The United States’ largest pipeline, Colonial Pipeline, halted operations due to a ransomware attack. Colonial Pipeline carries 45% of the fuel used on the U.S. East Coast, running from Texas to the New York Bay Area. The pipeline company released a statement on May 7, 2021, stating they learned they were victims of a cyberattack:
“We have since determined that this incident involves ransomware. In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems.”
According to Bloomberg and The Wall Street Journal, cybersecurity incident response experts from FireEye are assisting with the investigation, who linked the attack to a ransomware strain called DarkSide.
DarkSide Ransomware
DarkSide started its cybercrime organization in August 2020 and has already published stolen data from more than 40 victims to date (May 2021). It’s not clear how much money the attackers are demanding or if Colonial Pipeline paid the hackers. Although, a report from Bloomberg alleged that the cybercriminals behind the attack stole 100GB of data from its network. For reference, Travelex, a London-based foreign currency exchange, paid $2.3 million to ‘unlock’ only 5GB of data. With the pipeline missing 100GB of data, one can do the math to figure out how much the hackers may be asking for from Colonial ($40M-$50M). Perhaps Colonial can’t pay the ransom because the Treasury department made ransomware bitcoin payments illegal last fall. If this ransomware only encrypted Colonial’s data, they would be down for a few days while they restored from backups. However, it appears the Darkside organization is also threatening to reveal what can only be assumed are sensitive and damaging information to the Internet.
Ransomware Evolves Into A More Dangerous Form
Cyberattacks targeting utilities and critical infrastructure have witnessed a surge in recent years. A problem with this trend is newer strains of ransomware aren’t only encrypting the victim’s data but now exfiltrating the information and publicly releasing the stolen data if the ransom is not paid. This type of ransomware is called ‘Leakware‘. CyberHoot has been following this trend of leakware for a while, with Maze Ransomware starting this new strategy over a year ago.
Based on data gathered by Check Point and HackerNews, cyberattacks targeting American utilities have increased by 50% on average per week in 2021, from 171 at the start of March to 260 by the end of April.
What To Do?
Ransomware has garnered the attention of both the Whitehouse and industry. A recently created Ransomware Task Force (RTF) is bringing public and private entities together to brainstorm on ways to address this epidemic. The RTF consists of high-profile cybersecurity experts who help companies proactively combat ransomware. Work has been done in the past in an attempt to combat ransomware, but the task force’s main goal is to reduce the frequency and impact of these attacks. While the RTF does its work, your company cannot wait for a magic bullet. There are actions you must take to improve your security and reduce the likelihood of falling victim to ransomware attacks like Colonial:
- Adopt two-factor authentication to prevent a password breach of your business’s VPN, email services, and any other critical service that is directly Internet accessible
- Adopt a password manager for all your staff to use personally and professionally to improve password hygiene
- Regularly backup data following the 3-2-1 backup method for backing up all your critical and sensitive data
- Train employees on how to spot and avoid phishing attacks – the primary way ransomware attacks occur
- Test employees on their training to validate they can spot and delete rather than click and succumb to a ransomware attack
- Have a documented and tested Business Continuity and Disaster Recovery (BCDR) plan.
There are many other protective measures that go into a robust cybersecurity program including performing a risk assessment, building a risk management framework, and various technical protections. Learn all about these and start building your robust defense-in-depth cybersecurity plan at CyberHoot.