On or about May 7, 2021, Colonial Pipeline had to shut its pipelines down because of a ransomware attack. Colonial is a major fuel pipeline operator in the southern and eastern US. Its pipelines stretch from Texas to New Jersey, and reach into Louisiana, Mississippi, Alabama, Georgia, both Carolinas, Tennessee, Virginia, Maryland and Pennsylvania. After a week of downtime that saw gas shortages in many of the more eastern states just mentioned, the company announced on May 12 it was restarting pipeline operations. By May 15, those operations had more or less returned to normal. One burning question remains: What happened?
A Word from Joseph Blount, Colonial Pipeline’s CEO
In an interview with the Wall Street Journal, Blount recounted he authorized a ransom payment of $4.4 million. He did so because company executives, in the words of the WSJ story, “were unsure how badly the cyberattack had breached its systems or how long it would take to bring the pipeline back.” According to the WSJ, “Colonial Pipeline provides roughly 45% of the fuel for the East Coast…” Essentially Colonial Pipeline chose to disregard long-standing advice from the FBI and other law enforcement agencies not to pay ransom demands in such situations. Blount demurred and is quoted as saying he authorized payment because “…it was the right thing to do for the country.”
More About the Attack
Security experts are in agreement with US government officials who attribute the attack to a criminal gang based in eastern Europe named DarkSide. This shadowy organization builds malware to attack systems for extortion, and shares the proceeds obtained from its ransomware with affiliates who actually carry out the attacks that deploy its ransomware on business and government systems all over the world.
As reported in the WSJ story, Colonial worked with experts who had prior experience dealing with the organization behind the attack. That said, the company declined to share details on the negotiations involved in making the payment, or how much of its losses might (or might not) be covered by its cyber insurance coverage. Once the attackers received payment, they provided a decryption tool to unlock affected systems. To underscore law enforcement advice, Colonial also disclosed that the decryption key did not provide everything needed to restore its systems to normal operation.
According to CNN, and contrary to many other reports, the sponsoring DarkSide organization is not “believed to be state-backed.” Instead Lior Div, CEO of cybersecurity firm Cybereason, describes DarkSide as a “private group that was established in 2020.” That said, consensus is emerging that DarkSide operates in Russia for two compelling reasons. According to CNN, “its online communications are in Russian, and it preys on non-Russian speaking countries.” Div is further quoted as saying “Russian law enforcement typically leaves groups operating within the country alone, if their targets are elsewhere.”
DarkSide runs what CNN and others call a “ransomware-as-a-service” business. That is, it builds tools that it makes available to other criminals, who then use them to launch ransomware attacks. Because DarkSide’s software also handles ransom payments, whenever its customers (known as affiliates) collect income from such attacks, DarkSide is first in line to take its share of the resulting proceeds. At present, the high visibility of the Colonial Pipeline attack has led to a shutdown of the DarkSide website, owing to presumed influence or efforts from US law enforcement agencies.
Lessons to Take from the Colonial Pipeline Attack
Rumor has it that Colonial shut down its pipelines, not just because of the compromise of its systems, but also because its billing system was compromised and it couldn’t tell how much to charge companies for fuel shipped over its pipelines. It’s also fair to assume that Colonial did not have protected backups it could use to wipe its existing systems and replace them with known, good working images. Why? Because it chose to pay the ransom. The biggest lesson to take from this successful attack is that a known, good, valid backup is the only sure remedy for a ransomware attack, and the only way for organizations to be sure they can get back to work in the wake of such an attack.
Other recommended best practices to avoid successful ransomware attacks include:
- Requiring regular password changes for employees and other authorized users
- Requiring two-factor authentication, where the other factor is a cell phone or smart token
- Better use of monitoring tools, often AI-based, to track user and system activity to identify suspicious behavior (wholesale file encryption, for example, is a big red flag)
- Denial of access, or shutting down accounts, when suspicious behavior occurs (sometimes described as “proactive threat hunting”)
- Scanning of code as part of a DevSecOps regime where threat and vulnerability intelligence becomes a routine part of development, deployment and maintenance
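The monitoring point above (wholesale file encryption as a red flag) can be reduced to a concrete check: a process that writes many ciphertext-like, high-entropy files in a short window is behaving like ransomware. The following is an added illustration, not code from the article or from any product it mentions; the process names, paths and file contents are constructed sample data, and the thresholds are assumptions to be tuned per environment.

```python
import math
from collections import defaultdict, deque

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data sits near 8.0, text near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def detect_mass_encryption(events, window_s=60, min_writes=5, entropy_threshold=7.0):
    """events: iterable of (timestamp_s, process, path, written_bytes).
    Returns one (process, timestamp, count) alert per process whose high-entropy
    file writes reach min_writes inside a sliding window of window_s seconds."""
    recent = defaultdict(deque)   # process -> timestamps of recent high-entropy writes
    alerted, alerts = set(), []
    for ts, proc, path, data in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(data) < entropy_threshold:
            continue                # ordinary document content, not ciphertext-like
        q = recent[proc]
        q.append(ts)
        while ts - q[0] > window_s:   # drop writes that fell out of the window
            q.popleft()
        if len(q) >= min_writes and proc not in alerted:
            alerted.add(proc)
            alerts.append((proc, ts, len(q)))
    return alerts

# Constructed sample data (hypothetical process names and paths, not from the article).
CIPHERTEXT_LIKE = bytes(range(256)) * 16            # uniform byte distribution, entropy 8.0
PLAINTEXT_LIKE = b"Invoice 2021-05-07 total due: 1200.00 USD\n" * 100

SAMPLE_EVENTS = (
    [(5, "proc_a", "/data/invoice1.txt", PLAINTEXT_LIKE),
     (30, "proc_a", "/data/invoice2.txt", PLAINTEXT_LIKE)]
    + [(10 + 2 * i, "proc_b", f"/data/file{i}.docx", CIPHERTEXT_LIKE) for i in range(6)]
    + [(100, "proc_c", "/data/backup.bin", CIPHERTEXT_LIKE),
       (300, "proc_c", "/data/backup2.bin", CIPHERTEXT_LIKE)]
)

def run_sample():
    return detect_mass_encryption(SAMPLE_EVENTS)

if __name__ == "__main__":
    for proc, ts, count in run_sample():
        print(f"ALERT t={ts}s: {proc} wrote {count} ciphertext-like files within 60s")
```

Only proc_b trips the check: proc_a writes plaintext and proc_c's two high-entropy writes are too far apart. Legitimate archivers and backup agents also produce high-entropy output, so in practice such a rule needs an allowlist of known processes and a response hook (the account or host isolation the list above calls for).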
Companies and organizations must create security policies and practices to directly address ransomware attacks. They remain a huge vector in the malware landscape, and occur at increasing frequency and rising costs per incident. Colonial Pipeline is just a more dramatic illustration than usual that ransomware threats pose a real and present danger.