A few days ago, Colonial Pipeline’s networks in the United States were hit by a ransomware attack that caused unprecedented chaos. Following the devastating incident, the U.S. Federal Motor Carrier Safety Administration (FMCSA) issued a regional emergency declaration covering 17 states and the District of Columbia (D.C.).
FMCSA Issues a Regional Emergency Declaration
The official document states: “In accordance with the provisions of 49 CFR § 390.23, the Regional Field Administrators for the Federal Motor Carrier Safety Administration’s (FMCSA) Eastern, Southern, and Western Service Centers hereby declare that an emergency exists that warrants issuance of a Regional Emergency Declaration and an exemption from Parts 390 through 399 of the Federal Motor Carrier Safety Regulations (FMCSRs), except as otherwise restricted in this Emergency Declaration. Such emergency is in response to the unanticipated shutdown of the Colonial pipeline system due to network issues that affect the supply of gasoline, diesel, jet fuel, and other refined petroleum products throughout the Affected States.”
The affected states include Alabama, Arkansas, District of Columbia, Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, Tennessee, Texas, and Virginia.
DarkSide Ransomware Behind the Attack
Yesterday, May 10, the FBI confirmed that the DarkSide ransomware is responsible for the severe attack against the Colonial Pipeline networks. The Bureau continues to work with the company and its U.S. government partners on the investigation.
DarkSide ransomware has most likely leaked data belonging to more than 91 organizations since the beginning of its operations in August last year. Furthermore, the threat group operates under the ransomware-as-a-service model, enabling multiple partners (affiliates) to expand the criminal enterprise by compromising corporate networks. Meanwhile, DarkSide’s developers continue to improve the ransomware’s code and payment infrastructure.
Companies previously affected by the criminal organization include brands such as Forbes Energy Services and Gyrodata. Security researchers believe that the ransomware was coded by the Carbon Spider threat group, also known as Anunak, Carbanak, and FIN7. It is noteworthy that a high-level manager and system administrator of Carbon Spider was just sentenced to 10 years in prison in the United States.
Two years ago, the source code of the infamous Carbanak banking malware was found to have been uploaded to VirusTotal. FireEye researchers said that they found the malware’s source code, builders, and some previously unknown plugins in two RAR archives, uploaded to VirusTotal from a Russian IP address two years prior to the discovery.
The Carbanak malware itself was first discovered in 2014 by Kaspersky Lab researchers. The cybercriminals behind it have proven to be quite capable, carrying out multiple successful attacks while avoiding detection. In retrospect, the criminal group first started its malicious campaigns about eight years ago, using the Anunak and Carbanak malware in attacks against banks and ATM networks.