On the morning of May 7th, 2021 Colonial Pipeline experienced a ransomware attack. According to the FBI, this attack was carried out by a hacking group known as Darkside. Shortly after this attack, Colonial announced they were shutting down their 5,500 miles of pipeline in order to mitigate the attack. Colonial has been around since the 1960’s and they move about 45% of the fuel used on the west coast – about 2.5M barrels of oil a day.
According to Bitdefender’s 2020 Consumer Threat Landscape Report, Ransomware attacks have gone up 485% in 2020 as compared to 2019.
What is a ransomware attack?
Ransomware is a software that locks up files and application data using encryption. It is usually installed unknowingly by a legitimate source like an employee at a company. To the employee it appears as a normal update or a link to a website that they normally use. One of the biggest entry points of a ransomware attack is through email.
Ransomware is designed to install itself silently in the background until it has locked up as many files as possible. More sophisticated versions of ransomware exist which can wait pre-specified times in order to see if the opportunity to lock up more valuable data presents itself. It can wait and watch over several days and weeks to see if a user’s computer is connected to a network or servers because, chances are, that data is more valuable than data on a single user’s computer. After the trap has been sprung, the victim is presented with the opportunity to pay a ransom to receive a digital key that unlocks their data.
How did Colonial Pipeline respond?
After several days of being down and unable to serve its customers, Colonial decided to pay the $4.4 Million ransom. CEO Joseph Blount stated that they needed to quickly restore service to their customers.
Who are these hackers?
The Darkside hacking group has been a relatively small group and unknown on the larger world stage up to this point. They are believed to be based in Eastern Europe, and are thought to specialize in crafting the malware used to breach systems. They also share it with affiliates—for a cut of the ransoms they obtain.
It has been interesting to note that during this attack Darkside has responded in some very odd ways with communications seeming to indicate that they didn’t mean the attack to have been quite as severe as it wound up being. They have also put out statements that suggest that they were only carrying out the attack on behalf of another organization or group and were not responsible for choosing the target.
What should I do to protect my business?
Good cybersecurity should be set up in layers. No solution is impenetrable, but using a layered approach helps stack the odds in your favor. A good enterprise grade antivirus is a great place to start building your solution.
Second, a solid commercial level firewall, like Watchguard, Fortinet, or Cisco among many others. The firewall is the entrance and exit of your IT infrastructure. Make sure that your security subscriptions are up to date. Firewalls are just like antivirus software. They need to be updated regularly to prevent breaches.
Third, backup, backup, backup! Backup your important data in at least 2 if not 3 locations. Make sure that you not just backing up the files but also the servers and applications that run those files. That way you can restore your data and immediately be able to access it. Design your backups to happen automatically so they don’t rely on humans to trigger it. Check your backups annually at the very least to ensure that the data is not corrupted and the restore process works the way you think it is supposed to.
Fourth, write it all down! Have a backup and disaster recovery plan ready so that you are not scrambling to make things happen in the moment of disaster. So many things get forgotten and mishandled when you are being reactive and not proactive.
Finally, there are many more things you can do. Many more layers to consider. Encryption, multi-factor authentication, and proactive network monitoring are just a few. Find a technology partner that can help you consider how to best layer your security. Doing these things could mean the difference in staying in business or starting over from scratch.
Author: Josh Cochran, President and CEO of Diverse CTI
Josh has worked in Information Technology and Telecommunications for over 25 years. He is an expert in business, technology, and entrepreneurship. He also speaks on these subjects and many others at many engagements across the country.