Ransomware Gang Behind Colonial Pipeline Attack Claims Another Major Victim

In May of last year, Colonial Pipeline was struck by a ransomware attack, prompting the Colonial Pipeline Company to take certain systems offline in an attempt to contain the attack. As a result, all pipeline operations were temporarily halted, shutting off the flow of fuel to the eastern seaboard. Shortly thereafter, the FBI confirmed that the Russian ransomware gang DarkSide had perpetrated the attack.

The attack drew national and international attention as a major cyberattack on critical infrastructure. Fuel shortages developed in parts of the East Coast as worried drivers rushed to fill their tanks before station supplies ran dry. DarkSide responded to the attention by posting a statement on its website claiming that it was introducing new checks so that its attacks would “avoid social consequences in the future.” It later emerged that Colonial Pipeline had paid the group 75 bitcoin (then worth roughly $4.4 million) within hours of the attack beginning. Because Bitcoin transactions are recorded on a public ledger, a DOJ task force was able to trace the funds across the blockchain, and, having obtained the private key to the wallet where most of them came to rest, it seized about 63.7 of the 75 bitcoin. Tracing alone does not recover a ransom; it was access to that wallet’s key that made the seizure possible.

Having provoked the attention of state actors, DarkSide publicly shut down its operations only to reappear under the name BlackMatter, which in turn shut down as well. Since then, a new ransomware group known as BlackCat or ALPHV has emerged, and it is believed to be run by the same threat actors behind DarkSide and BlackMatter. If the operators are indeed the same, the group’s days of attacking pipeline operators are not yet behind it.

ALPHV’s dedicated leak site publicizing the new pipeline attack

The Encevo Group announced (PDF) last Monday that a cyberattack had struck two of its subsidiaries, Creos and Enovos. Three days later, Encevo published a further press release (PDF) stating that the attackers had exfiltrated data during the attack. Then, on Friday, ALPHV added Creos as a new victim on its dedicated leak site. The group claims to have exfiltrated 150 GB of data from Creos’ systems; the 180,000 stolen files purportedly include contracts, agreements, passports, bills, and emails. As evidence, the group posted images of what appear to be legitimate documents. ALPHV threatened to release all the stolen data this Monday, but Monday has come and gone and the data has still not appeared on the leak site. The delay could indicate that ALPHV is negotiating with Encevo, but neither party has said so.

Creos operates electricity grids and natural gas pipelines serving five countries in the European Union. Unlike the Colonial Pipeline attack, this incident does not appear to have disrupted the supply of electricity or gas to Creos customers. Encevo says it is still investigating and does not yet have enough information to notify everyone who may have been affected, but it has set up a webpage where it will post updates.