On May 7, 2021, the 5,500-mile (8,850 km) Colonial Pipeline was forced to cease operations. As a result, roughly 45% of the East Coast’s total fuel supply halted. Pipeline operations did not resume until May 12, five days later.

A ransomware attack had crippled Colonial Pipeline’s operations. Mere hours after the attack, the company paid over $4,400,000 in ransom. The attackers demanded payment in Bitcoin after stealing roughly 100 gigabytes of data. Additionally, the perpetrators threatened to release the stolen data to the public while also encrypting all the data they could reach on the internal Colonial Pipeline network to render it inaccessible.

The attack utilized a method called crawling and encryption. This type of ransomware is the most common and has the power to quickly render a company helpless and unable to operate without a means of decrypting its hijacked files.

On June 8, 2021, the head of Colonial Pipeline spoke to a U.S. Senate committee and shared that the ransomware attack accessed their internal network via an intercepted or stolen password. Through a virtual private network (VPN) using single-factor authentication, anyone with that single password could authenticate through their VPN and access anything within the entire Colonial Pipeline network. From there, the attackers merely had to deploy an executable to crawl the network and encrypt any files it found.

To make matters worse, after the ransom was paid, the attackers provided a decryption tool that was slower than Colonial Pipeline’s backup recovery process, so the company had paid the ransom for nothing. As a result, long lines, fuel hoarding, and price spikes persisted for days while Colonial Pipeline’s IT team restored from backups.

In an unusual turn of events, the FBI was able to recover $2,300,000 in cryptocurrency from the hacking group’s crypto wallet. Specifically, the FBI was able to show that the hacking group utilized some portion of US-based internet infrastructure, allowing a court to grant the FBI the ability to go after the crypto wallet that received the ransom. However, no one should expect this when being held for cyber ransom as the FBI has made it very clear that paying the ransom only encourages further attacks.

While President Biden stated that there was no evidence the Russian government was directly responsible for the attack, it has been confirmed that the perpetrators were from the Russian hacking group DarkSide. According to David Kennedy (former NSA hacker), if the group does not target Russia, it has the implicit sanction of Russian authorities to deploy infections across the world with impunity. Investigators found that the ransomware used in this attack specifically avoided encrypting any files in Russian. According to blockchain analytics firm Elliptic, the cryptocurrency wallet belonging to the DarkSide group and associates has received $90,000,000 in payments in just the last year from 99 organizations.

Lessons Learned
Cybercriminals have little to no incentive to provide a working tool to decrypt your data. In addition, double encryption attacks and blackmail are increasingly heaped onto the initial attack to secure additional payments. As a result, you are just as likely to get a broken executable that does nothing for your payment. Once you are compromised, your power to respond is severely limited. Every company should have a set of agreed-upon policies and standards that will apply when you are under attack, while dealing with an attack, and after the attack. We refer to this as the policy layer within our cybersecurity model – the Pyramid of Protection.

Properly maintained backups are the cornerstone of cybersecurity and disaster recovery. Colonial Pipeline could have avoided paying the ransom altogether and relied on its backups had it accepted being down for the amount of time it would take to restore from its last known good backup. This activity aligns with our Pyramid of Protection under the Practice layer. Companies of every size should be keeping hot backups of their file servers and cloud storage in case of infiltration of any kind. If you think your files are 100% secure using a cloud-based service, you should reconsider. Cloud services can be infiltrated by hacker groups or inside operators. Offline backups hosted in a safe location on site can be an answer to that threat.

An ounce of cybersecurity prevention (utilizing cybersecurity policy, practice, and posture) is worth a pound of cure (in this case, backups – or worst case – ransom money). If Colonial Pipeline had had more stringent and thought-out policies, that attack might have been prevented entirely. The same goes for a more carefully planned set of practices that the IT, network, and security teams create together and follow to avoid intrusion on their VPN, network, and file servers. We refer to this discipline as the Posture layer of our Pyramid of Protection. In a perfect world, a continuously monitored network with highly trained staff regularly tested by the cybersecurity team would never fall for a ransomware attack. A defense is only as strong as its weakest link, whether that is a misconfigured piece of hardware or software or a user lacking the proper training.


Cyber disruptions are increasing in such frequency and severity that it’s no longer a matter of “if” but instead a matter of “when.” Organizations need to prepare. Vulnerabilities lead to erosion of confidentiality, integrity, or availability that may stem from malicious attacks, accidents, or natural occurrences.

SHINE Systems helps customers establish cyber resilience, enabling them to operate in the face of these threats through proactive prevention and detection, streamlined response, and rapid recovery.

For more information on our Cybersecurity services, please call Dr. Angela Orebaugh at 434-322-3000 Ext. 102 or email cyber@SHINESystems.com.