The ransomware group accused of crippling the leading U.S. fuel pipeline operator said on Monday that its goal was to make money and not sow mayhem, a statement that experts saw as a sign the cybercriminals’ scheme had gone farther than they had intended.
The FBI accused the group that calls itself DarkSide of a digital extortion attempt that prompted Colonial Pipeline (COLPI.UL) to shut down its network, potentially causing extraordinary disruption as gasoline deliveries dry up.
On Sunday the largest U.S. refinery – Motiva Enterprises LLC’s (MOTIV.UL) 607,000 barrel-per-day (bpd) Port Arthur, Texas, refinery – shut two crude distillation units because of the outage at Colonial, according to people familiar with the matter.
Pipeline Hack Claimed by Russian Group DarkSide
The FBI confirmed Monday that the culprit is a strain of ransomware called DarkSide, believed to be operated by a Russian cybercrime gang referred to by the same name.
Brett Callow, an analyst at the cybersecurity company Emsisoft who tracks ransomware, said there were signs in DarkSide’s malicious software that it was meant to hit targets outside Russia and eastern Europe. He noted that the software is coded not to run on computers where Russian or one of several other eastern European languages is set as the default system language.
“DarkSide doesn’t eat in Russia,” Callow said. “It checks the language used by the system and, if it’s Russian, it quits without encrypting.”