The Colonial Pipeline Ransomware Attack: A Complete Case Study

On May 7, 2021, Colonial Pipeline shut down the largest fuel pipeline in the US due to a ransomware attack. Gas stations ran dry across the East Coast. The company paid $4.4 million in Bitcoin ransom. The FBI later recovered $2.3 million. The entire incident started with a single compromised password.

How They Got In: A Forgotten VPN Account

DarkSide gained access through a legacy VPN account that was no longer in active use but had never been deprovisioned. The password appeared in a dark web credential dump from a previous breach where the same password was reused. The account had no MFA enabled. The attackers simply logged in with a username and password — no exploit required.

Attack Timeline

April 29, 2021 — Initial Access: DarkSide logged into the VPN and spent 8 days inside Colonial’s network doing reconnaissance — mapping file servers, locating backup systems, identifying critical operational data, and staging ransomware.

May 6, 2021 — Data Exfiltration & Staging: DarkSide exfiltrated approximately 100GB of data before encryption. This is the “double extortion” technique: encrypt AND threaten to publish the data if the ransom is not paid.

May 7, 2021, 5:00 AM — Ransomware Executes: An employee discovered a ransom note. Colonial confirmed widespread encryption across billing, accounting, and corporate systems. Fearing the ransomware had crossed into OT systems controlling the physical pipeline, they proactively shut down all pipeline operations.

May 7-12 — National Emergency: President Biden declared a state of emergency. Average US gas prices hit a 7-year high. Panic buying caused fuel shortages across 17 states.

May 8 — $4.4 Million Ransom Paid: Colonial paid 75 Bitcoin to DarkSide and received a decryption tool. The tool worked but was too slow, so they restored from backups in parallel. Full operations resumed May 12.

June 7 — DOJ Recovers $2.3 Million: The FBI traced the Bitcoin wallet and seized 63.7 BTC — demonstrating that crypto ransomware payments are not as untraceable as criminals believe.

DarkSide Ransomware Technical Details

# DarkSide encryption: RSA-1024 + Salsa20
# File extension: .{8 random chars} e.g., .a8sdj3k2

// YARA detection rule (YARA uses // comments; the # lines above and below are notes, not rule syntax)
rule DarkSide_Ransomware {
    meta:
        description = "Detects DarkSide ransomware"
    strings:
        $a = "DarkSide" ascii
        $b = "DECRYPT_FILES" ascii
        $c = "README.%s.TXT" ascii
    condition:
        2 of them
}

# DarkSide IoCs:
# C2: darksidfqzcuhtk2.onion
# Mutex: Global{unique_victim_ID}
# Ransom note: README.{extension}.TXT
# Lateral movement: WMI, PsExec with stolen credentials

Detection Queries

# Splunk: Detect VPN logins from legacy accounts
# (legacy_accounts.csv is a lookup table with a single "user" column; the original sketch
#  used a bare identifier in IN(), which Splunk cannot resolve to a list)
index=vpn_logs action=success
| lookup legacy_accounts.csv user OUTPUT user AS legacy_user
| where isnotnull(legacy_user)
| stats count by user, src_ip

# Elastic KQL: Successful auth from accounts outside the active baseline
# (KQL has no IN / NOT IN operator: list the baseline accounts explicitly, or filter on a
#  field enriched from a watchlist; the names below are placeholders)
event.category: authentication and event.outcome: success
  and not user.name: ("jdoe" or "asmith" or "svc_backup")
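Both queries depend on something the SIEM does not know by default: which accounts are still in legitimate use. As an added example (not code from the original article), the Python below runs the same detection over constructed VPN log lines and a constructed last-seen baseline, flagging every successful login by an account idle for more than 90 days or missing from the baseline entirely. The log format, account names and dates are invented for illustration; the Colonial VPN account would have met the "idle for months" condition.

```python
"""Flag successful VPN logins by stale or unknown accounts (added example)."""
from datetime import datetime, timedelta

# Constructed VPN log lines: timestamp, outcome, user, source IP
VPN_LOG = """\
2021-04-29T01:12:03Z success user=jdoe src=203.0.113.10
2021-04-29T01:15:44Z success user=vpn_legacy01 src=198.51.100.23
2021-04-29T02:01:09Z failure user=asmith src=203.0.113.11
2021-04-29T03:30:00Z success user=asmith src=203.0.113.11
2021-04-29T04:10:22Z success user=contractor_2019 src=198.51.100.77
2021-04-29T05:00:00Z success user=svc_old src=198.51.100.5
"""

# Constructed baseline: last legitimate activity per account before this window.
# In practice this comes from the identity provider or an HR-driven access review.
LAST_SEEN = {
    "jdoe": datetime(2021, 4, 28),
    "asmith": datetime(2021, 4, 27),
    "vpn_legacy01": datetime(2020, 9, 1),      # unused for months
    "contractor_2019": datetime(2019, 12, 15),  # contract ended, account never removed
    # "svc_old" is deliberately absent: nobody owns it
}

STALE_AFTER = timedelta(days=90)


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, action, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "action": action,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def stale_logins(log_text, last_seen, stale_after=STALE_AFTER):
    """Return (user, src_ip, days_idle) for each successful login by an account
    idle longer than stale_after; days_idle is None for accounts not in the baseline."""
    hits = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev["action"] != "success":
            continue  # failed attempts are a different detection (brute force)
        seen = last_seen.get(ev["user"])
        if seen is None:
            hits.append((ev["user"], ev["src"], None))
            continue
        idle = ev["ts"] - seen
        if idle > stale_after:
            hits.append((ev["user"], ev["src"], idle.days))
    return hits


if __name__ == "__main__":
    for user, src, days in stale_logins(VPN_LOG, LAST_SEEN):
        label = "not in baseline" if days is None else f"idle {days} days"
        print(f"ALERT: successful VPN login by {user} from {src} ({label})")
```

Three of the six lines are flagged; the two accounts with recent activity pass even though one of them had a failed attempt first.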

# Wazuh rule: Mass file modification (ransomware indicator). Add to /var/ossec/etc/rules/local_rules.xml; fires when syscheck reports roughly 50 "integrity checksum changed" events (built-in rule 550) within 60 seconds
<group name="syscheck,ransomware,">
  <rule id="100200" level="15" frequency="50" timeframe="60">
    <if_matched_sid>550</if_matched_sid>
    <description>Possible ransomware activity: files modified at high rate</description>
  </rule>
</group>
</group>
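The Wazuh rule above is a frequency/timeframe correlation: many file-modified events from one source inside a short window. To make the logic concrete, here is the same sliding-window detector in Python as an added example (mine, not from the article or from Wazuh), run over constructed file-integrity events: one user saving a handful of documents over twelve minutes, and one service account rewriting 60 files in 30 seconds, the kind of burst encryption produces. Hostnames, account names, paths and the threshold are assumptions.

```python
"""Sliding-window burst detector for file-modification events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def constructed_events():
    """Build a sorted list of (timestamp, user, path) file-modified events.
    Constructed data: normal editing by one user, then a burst by a service account."""
    base = datetime(2021, 5, 7, 5, 0, 0)
    events = []
    for i in range(5):  # one save every three minutes: normal behaviour
        events.append((base + timedelta(minutes=3 * i), "jdoe", f"/share/docs/report{i}.docx"))
    for i in range(60):  # 60 rewrites in 30 seconds, files renamed with a random extension
        events.append((base + timedelta(minutes=12, milliseconds=500 * i),
                       "svc_legacy", f"/share/finance/inv{i:03d}.xlsx.a8sdj3k2"))
    events.sort()
    return events


def detect_bursts(events, threshold=50, window=timedelta(seconds=60)):
    """Alert the first time any user reaches `threshold` modifications inside `window`.
    Events must be in time order. Returns a list of (user, time_of_alert, count)."""
    recent = defaultdict(deque)  # per-user timestamps still inside the window
    alerted = set()              # alert once per user, not once per extra file
    alerts = []
    for ts, user, _path in events:
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append((user, ts, len(q)))
    return alerts


if __name__ == "__main__":
    for user, ts, count in detect_bursts(constructed_events()):
        print(f"ALERT {ts.isoformat()}: {user} modified {count} files within 60s")
```

The threshold and window are the tuning knobs, exactly as `frequency` and `timeframe` are in the Wazuh rule; a backup or indexing service account that legitimately touches thousands of files needs an allow-list or a much higher threshold, otherwise the rule trains analysts to ignore it.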

# PowerShell: Find enabled accounts unused for 90+ days
$cutoff = (Get-Date).AddDays(-90)
Get-ADUser -Filter { LastLogonDate -lt $cutoff -and Enabled -eq $true } -Properties LastLogonDate |
  Select-Object Name, SamAccountName, LastLogonDate | Export-Csv stale_accounts.csv -NoTypeInformation

# Disable stale accounts (same filter as the report; append -WhatIf to preview before running for real)
Get-ADUser -Filter { LastLogonDate -lt $cutoff -and Enabled -eq $true } | Disable-ADAccount

Check Credentials Against Breach Databases

# Check all AD users against the HIBP Enterprise API
# (the breachedaccount endpoint requires an API key and a user-agent header; 404 means "not found")
Import-Module ActiveDirectory
$headers = @{ "hibp-api-key" = "YOUR_KEY"; "user-agent" = "corp-breach-check" }
$emails = Get-ADUser -Filter * -Properties EmailAddress |
  Where-Object { $_.EmailAddress } | Select-Object -ExpandProperty EmailAddress
foreach ($email in $emails) {
    $url = "https://haveibeenpwned.com/api/v3/breachedaccount/$([uri]::EscapeDataString($email))"
    try {
        $result = @(Invoke-RestMethod -Uri $url -Headers $headers)
        Write-Host "BREACHED: $email found in $($result.Count) breach(es)"
    } catch {
        if ($_.Exception.Response.StatusCode -ne 404) { Write-Warning "$email : $($_.Exception.Message)" }
    }
    Start-Sleep -Milliseconds 1600  # HIBP rate limit: 1 request per 1.5 seconds
}

# Also check NTLM hashes against Pwned Passwords (offline, against the downloaded list ordered by hash)
# Download from: https://haveibeenpwned.com/Passwords (18GB)
# Get-ADReplAccount needs a domain controller to replicate from; the hostname below is a placeholder
Import-Module DSInternals
Get-ADReplAccount -All -Server "dc01.example.com" |
  Test-PasswordQuality -WeakPasswordHashesSortedFile ntlm-ordered.txt
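The DSInternals command compares every NT hash in the domain against the downloaded list, which is the right approach for a domain-wide audit. For a single candidate password (for example, checking a proposed VPN password before it is accepted), the same Pwned Passwords data is reachable through the k-anonymity range API, which sends only the first five hex characters of the password's SHA-1 hash and matches the rest locally. The Python below is an added example (mine, not from the article or from HIBP's own tooling) of that client-side logic. It uses a small constructed corpus in place of the service so it runs offline; `fetch_range_live` shows the real endpoint shape but is not called.

```python
"""Pwned Passwords k-anonymity range check, simulated offline (added example)."""
import hashlib
import urllib.request
from collections import defaultdict

# Constructed corpus standing in for the public breach data: password -> times seen.
# The real service holds hundreds of millions of hashes; these three are invented.
CONSTRUCTED_BREACH_CORPUS = {
    "Password123": 120000,
    "Summer2019!": 4200,
    "colonial2020": 3,
}


def sha1_hex(password):
    """Upper-case hex SHA-1, the form the range endpoint uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Group hashes by their 5-char prefix, mimicking what the range endpoint serves:
    one 'SUFFIX:COUNT' line for every hash sharing that prefix."""
    index = defaultdict(list)
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index[h[:5]].append(f"{h[5:]}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in index.items()}


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACH_CORPUS)


def fetch_range_offline(prefix):
    """Stand-in for the HTTP call: body for a prefix, or '' when nothing matches."""
    return RANGE_INDEX.get(prefix, "")


def fetch_range_live(prefix):
    """The real call (network required, not exercised here). Add-Padding asks the
    service to pad the response so its length does not reveal how many hashes matched."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch_range=fetch_range_offline):
    """How many times the password appears in the corpus (0 = not found).
    Only the 5-char prefix leaves the client; the 35-char suffix is compared locally.
    Padding entries from the live service carry count 0 and never match a real suffix."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch_range(prefix).splitlines():
        cand, _, count = line.strip().partition(":")
        if cand == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for candidate in ("Password123", "colonial2020", "a-long-unique-passphrase"):
        n = pwned_count(candidate)
        print(f"{candidate!r}: {'seen ' + str(n) + ' times' if n else 'not found'}")
```

Wiring `fetch_range_live` in place of the offline stub turns this into a real check; the important property is unchanged either way, since the password and its full hash never leave the machine.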

5 Things That Would Have Prevented This Attack

1. MFA on all VPN/remote access — The single most impactful control. One TOTP prompt would have stopped DarkSide completely. No exceptions, no legacy account exemptions.

2. Regular access reviews — The compromised VPN account was no longer needed but was never disabled. Quarterly access reviews with automatic deprovisioning after 90 days of inactivity would have caught this.

3. Password breach monitoring — Services like HIBP Enterprise or SpyCloud monitor employee credentials in real time and alert when they appear in breach dumps. Colonial’s compromised password was likely in public breach data well before the attack.

4. IT/OT network segmentation — Colonial shut down the pipeline because they could not confirm the OT network was clean. Proper air-gap segmentation between IT and operational technology would have allowed pipeline operations to continue during IT recovery.

5. Rapid-recovery offline backups — The DarkSide decryptor was too slow. Colonial still relied on backups that took 5 days to restore. The 3-2-1-1-0 backup rule (3 copies, 2 media types, 1 offsite, 1 offline, 0 errors verified by testing) with regular restoration drills is non-negotiable for critical infrastructure.

One compromised password. No MFA. A forgotten account. $4.4 million ransom. National fuel shortage. The lesson is painfully simple: basic security hygiene at scale is harder than it sounds, but no critical infrastructure organization can afford to skip it.