Lessons from the Colonial Pipeline Ransomware Hack

Lessons from the Colonial Pipeline Ransomware Hack

Will your weak security leave your clients waiting in line?

Every year, several cybersecurity incidents make national headlines and cause every business owner to reconsider their own security measures and processes. The recent Colonial Pipeline ransomware hack, which halted fuel distribution on the East Coast for nearly a week, is a prime example of such an incident.

All systems—and fuel distribution with them—resumed normal operation only after Colonial Pipeline Company, the operator of the largest pipeline system for refined oil products in the United States, paid a 75-bitcoin ransom (worth as much as $5 million at the time of the incident) to an Eastern Europe-based cybercriminal hacking group called DarkSide.

Fuel shortages are still a problem in many key markets served by the pipeline system, with as many as 80 percent of gas stations in Washington, DC reportedly being without fuel as of Saturday morning.

But instead of being able to fill their car with gas, cybersecurity experts across the nation worry about the message the Colonial Pipeline hack is sending to other hacking groups and the cybersecurity readiness of their potential targets.

Ransomware Attacks Are Common

If you’re not paying attention to cybersecurity-related news, then ransomware attacks may seem relatively rare to you, affecting only large enterprises and organizations. The reality is, unfortunately, very different.

In 2020, there were a total of 304 million ransomware attacks worldwide, and a 62 percent increase from a year prior. From time to time, cybercriminals successfully pull off a headline-worthy attack, but most ransomware attacks never receive any publicity.

Even the villain behind the Colonial Pipeline ransomware hack, the DarkSide hacking group, typically focuses on lower-end ransoms, asking their victims anywhere from $80,000 to $100,000 to regain access to their data. Typically, DarkSide performs about 10 smaller hacks a month, earning them $12 million a year.

Because hacking groups are motivated primarily by money (as DarkSide stated in their ransom note), targeting smaller businesses and avoiding the attention of news reporters and three-letter agencies suits them well.

Paying the Ransom Is Not the Right Solution

According to IBM Security’s X-Force survey of executives at 600 businesses of all sizes, 70 percent of businesses infected with ransomware have paid the ransom to get their data back. The decision to pay the ransom virtually always comes down to simple math, as was the case with the Colonial Pipeline ransomware hack.

The DarkSide hacking group took down Colonial Pipeline’s billing system, leaving it unable to track fuel distribution and bill customers. The hackers also stole approximately 140 GB of accounting and research & development data from the company’s servers and preloaded them online to be automatically published.

From the financial point of view, paying the ransom was likely a relatively easy decision, but decisions like this send the wrong message, emboldening other groups going forward.

“I can’t say I’m surprised, but it’s certainly disappointing,” says Brett Callow, a threat analyst at antivirus company Emsisoft, about Colonial Pipeline’s decision to pay the ransom. “Unfortunately, it’ll help keep United States critical infrastructure providers in the crosshairs. If a sector proves to be profitable, they’ll keep on hitting it.”

For the same reason, the FBI and other law enforcement groups discourage ransomware victims from paying the ransom, recommending them to focus on improving their defenses and recovery capabilities, instead.

Prevent Weak Security from Leaving Your Clients Waiting in Line

As dangerous as they are, ransomware attacks can be avoided by following basic ransomware prevention best practices:

  • Require MFA: Multi-factor authentication is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account or a VPN. This should be used wherever possible. In many cases, it is included with your subscription (M365; Google; etc.) and simply needs to be turned on.
  • Cybersecurity awareness training with simulated phishing attacks: Hacking groups like DarkSide rely heavily on social engineering techniques to obtain access credentials that allow them to circumvent established cybersecurity defenses with minimal effort. Employees should be taught to recognize them by completing cybersecurity awareness training.
  • Backup and recovery: Ransomware attacks are so effective because organizations can’t afford to lose their data. By creating backups of all important data and storing them offline in an encrypted format, you gain the ability to wipe affected devices clean and recover everything you need in order to do your work.
  • Cybersecurity response plan: You should have a documented, written plan to guide your response to a ransomware attack. The plan should describe everyone’s roles and responsibilities, detail mandatory notification procedures, and include other essential information.
  • Activity monitoring: Because of how ransomware works, its activity on the network leaves behind an easily recognizable signature, and there are many tools and solutions that can spot it early on, giving you time to act before it’s too late.
  • Regular patching: Unpatched vulnerabilities are like secret unlocked doors that invite attackers to come in and wreak havoc. To close these doors, you need to update all hardware and software on your network as soon as possible.

Please review our Blog post from 2019 16 Cybersecurity Tips for Small and Medium Businesses for more fundamental cybersecurity tips. Also review CISA Alert (AA21-131A) - DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks that speaks to findings on DarkSide but also provides additional helpful resources.

Want to see just how costly this is to business like yours?  Verizon's 2021 Data Breach Investigations Report was just released. For specific costs to your industry, try the Chubb Cyber Index®

We are passionate about helping our clients leverage technology to grow and SECURE their businesses. Get in touch with us  if we can be of assistance or to learn more about our managed cybersecurity services.


Just released our free eBook, 20 Signs That Your Business is Ready for Managed ServicesDownload
+