makes them similar to anonymous bank accounts.

This proposed rule came after U.S. companies were warned that paying ransoms to hackers could violate U.S. sanctions. That warning encouraged companies to cooperate with law enforcement in order to protect themselves from liability for erroneously paying a ransom to an entity on the sanction list.

A Treasury Department spokeswoman said that the proposed rule for reporting cryptocurrency transactions “is actively moving through the rulemaking process” after receiving thousands of comments.

When cyber-attacks on large businesses like JBS and Colonial Pipeline affect consumers’ gas prices and the availability of meat at the grocery store, it likely will lead to increased public scrutiny and a call for action on cryptocurrency and other issues tied to ransomware.

Of course, the underlying issue in these ransomware attacks is the lax (or absent) security safeguards protecting the data housed at the companies that have been (and will be) under attack. Businesses should focus on security and prevention so that these attacks do not succeed in the first place and they never have to negotiate and pay a ransom at all.

Bloomberg Law has reported that the Colonial Pipeline ransomware attack was caused by a “single compromised password.” The attack had consumers hoarding gasoline and disrupted the distribution of gas along the East Coast. One single compromised password.

Colonial Pipeline paid $4.4 million in ransom following the attack, although the Department of Justice (DOJ) was able to recover $2.3 million of that payment by seizing the cryptocurrency wallet used by the attackers. A payment of $4.4 million because of one single compromised password.

Worse, the account the password belonged to was no longer in active use, but it could still be used to access the network. I am surmising, but this usually happens when someone leaves the company and the account and its access are not terminated. The initial user may have used the password across platforms, the password was compromised and obtained by DarkSide on the dark web, and presto!, they can go into Colonial’s system with a valid password, undetected.

We are constantly told how important passwords are. I like to use long passphrases. We are told not to use the same passwords across platforms. We are told not to use passwords related to anything we post on social media or online platforms. We are told all of this for a reason: one compromised password can cause a gas shortage, a meat shortage, contaminated water, millions of dollars paid in ransom, and disruption to our lives. Do your part and focus on password management for yourself personally, as well as for your employer.
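The two conditions described above, a dormant account that is still enabled and a password that has already leaked, are both checkable from an ordinary directory export. The following is an added example (not Colonial’s tooling and not anything reported about the incident) that audits a constructed account export for enabled-but-idle accounts, for password hashes present in a breach corpus (compared as uppercase SHA-1, the form the Pwned Passwords list publishes), and for one password hash shared by several accounts. The account records, the dates, the passwords and the breach corpus are all invented for the example; the `password_sha1` field is an assumption about what the export contains.

```python
import hashlib
from datetime import datetime, timedelta, timezone


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex, the representation the Pwned Passwords corpus uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample data (hypothetical): a directory export and a tiny breach corpus.
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)

ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_login": "2021-05-28T09:10:00+00:00",
     "password_sha1": sha1_hex("correct horse battery staple 2021")},
    {"user": "bob", "enabled": True, "last_login": "2020-11-02T17:45:00+00:00",
     "password_sha1": sha1_hex("Summer2020!")},          # left the company, still enabled
    {"user": "carol", "enabled": False, "last_login": "2020-08-14T12:00:00+00:00",
     "password_sha1": sha1_hex("Summer2020!")},          # disabled, so not a live risk
    {"user": "svc-vpn", "enabled": True, "last_login": None,
     "password_sha1": sha1_hex("Welcome123")},           # never logged in, still enabled
]

# Hashes of passwords seen in breaches (constructed; a real check would use the full corpus).
BREACHED_SHA1 = {sha1_hex(p) for p in ("Summer2020!", "Welcome123", "P@ssw0rd")}


def find_dormant(accounts, now=NOW, max_idle_days=90):
    """Enabled accounts with no login inside max_idle_days, or no login at all."""
    cutoff = now - timedelta(days=max_idle_days)
    dormant = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        last = acct["last_login"]
        if last is None or datetime.fromisoformat(last) < cutoff:
            dormant.append(acct["user"])
    return dormant


def find_breached(accounts, breached=BREACHED_SHA1):
    """Enabled accounts whose password hash appears in the breach corpus."""
    return [a["user"] for a in accounts if a["enabled"] and a["password_sha1"] in breached]


def find_shared(accounts):
    """Groups of users whose accounts share one password hash (reuse across accounts)."""
    by_hash = {}
    for a in accounts:
        by_hash.setdefault(a["password_sha1"], []).append(a["user"])
    return [sorted(users) for users in by_hash.values() if len(users) > 1]


def audit(accounts, now=NOW):
    """Combined report. The dormant-and-breached intersection is the Colonial pattern:
    an account nobody uses any more, protected by a password already in circulation."""
    dormant = set(find_dormant(accounts, now))
    breached = set(find_breached(accounts))
    return {
        "dormant": sorted(dormant),
        "breached": sorted(breached),
        "dormant_and_breached": sorted(dormant & breached),
        "shared": find_shared(accounts),
    }


if __name__ == "__main__":
    for key, value in audit(ACCOUNTS).items():
        print(f"{key}: {value}")
```

The intersection list is the one to act on first: disable the account, and only then worry about rotating the password. A disabled account with a breached password (carol) is noise until someone re-enables it, which is why the dormant check ignores disabled accounts but the reuse check does not.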

Since the Colonial Pipeline and JBS meat processing security incidents, attention is finally being paid to the cybersecurity vulnerabilities of critical infrastructure in the U.S., and in particular to the effect on day-to-day life and national security when production at large and significant manufacturers is disrupted. In the wake of these incidents in the manufacturing sector, Unit 42 of Palo Alto Networks has published research that reads as a warning to manufacturers and is worth noting. The warning concerns the activities of Prometheus, “a new player in the ransomware world that uses similar malware and tactics to ransomware veteran Thanos.”

According to the Executive Summary, Unit 42 “has spent the past four months following the activities of Prometheus,” which “leverages double-extortion tactics and hosts a leak site, where it names new victims and posts stolen data available for purchase.” Prometheus claims to be part of REvil, but Unit 42 says it has “seen no indication that these two ransomware groups are related in any way.” Unit 42 further states that Prometheus claims to have victimized 30 organizations in different industries, in more than a dozen countries, including the U.S.

Prometheus came on the scene in February 2021 as a new variant of the Thanos strain. Unit 42 cannot say how the Prometheus ransomware is being delivered, but surmises that it arrives through typical means, such as “buying access to certain networks, brute-forcing credentials or spear phishing for initial access.” Once inside, it first kills backup and security processes and then begins encrypting. It then “drops two ransom notes,” both telling the victim that the network has been hacked and important files encrypted, and giving instructions on how to recover them. If the ransom demand is not met, the stolen data is published on the group’s shaming site, which also tracks the “leak status” of each victim. According to Unit 42, “[M]anufacturing was the most impacted industry among the victim organizations we observed, closely followed by the transportation and logistics industry.”
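The pre-encryption step described above, killing backups and security processes, is one of the few moments in a double-extortion intrusion that leaves a loud, host-local trace before any file is encrypted. The following is an added example, not Unit 42’s code and not Prometheus’s documented command set: a rule-based scan over constructed process-creation log lines that flags shadow-copy deletion, boot-recovery disabling, backup-catalog deletion and the stopping of backup or security services, then escalates a host where several distinct rules fire within a short window. The commands matched are generic ransomware behaviours (MITRE ATT&CK catalogues them under Inhibit System Recovery, T1490, and Impair Defenses, T1562); the log format, the host and user names, the timestamps and the list of protected service names are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Service/process name fragments treated as "backup or security" (assumed list).
PROTECTED = ("veeam", "backup", "sqlserver", "msmpeng", "defender", "sense")

# Generic recovery-inhibition and defense-impairment commands (assumptions, not
# Prometheus's documented TTPs; Unit 42 does not quote its exact commands).
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "backup_catalog_deleted": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
    "protected_service_stopped": re.compile(
        r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop|taskkill(\.exe)?\b.*\s/im)\s+\S*("
        + "|".join(PROTECTED) + r")", re.I),
}

# Constructed log lines in an assumed key=value process-creation format.
LOG = """\
ts=2021-06-01T10:00:01Z host=WS01 user=bob cmd="cmd.exe /c dir C:\\Users"
ts=2021-06-01T10:00:03Z host=WS01 user=bob cmd="vssadmin delete shadows /all /quiet"
ts=2021-06-01T10:00:04Z host=WS01 user=bob cmd="bcdedit /set {default} recoveryenabled No"
ts=2021-06-01T10:00:05Z host=WS01 user=bob cmd="net stop VeeamBackupSvc"
ts=2021-06-01T10:00:06Z host=WS01 user=bob cmd="taskkill /f /im MsMpEng.exe"
ts=2021-06-01T11:30:00Z host=SRV02 user=admin cmd="wbadmin delete catalog -quiet"
ts=2021-06-01T11:31:00Z host=WS03 user=carol cmd="net stop Spooler"
"""

LINE_RE = re.compile(r'^ts=(\S+)\s+host=(\S+)\s+user=(\S+)\s+cmd="(.*)"$')


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, user, cmd = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "user": user, "cmd": cmd}


def match_rules(cmd):
    """Names of every rule whose pattern appears in the command line."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def scan(text):
    """All events that trigger at least one rule, with the rule names attached."""
    hits = []
    for line in text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        rules = match_rules(event["cmd"])
        if rules:
            hits.append({**event, "rules": rules})
    return hits


def find_bursts(hits, window=timedelta(minutes=5), min_rules=2):
    """Hosts where at least min_rules distinct rules fire inside one window.
    A lone wbadmin from an admin may be maintenance; several different
    recovery-inhibition commands in a row on one host is the pre-encryption pattern."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    flagged = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            seen = set()
            for e in events[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                seen.update(e["rules"])
            if len(seen) >= min_rules:
                flagged.append(host)
                break
    return sorted(flagged)


if __name__ == "__main__":
    found = scan(LOG)
    for h in found:
        print(h["ts"].isoformat(), h["host"], h["user"], h["rules"], h["cmd"])
    print("escalate:", find_bursts(found))
```

The burst logic is what keeps this usable: matching `vssadmin delete shadows` alone produces alerts every time an administrator reclaims disk space, whereas three different rules on one workstation inside five minutes is worth paging someone for, because the encryption that follows is usually only minutes away.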

What we have seen in the past is that when ransomware groups succeed in one industry, they use what they learned from the initial attacks to target other companies in that sector. They carry the knowledge from one attack into the next, assuming that because the first one worked, subsequent attacks will work as well. Since networks within an industry tend to look alike, it is straightforward to attack one victim, learn from it, and then apply that knowledge to similarly situated victims.

With attackers focused on the manufacturing sector right now, we anticipate more attacks against manufacturers from groups such as Prometheus.

Colonial Pipeline was hit with a proposed class action suit this week by a North Carolina resident who alleges that he had to purchase gasoline at inflated prices because of Colonial’s “unlawfully deficient data security,” which allowed a ransomware attack to shut the pipeline down.

According to the allegations in the suit, the cyber attack was “catastrophic” to consumers and injured millions of individuals through gas shortages and higher prices. The suit alleges that pipeline management should have foreseen a cyber-attack, since attacks against critical infrastructure are a known risk.

The Complaint alleges negligence and seeks a declaratory judgment, monetary damages, punitive damages, restitution, and disgorgement of revenue.

Colonial Pipeline paid hackers a ransom of $4.4 million in bitcoin soon after discovering a cyberattack on its systems that began on May 6. The company’s acknowledgement comes after days of speculation about whether a ransom was paid. The company’s CEO defended the “difficult” decision to pay, maintaining he was trying to avoid widespread fuel shortages on the East Coast. Even with the ransom payment, Colonial’s pipeline was shut down for days, resulting in price spikes and shortages at gasoline stations in the Southeastern U.S. In addition to the ransom payment, Colonial also revealed it would be spending tens of millions of dollars over the next several months to restore its systems.

Meanwhile, the attacker, identified by the FBI as DarkSide, a group out of Eastern Europe, lost access to its IT infrastructure and cryptocurrency funds. Many believe that law enforcement seized the group’s assets, given that the loss occurred on the same day President Biden announced the U.S. would “pursue a measure to disrupt” DarkSide.

There are no mandatory federal cybersecurity requirements for U.S. critical infrastructure, including the energy sector. To date, federal agencies have issued cybersecurity guidelines for the energy sector, but since most operations are privately owned, operators are not obligated to follow them. President Biden has proposed funding to harden security in U.S. critical infrastructure: his American Jobs Plan includes $20 billion for cities and towns to strengthen energy cybersecurity and $2 billion in grants for energy grids in high-risk areas. In the interim, Biden’s recently issued Executive Order on Improving the Nation’s Cybersecurity governs how security incidents are managed and how hardware and software are used by federal agencies. For vendors and developers who want to do business with the federal government, this means improving product security in order to win new contracts from a very large customer.

In this episode of the podcast (#214), Brandon Hoffman, the CISO of Intel 471, joins us to discuss the recent ransomware attack on the Georgia-based Colonial Pipeline and the suspected group behind it: DarkSide, a ransomware-for-hire cybercrime outfit.


It was just a week ago, on May 7, 2021, that a successful cyberattack against one of the largest U.S. oil and gas pipelines, operated by the Colonial Pipeline Company, forced it to shut down and plunged the U.S. government into an unanticipated crisis. Within days, there were reports of consumers panic-buying gasoline, leading to shortages in the southeastern United States.


Then, almost as suddenly as the crisis appeared, it was over. Colonial, which was reported to have paid the DarkSide group a $5 million ransom to regain access to its servers, announced that it would restore pipeline operations by the end of the week. And in a message to a private forum on Thursday, captured by the firm Intel 471, the ransomware group credited with the attack, known as “DarkSide,” said that it was shutting down after its blog, payment server and Internet infrastructure were seized by law enforcement and cryptocurrency from a DarkSide-controlled payment server was diverted to what was described as an “unknown account.”

[Image: the message posted by the DarkSide group announcing that it was ceasing operations. Image courtesy of Intel 471.]

Other news reports suggest the cyber criminal underground is getting skittish about ransomware groups now that the full force of the U.S. government appears to be focused on rooting them out. Reports out Friday claim that the Russian-language hacking forum XSS has banned all topics related to ransomware.


What happened? And who, or what, is the DarkSide group responsible for the Colonial Pipeline attack? We invited Brandon Hoffman, CISO at the firm Intel 471, back into the studio to talk about DarkSide, which Intel 471 has followed and profiled in depth since it emerged last summer.

“They (DarkSide) don’t necessarily want to have their affiliates attack Critical Infrastructure or the government.”

-Brandon Hoffman, CISO Intel 471

The quick collapse seen in recent days may be a case of DarkSide biting off more than it could chew by attacking a target that put it in the crosshairs of the U.S. government. But, as we discuss, the Colonial Pipeline hack also raises a number of questions about the state of America’s critical infrastructure and whether it is secure enough to withstand both directed and opportunistic attacks. “Ransomware is no longer a cybercrime problem, it’s really a national security issue,” Brandon tells me.


In this conversation, Brandon briefs us on DarkSide and outlines the group’s motivations and processes when it works with affiliates and targets victims. The attack on Colonial will almost certainly prompt changes by attackers, who will be wary of inviting retaliation from nations like the U.S.

Carolynn van Arsdale (@Carolynn_VA) contributed to this story.


As always, you can check out our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.

President Joe Biden signed an Executive Order on Wednesday, May 12, 2021, on the heels of the cyber-attack against Colonial Pipeline Co., which suffered a major ransomware attack late last week that has caused supply chain issues in the Southeast.

The Order is intended to show that the federal government is taking a leadership role on cybersecurity defense by improving the cyber defense of the government and its subcontractors, including software vendors who do business with the federal government.

The Order requires that all software sold to the federal government meet prescribed cybersecurity standards within nine months and that software developers make security data about their products available to the government and to purchasers.

It also requires the government to deploy encryption and multifactor authentication, establishes a government-wide endpoint detection and response capability so that federal agencies can share cyber-threat information, and calls for a “playbook” on incident response. Vendors that do business with the federal government are required to report security incidents to the government to increase the availability of threat intelligence.

Colonial Pipeline, a company that transports more than 100 million gallons of gasoline and other fuel daily across 14 states from Houston to New York Harbor, shut down the pipeline last Friday after discovering ransomware on its computer systems. The FBI has attributed the attack to a ransomware group called DarkSide.

The hack reportedly began last Thursday, when the hackers stole about 100 gigabytes of data as the first half of a double extortion scheme. After stealing the data, they then locked Colonial’s computers. DarkSide threatened to publish the stolen data online and to keep the computers locked unless Colonial paid a ransom, the amount of which was not disclosed at the time.

Colonial Pipeline notified the FBI of the attack on Friday morning and is cooperating with the investigation. The FBI also brought the Cybersecurity and Infrastructure Security Agency (CISA) and other government agencies that regulate energy and infrastructure into the investigation. The FBI and other agencies are still awaiting access to the company’s security documentation to determine how the hackers pulled off the crippling ransomware attack.

U.S. critical infrastructure has been the target of an increasing number of cyberattacks. Earlier this year, an unknown hacker breached the access controls at the Oldsmar, Florida, water treatment plant in an attempt to poison the city’s water supply with lye. In 2020, an unnamed natural gas compressor facility was shut down for two days because of a cyberattack. Several natural gas pipeline operators had service interruptions in 2018 when a technology vendor that facilitated electronic communications between the operators was hacked.

Many members of Congress and the Biden Administration agree that cybersecurity improvements are essential for the nation’s critical infrastructure, including the electric grid, local energy and utility companies, water treatment plants, and wastewater facilities. All of these operators face significant challenges in making such improvements, including sufficient funding, staffing and training. In addition, even where the federal government has adopted cybersecurity requirements for certain infrastructure operators, funding shortages can leave very little oversight and inspection to make sure operators are complying with them. Some states, like Connecticut, have adopted requirements for certain infrastructure and provided funding to make sure operators in the state comply.

It is also recognized that our cybersecurity standards need updating. The Biden Administration has proposed significant funding for the National Institute of Standards and Technology (NIST) to work with industry, science, and government to evaluate and improve the standards for our critical infrastructure.

It is being reported late on May 12, 2021, that Colonial Pipeline is returning to full operations following the devastating ransomware attack discovered on May 7, 2021. Colonial took its systems offline that day in response to the attack, which caused supply chain issues, particularly in the Southeast.

Colonial Pipeline, the largest gasoline pipeline in the U.S., under normal circumstances has the capacity to ship approximately 2.5 million barrels of fuel per day from Houston, Texas, to various locations across the Southeast, the East Coast, the New York area and New England.

Even though Colonial Pipeline is resuming operations, it is estimated that it will take a full two weeks for the transport of gasoline to get back to normal.