In early May 2021, Colonial Pipeline, which is one of the largest pipeline operators in the US, was hit with a ransomware attack. This resulted in fuel shortages and was yet another example of a large-scale malware attack in 2021.
Let's look at what happened in this attack, what the consequences were, and what we can learn from it.
What Happened in the Pipeline Attack?
On Friday, May 7, Colonial Pipeline reported that an attacked forced it to close down its systems. A ransomware attack was found on its systems, so the company ceased operations until it could get the situation under control. It's not known exactly how the ransomware attack was carried out, though Colonial has hired a security research firm to dig up more details.
While the operation systems weren't affected, the billing system was compromised. This meant that the company had no way to track how much fuel was being used, and thus bill customers accordingly.
The company worried that the hackers had additional information that they could use to cause further damage. Backing this up was the hacking group's claim that it would release close to 100GB of stolen data if Colonial didn't pay the ransom.
As we've explained before, ransomware is a nasty form of attack that encrypts your files so they're unreadable, then threatens to delete them if you don't pay what the attackers want. In this case, the attack had the added element of leaking sensitive information to the public.
Due to Colonial Pipeline's reach, this attack resulted in major supply problems. The company's pipelines provide nearly half of the gasoline, diesel, and jet fuel used on the East Coast.
States in the southeast, such as South Carolina and Georgia, ran low on gasoline because people started panic buying. Average gasoline prices hit their highest price since 2014 while this was happening, and several states declared a state of emergency.
Did Colonial Pipeline Pay the Ransom?
At an unknown point, the company decided to pay the ransom that the attackers demanded. This was close to 75 bitcoin, which is equivalent to roughly $5 million at the time. However, the decryption tool provided by the attackers worked so slowly that Colonial used its own backups to restore service faster. This calls into question whether paying the ransom had any effect on restoring service.
The company's CEO, Joseph Blount, knew the decision might not be popular. He said even though he didn't like doing it, making this choice was in the best interest of the country.
And to a point, this makes sense. Every day that Colonial Pipeline was shut down would cost it an enormous amount of money, so to the company, just paying the ransom and getting back to normal would probably cost them less than holding out on principle.
As of May 13, the company announced that it had resumed normal operations.
Who Were the Attackers Behind the Attack?
The FBI identified a group called DarkSide as the culprit of this attack. From what we know, the group is based in Eastern Europe—most likely Russia. It develops ransomware, then provides access to it for interested parties. In exchange, DarkSide receives a cut of the ransom payments.
The group's software is set not to run on computers that speak Russian or other languages spoken in former Soviet countries. Despite its location, the group claims that it is not sponsored by any government. The group issued a statement about the attack stating that it "does not participate in geopolitics"; it exists "to make money and not creat[e] problems for society."
On May 14, DarkSide decided to shut down due to pressure from the US. It stopped its scheme of licensing its ransomware to attackers, and claimed that it no longer had access to some of its servers. However, this could just be a ruse to allow the company to spring back up later under a new name.
The Ransomware Threat Is Growing
Like the Solwarwinds attack and Passwordstate hack, this situation was messy. There have been a string of high-profile attacks this year where companies scramble to return to normal and minimize disruptions to their customers.
Unfortunately, paying the ransom to criminals like this will encourage more of this behavior in the future. Thankfully, the overall impact of this attack was minor and only lasted a few days. But critical US infrastructure being at risk to cyberattack is clearly worrying.
In response to this incident, the government plans to create a Cyber Safety Review Board under the Department of Homeland Security. But ultimately, the only way to deter attackers from using these attacks is to take away their effectiveness in the first place: not paying the ransom. By practicing proper computer security ahead of time, companies won't get so easily put into a situation where they feel like they have to pay.
It's easy to say that you should take a stand and never pay ransomware authors, but businesses feel desperate if they have no other option. Staying prepared against ransomware by following security best practices and keeping regular backups that are separated from your main operations is essential. This helps prevent ransomware to begin with, and if there is a case of ransomware, the separated backup lets you restore the clean copies and not worry about whether the decryption tool will even work.
A technical audit was performed on Colonial Pipeline in 2018 that found "glaring deficiencies and big problems." The extent to which they remediated since that report was provided was clearly not enough to prevent this from happening.
You might not be running a critical pipeline, but your information and systems are just as critical to your company and clients. Consistent auditing and remediation over time is the best way to prevent an incident like this. Working with a trusted IT provider that delivers that reliability can make the difference between a ransom payment and another day at the office.