November 30, 2023
For the first half of 2021, ransomware groups looked unstoppable. Ransomware gangs were adding victim after victim on their dark web data leak sites, displaying an unprecedented level of technical sophistication and corporate-like organization. On top of that, new ransomware variants were popping up with increasing regularity to capitalize on the immensely lucrative nature of this criminal business.
Things suddenly started to change one year ago, on 07 May 2021, when affiliates of the DarkSide ransomware group compromised US energy operator Colonial Pipeline, disrupting its operations and the wider oil supply chain in the country. This attack left a lasting mark on the broader threat landscape, prompting a series of energetic changes across different fields, like cybercriminal platforms, law enforcement activity, and intergovernmental cooperation. Many cybercriminal forums were unhappy with the DarkSide operation, which they deemed as bringing unnecessary attention to cybercriminal activity as a whole, while for law enforcement the attack greatly increased the perception of risk associated with ransomware activity.
This blog will review what happened in the aftermath of this cyber attack and how things have changed across various critical sectors in the past year. In particular, we’ll review the following points:
On 07 May 2021, Colonial Pipeline learned that it had fallen victim to a ransomware attack, as confirmed by an official press release. The attack happened on a Friday, a typical day for malicious activity, as cybercriminals aim to exploit the weekend when security teams are not at full capacity. As a result of the ransomware campaign, Colonial was forced to temporarily halt all its activities and began working with security and forensic professionals to restore its IT infrastructure. Various sources highlighted that the attack primarily hit the company's billing infrastructure; Colonial Pipeline thus halted operations because it could not bill its customers, and as a precautionary measure, given that DarkSide could have obtained the information needed to move laterally and carry out further attacks on the pipeline itself.
The attack was soon attributed by the US Federal Bureau of Investigation (FBI) to the DarkSide ransomware group. On 10 May 2021, DarkSide published a press release on its data leak website claiming that they were not affiliated with any government entity and were solely financially motivated. This statement came after increased allegations that this group operated from Russia, an assessment based on DarkSide’s victims’ pool, and some linguistic peculiarities that suggest that its operators were native Russian speakers.
This attack provided further evidence of the widespread disruptive impact that cyberattacks can have on critical national infrastructure (CNI). Although this was likely beyond its perpetrators' intentions, the attack against Colonial Pipeline dealt a massive blow to energy and fuel distribution across the US East Coast for several days. The potential fuel shortage pushed numerous Americans to panic-buy fuel, some of them in plastic bags, triggering an all-time classic tweet from the US Consumer Product Safety Commission.
Despite experts consistently advising against paying the requested ransom, Colonial Pipeline ended up paying 75 Bitcoin (roughly $4.5 million at the time) to DarkSide the day after the compromise was made public. In an ironic twist, the decryptor tool provided by DarkSide proved so slow that the company's own business continuity and backup tooling was more effective at restoring operational capacity; there's probably a lesson in there about both the ethics and the practical value of paying cybercriminals.
A week after the disclosure of the attack on Colonial Pipeline, on 14 May 2021, DarkSide published a press release on its dark web website announcing that they had lost control of the public-facing side of its online infrastructure, such as its blog and payment server, and that the rest of its public resources would go intentionally offline within 48 hours. In the press release, DarkSide also announced the closure of its affiliate program, i.e. the corporate-like structure that advanced ransomware groups use to carry out their attacks and recruit new members.
On top of this, on 07 Jun 2021, the US Department of Justice (DoJ) issued a press release, stating that it had seized USD 2.3 million in cryptocurrency that was allegedly paid to the DarkSide ransomware group following its attack on Colonial Pipeline. The seizure—which amounted to 63.7 Bitcoin (BTC)—was achieved via the FBI’s review of the public ledger and subsequent identification of the specific address where the BTC was moved to and stored. Additionally, the DoJ stated that the FBI had access to the “private key”, which allowed them to seize the payment.
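The seizure described above rested on a simple property of Bitcoin: every transaction is recorded on a public ledger, so funds can be followed hop by hop from the victim's payment to the address where they finally rest, and whoever holds that address's private key can move them. The following is an added example (not ReliaQuest's or the FBI's code) showing that follow-the-money trace as a breadth-first walk over a transaction graph. The ledger below is constructed for illustration and does not reproduce the real on-chain data; the address names and amounts are assumptions chosen to mirror the 75 BTC payment and 63.7 BTC seizure the text describes.

```python
"""Follow-the-money trace over a toy transaction graph (added example).

The ledger is CONSTRUCTED for illustration; it is not the real DarkSide /
Colonial Pipeline chain data. Address names and amounts are assumptions.
"""
from collections import defaultdict, deque

# Constructed ledger: (txid, [(input_addr, amount)], [(output_addr, amount)]).
LEDGER = [
    ("tx1", [("victim", 75.0)],          [("darkside_main", 75.0)]),
    ("tx2", [("darkside_main", 75.0)],   [("affiliate_cut", 63.7), ("darkside_fee", 11.3)]),
    ("tx3", [("affiliate_cut", 63.7)],   [("hop_a", 63.7)]),
    ("tx4", [("hop_a", 63.7)],           [("seized_wallet", 63.7)]),
    ("tx5", [("unrelated", 5.0)],        [("exchange", 5.0)]),   # noise, not linked
]


def build_graph(ledger):
    """Map each input address to its outgoing flows: (txid, to_addr, amount).

    All inputs of a transaction are treated as spending into every output
    (the common-input-ownership heuristic used in chain analysis).
    """
    out = defaultdict(list)
    for txid, inputs, outputs in ledger:
        for sender in {addr for addr, _ in inputs}:
            for to_addr, amt in outputs:
                out[sender].append((txid, to_addr, amt))
    return out


def balances(ledger):
    """Net balance per address: received minus spent, over the whole ledger."""
    bal = defaultdict(float)
    for _, inputs, outputs in ledger:
        for addr, amt in inputs:
            bal[addr] -= amt
        for addr, amt in outputs:
            bal[addr] += amt
    return bal


def trace(ledger, start):
    """BFS from `start`, following every spend of reachable addresses.

    Returns (reachable_addresses, resting_funds, hops) where resting_funds maps
    reachable addresses that still hold an unspent balance to that balance, and
    hops lists each (txid, from_addr, to_addr, amount) edge traversed.
    """
    graph = build_graph(ledger)
    bal = balances(ledger)
    reachable = {start}
    queue = deque([start])
    hops = []
    while queue:
        addr = queue.popleft()
        for txid, to_addr, amt in graph.get(addr, []):
            hops.append((txid, addr, to_addr, amt))
            if to_addr not in reachable:
                reachable.add(to_addr)
                queue.append(to_addr)
    resting = {a: round(bal[a], 8) for a in reachable if bal[a] > 1e-9}
    return reachable, resting, hops


if __name__ == "__main__":
    reachable, resting, hops = trace(LEDGER, "victim")
    for txid, src, dst, amt in hops:
        print(f"{txid}: {src} -> {dst} ({amt} BTC)")
    print("funds resting at:", resting)
```

On the constructed data the walk ends with 63.7 BTC resting at `seized_wallet` and 11.3 BTC at `darkside_fee`; the unrelated `tx5` is never touched. Identifying the resting address is the "review of the public ledger" step; actually seizing the coins still requires the private key, which is the part the DoJ statement does not explain.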
Problems with law enforcement were not DarkSide's only concern at this time. The group was also suffering from a terrible reputation in the cybercriminal environment, for two main reasons. First, DarkSide tried to pin the attack on Colonial Pipeline on one of its affiliates, in an attempt to absolve itself of the consequences (a sort of #BlameTheIntern move). Second, the attack pushed many cybercriminals and ransomware operators into law enforcement's spotlight, causing major problems for a wide variety of threat actors. These two reputational concerns likely pushed DarkSide to disappear from the scene for a while, and potentially to come back under a different name.
In fact, on 21 July 2021, a new ransomware gang named BlackMatter launched its own affiliate program and claimed links to other ransomware groups, such as REvil, DarkSide, and LockBit. BlackMatter had significant overlaps with the DarkSide operation, including similarities in its malware code, public code of conduct, and affiliate structure. Ransomware rebrands aren’t novel. As the timeline below shows, ransomware groups have been changing it up since 2018. What’s interesting now is that a lot of groups have rebranded at the same time.
Ultimately, on 03 Nov 2021, the operators of the “BlackMatter” ransomware confirmed via their ransomware-as-a-service (RaaS) website that they would be shutting down their operation, citing “unsolvable circumstances associated with pressure from local authorities” as the reason. BlackMatter’s post did, however, indicate that their RaaS site will allow affiliates to receive decryptors for existing victims so that they can continue extorting victims on their own. The reaction to BlackMatter reportedly being forced to retire their program received a mixed response from those in the cybercriminal community – many were unsympathetic, claiming that “some do not learn or want to learn”.
The cybercriminal world is a tightly intertwined one, where important developments on one side of the house can have significant repercussions on the other side. That’s why when DarkSide attracted so much attention to the ransomware environment following the Colonial Pipeline attack, many cybercriminals attempted to reduce their own profile in order to avoid potential repercussions.
For example, on 13 May 2021, the administrator of the high-profile Russian-language cybercriminal forum XSS announced a permanent ban on all things ransomware including ransomware sales, ransomware rental, and ransomware affiliate programs. On top of the ban on future ransomware trade, XSS has also deleted all content meeting those criteria from the forum.
According to the XSS administrator’s statement, ransomware had become “dangerous and toxic” and represented a problem for the cybercriminal community at large. Not only did hosting ransomware content increase the likelihood of law enforcement actions against the forum, but the business was apparently not central to XSS’s survival.
Within several hours of the XSS decision, the administrator of the high-profile Russian-language cybercriminal forum Exploit announced that they were also banning ransomware partner programs and deleting "all topics related to ransomware." The administrator cited the unwanted attention that affiliate programs were bringing to the forum. DarkSide's representative on Exploit even stated that the administrator's decision was the right one.
One of the unintended consequences of the DarkSide ransomware attack on Colonial Pipeline is that it put the spotlight on the complex relationship between ransomware affiliates and their developers. Evidence gathered around this latest attack seems to suggest that a rogue affiliate conducted the attack on Colonial Pipeline, thus causing a chain of unforeseen consequences that irreversibly changed the broader ransomware landscape.
The vetting of affiliates within DarkSide's program was insufficient, and the attack also demonstrated that ransomware operations can have unforeseen or unintended consequences. This was shown again by the Conti attack in November 2021 against jeweler Graff. Conti was forced to issue a groveling apology after leaking data associated with several high-profile individuals from royal families in the Middle East. With ransomware groups stealing huge amounts of data and routinely turning over multiple targets, they likely often lack the time to analyze exactly what data they have stolen before it goes live on their data leak site (DLS).
Many ransomware operators have since publicly reviewed their affiliate programs in order to exert tighter control on them and avoid further dangerous consequences. For example, REvil/Sodinokibi had also updated their thread on Exploit with new rules for their affiliate program, including a ban on targeting governments or the social sector and a requirement to obtain approval for targets prior to attacks. Affiliates who violate these rules would be “kicked” off the program and their victims’ decryption keys given out for free. Up to this day, most of these restrictions appear to be still in place.
Despite these claims following the attack, the cybercriminals’ platforms’ ban on all things ransomware hasn’t exactly been enforced thoroughly. For example, ransomware gangs have now been observed publishing recruitment posts for “pentesters & access brokers”, thus bypassing the current rules on most cybercriminal platforms. The same thing happens for initial access brokers that have been observed looking for “long-term partners” on these platforms. Based on what we noticed, posts are banned only when explicitly referring to ransomware; thus excluding all the posts that circumvent that specific word.
With respect to DarkSide’s takedown, the ransomware threat landscape hasn’t changed enormously. The cybercriminal underground is used to criminal groups emerging and disappearing soon after; affiliates previously working with DarkSide have likely moved to other ongoing ransomware operations.
Despite all the chaos following the attack on Colonial Pipeline, ransomware still remains the most pressing cyber threat for organizations across various industry verticals and geographies. The relative ease with which this malware can be deployed on targeted organizations, along with the potential high payouts associated with a successful attack, make this cyber threat a persistent and pernicious risk.
As always, Digital Shadows (now ReliaQuest) will continue to monitor the ransomware threat landscape and provide updates as the scene develops. In the meantime, you can read about how to track ransomware within Search Light (now ReliaQuest GreyMatter Digital Risk Protection). If that piques your interest, you can access most of our intelligence on ransomware actors and variants in Test Drive, which is free to try for seven days.