The recent hack of Colonial Pipeline has led to no shortage of problems, chief among them gasoline shortages all across the east coast of the United States. The pipeline’s operations may have been restored, but the question still remains: what could have been done to stop it, what can we learn from this incident, and what changes can we expect to see as a result?
Let’s take a closer look at the Colonial Pipeline ransomware attack and what can be learned from it.
What Happened at Colonial Pipeline?
Ransomware was first discovered at Colonial Pipeline on May 7, 2021, thus prompting the facility to shut down pipeline operations along the southeast coast. This shutdown was initiated out of an abundance of caution so that the malware could not spread to other parts of the system. The group in question, an organization of newcomers called DarkSide, used a dirty new trick in the ransomware hacker’s methodology called double extortion, where the cybercriminal forces the victim to pay by threatening to leak the encrypted data out into the world (in addition to making them pay to get the data back).
DarkSide itself has earned a reputation as a cybercriminal service provider. They develop threats, then issue them to groups, kind of like a malicious Software-as-a-Service offering.
When Colonial Pipeline put a stop to the threat, the supply chain for gasoline was so disrupted that gas shortages became abundant. Many people panic-bought gasoline in response to this, not unlike the beginning of the COVID-19 pandemic when it became hard to find simple household goods like toilet paper or cleaning supplies.
Did Colonial Pipeline pay the piper in the end? The company initially refused to shell out the $5 million in cryptocurrency demanded, but reports show that they ultimately did so. After receiving the payment, Colonial Pipeline was given a slow decryption tool that was used in conjunction with their own backup solutions.
Such a major hack was sure to spark some conversation about cybersecurity and infrastructure as a whole, so what lessons can be gleaned from this scenario?
Ransomware-as-a-Service is a Major Problem
DarkSide managed to build a network of affiliate hackers to collaborate on services and share in the profits. With a net gain of at least $60 million in the first seven months, it is clear that these services are in high demand. The affiliate hackers keep most of the ransom fees, whereas DarkSide handles the majority of the work, performing tasks such as writing the ransomware, billing victims, hosting the encrypted data, and acting as IT support or public relations.
All in all, it is a remarkably sophisticated arrangement; one that should have every business professional concerned. By making ransomware so much more accessible, literally anyone can direct an attack under the right circumstances.
Double Extortion is Double the Trouble
Normally a data backup would be enough to make a ransomware attack null and void. After all, the organization in question could simply restore a backup from a point before the ransomware infected the system.
Unfortunately, even though Colonial Pipeline did have a data backup system in place, the double extortion method forced them to pay the hackers in the end. If the user does not pay up, the hacker could just threaten to release the data to the world, and if that data is sensitive in nature or holds trade secrets, the ramifications could potentially be more devastating to a business than a massive ransom. In this case, it makes sense for Colonial Pipeline to pay up, as the decision was likely influenced by government regulations and public opinion, but we think it’s safe to say that this method will be used to a large degree of success in the years to come.
These Situations Can Inspire Cybersecurity Innovations
One way in which governments and other private sector companies are fighting back against these types of threats is by boosting cybersecurity protections for critical infrastructure. In particular, an executive order from United States President Joe Biden has created a task force to prosecute hackers that use ransomware. This order clears the way contractually for federal agencies to report severe data breaches, which are now expected to be within three days of the incident. These devastating attacks on critical infrastructure demand considerable action, and these improvements are just the beginning.
The future might be uncertain, but you can remain certain that your organization will be at risk of hackers and other cybersecurity threats if you fail to take the necessary precautions against them. Setton Consulting can help your business toward that end. To learn more, reach out to us at (212) 796-6061.