Incident Analysis

Colonial Pipeline Ransomware Analysis: 100GB Exfiltrated Before a Single File Was Encrypted

On May 7, 2021, the DarkSide ransomware group shut down Colonial Pipeline — the largest refined fuel pipeline in the United States, supplying 45% of the US East Coast's fuel. But the attack didn't begin with encryption. DarkSide first exfiltrated approximately 100 gigabytes of corporate data as leverage for double extortion. Colonial paid $4.4 million in Bitcoin within hours of the ransom demand. The US Department of Justice later recovered $2.3 million of that payment — but the exfiltrated data was never recovered.

100GB exfiltrated before encryption. $4.4M ransom paid. US fuel supply disrupted for 6 days.

How DarkSide Breached Colonial Pipeline

The initial access vector was a compromised VPN credential belonging to an employee account that was no longer actively used but had not been deactivated. The account did not have multi-factor authentication enabled. DarkSide used this credential to access Colonial's IT network on April 29, 2021 — a full week before the ransomware was deployed. During that week, the attackers conducted reconnaissance, escalated privileges, and identified high-value data stores. The 100GB data exfiltration was completed before any encryption began, ensuring DarkSide had leverage regardless of whether Colonial could restore from backups.

The Exfiltration-First Strategy

Colonial Pipeline exemplifies the double extortion model that has become standard practice for sophisticated ransomware groups. The sequence is deliberate: gain access, move laterally, identify valuable data, exfiltrate it to attacker infrastructure, then deploy encryption. Even if the victim has perfect backups and can restore operations without paying for a decryption key, the stolen data provides a second extortion lever. DarkSide threatened to publish Colonial's corporate data — including contracts, financial records, and employee information — unless payment was made. This two-phase approach means that backup strategies alone are no longer sufficient defence against ransomware.

  • Phase 1: Access via compromised VPN credential (no MFA)
  • Phase 2: Week-long reconnaissance and privilege escalation
  • Phase 3: 100GB data exfiltration to DarkSide infrastructure
  • Phase 4: Ransomware deployment — encryption of IT systems
  • Phase 5: Double extortion demand — pay for decryption AND data deletion

Cascading Impact Beyond IT

Colonial's decision to shut down pipeline operations was precautionary — the ransomware had only affected IT systems, not the operational technology (OT) controlling the pipeline. But the company could not confirm that the OT network was uncompromised, so it halted fuel distribution for six days. The result was fuel shortages across the southeastern United States, panic buying, price spikes, and a presidential executive order on cybersecurity. A single compromised VPN credential led to a national infrastructure crisis. The incident demonstrated that data exfiltration is not merely a data loss event — it can trigger operational shutdowns when organisations lose confidence in the integrity of their systems.

What Anti-Data Exfiltration Would Have Prevented

BlackFog's ADX technology monitors and blocks unauthorised outbound data transfers at the endpoint level. In the Colonial Pipeline scenario, the 100GB data transfer to DarkSide's external infrastructure would have been identified and blocked during the exfiltration phase — before any encryption was deployed. Without the exfiltrated data, DarkSide would have lost their double extortion leverage. More critically, the exfiltration attempt itself would have triggered alerts, giving Colonial's security team visibility into the compromise days before ransomware deployment. Anti-data exfiltration transforms a silent data theft into a detected intrusion.
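The exfiltration-first sequence above is detectable precisely because the volume leaving a host jumps far above its own history before anything is encrypted. The following is an added example, not BlackFog's ADX code or anything from the Colonial investigation: it runs a per-host outbound baseline over constructed flow records (hostnames, IPs, byte counts and the allowlist are all made up) and flags the day a file server pushes 100GB to an unsanctioned external destination.

```python
# Added example (not BlackFog's or Colonial's code): flag hosts whose outbound
# volume to external, non-allowlisted destinations dwarfs their own baseline,
# the signal that precedes encryption in a double-extortion intrusion.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records: (day, src_host, dst_ip, bytes_out).
FLOWS = [
    ("2021-05-01", "fileserver01", "10.0.5.20", 4_000_000_000),       # internal backup job
    ("2021-05-01", "fileserver01", "198.51.100.50", 200_000_000),     # vendor update mirror
    ("2021-05-02", "fileserver01", "198.51.100.50", 240_000_000),
    ("2021-05-03", "fileserver01", "198.51.100.7", 100_000_000_000),  # 100GB to an unseen host
    ("2021-05-03", "fileserver01", "203.0.113.10", 50_000_000),       # sanctioned SaaS sync
    ("2021-05-03", "workstation42", "198.51.100.50", 30_000_000),
]
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
ALLOWLIST = {"203.0.113.10"}   # sanctioned external services (constructed)
RATIO = 20.0                   # alert when a day exceeds 20x the host's prior daily mean
FLOOR = 1_000_000_000          # ...and is at least 1 GB, to stay quiet on low-traffic hosts

def is_external(ip):
    """True when the destination is outside every internal range."""
    return not any(ip_address(ip) in net for net in INTERNAL)

def daily_external_bytes(flows):
    """Sum outbound bytes per host and day, counting only unsanctioned external destinations."""
    totals = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(lambda: defaultdict(set))
    for day, host, dst, nbytes in flows:
        if is_external(dst) and dst not in ALLOWLIST:
            totals[host][day] += nbytes
            dests[host][day].add(dst)
    return totals, dests

def detect_exfil(flows):
    """Return one alert per (host, day) whose volume breaks the host's own baseline."""
    totals, dests = daily_external_bytes(flows)
    alerts = []
    for host, by_day in totals.items():
        history = []                       # earlier days' volumes for this host
        for day in sorted(by_day):
            vol = by_day[day]
            baseline = sum(history) / len(history) if history else 0
            if vol >= FLOOR and (baseline == 0 or vol >= RATIO * baseline):
                alerts.append({"host": host, "day": day, "bytes": vol,
                               "dsts": sorted(dests[host][day])})
            history.append(vol)
    return alerts

if __name__ == "__main__":
    for alert in detect_exfil(FLOWS):
        print(f"{alert['day']} {alert['host']}: {alert['bytes']:,} bytes to {alert['dsts']}")
```

In production the same aggregation would run continuously from flow or endpoint telemetry, and a host with no baseline history is alerted on volume alone, which is what a freshly staged file server looks like on its first big transfer.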

Frequently Asked Questions

How did DarkSide access Colonial Pipeline?

Through a compromised VPN account credential that lacked multi-factor authentication. The account was inactive but had not been deactivated. DarkSide accessed the network a full week before deploying ransomware.

Was the Colonial Pipeline ransom recovered?

Partially. Colonial paid $4.4 million in Bitcoin. The US Department of Justice recovered approximately $2.3 million by seizing the Bitcoin wallet used by DarkSide. The remainder has not been recovered, and the exfiltrated data was never returned.

Did the ransomware actually affect the pipeline operations?

No. The ransomware only affected Colonial's IT systems. The pipeline shutdown was a precautionary decision because Colonial could not confirm that their operational technology network was uncompromised. This highlights how data breaches create uncertainty that forces conservative operational decisions.

Block the exfiltration that makes ransomware profitable

Kyanite Blue is an authorised BlackFog partner. We deploy, manage, and support ADX for organisations across every sector.


Ready to stop data exfiltration?

Start with a free 30-day BlackFog assessment — 25 devices, no obligation.