On May 7, 2020, the DarkSide ransomware gang successfully breached Colonial Pipeline’s IT systems, forcing a critical U.S. fuel artery to temporarily shut down operations. The FBI confirmed three days later that DarkSide initiated the ransomware attack, and Colonial Pipeline eventually admitted to paying more than $4 million in ransom.
Government agencies warn against paying ransoms because it only encourages future attacks — and payment doesn’t guarantee your data will be released. In the case of Colonial Pipeline, although DarkSide sent the decryption key after receiving payment, the key was of such poor quality that the fuel distributor used its backups to restore systems instead because it was faster.
Law enforcement officials were able to recover $2.3 million of the ransom in bitcoin, but the damage had already been done. The DarkSide attack has cost Colonial Pipeline lost revenue, security and remediation expenses, reputational damage, and litigation costs.
What went wrong for Colonial Pipeline, and what are the lessons for the rest of us?
The IBM X-Force Threat Intelligence Index ranks ransomware as the No. 1 cyberthreat in 2021. DarkSide’s recent attack on Colonial Pipeline highlights a growing trend of ransomware attacks against critical infrastructure sectors, and that trend shows no sign of slowing.
The Colonial Pipeline attack should serve as a wake-up call for all businesses that ransomware is a serious threat. IT teams must take proactive steps to ensure they have robust cybersecurity and cyber resilience strategies in place to prevent security breaches and data loss.
The DarkSide ransomware attack disrupted operations at Colonial Pipeline for little more than a week, but the implications of the breach will have a long-lasting impact; for example, many security teams will adjust their approaches to network and data protection.
Cybersecurity is a moving target.
If we want to keep history from repeating itself, we need to examine the root cause of the Colonial Pipeline breach. What cybersecurity failures allowed malicious access to Colonial Pipeline's IT systems? And how can we prevent future attacks on other critical infrastructure providers?
According to several sources, DarkSide used a compromised VPN password to break into Colonial Pipeline’s network. Inadequately secured VPNs have become a heavily targeted weak point since early 2020, when COVID-19 drove a global pivot to remote work; VPN now ranks among the three most dangerous ransomware delivery vectors, alongside RDP and phishing.
Ransomware attacks on VPNs often exploit common weaknesses, such as missed patches, unnecessarily open ports, direct exposure to the public internet, and weak password policies. Had Colonial Pipeline implemented and enforced strong authentication and other VPN security best practices, the outcome of this event could have been much different.
The central message IT and cybersecurity professionals need to take away from Colonial Pipeline’s misfortune is that a multi-layer ransomware prevention strategy is necessary whether you are protecting a two-person startup or one of the United States’ most critical fuel arteries.
A multi-layer ransomware protection plan addresses three key factors: cybersecurity technology, backup and recovery capabilities, and human fallibility.
Cyberthreats are constantly evolving, and new threats are introduced almost daily. Securing sensitive data in this ever-changing threat landscape requires integrated cybersecurity solutions that can respond and adapt to known and unknown threats.
Effective cybersecurity requires more than simply installing antivirus software on company computers. To combat today’s evolving threats, cybersecurity must include everything from AI-driven threat detection and neutralization to endpoint protection to email scanning and filtering.
Our highly distributed workforce and reliance on SaaS and mobile technology have made the traditional firewall almost obsolete. People are the new security perimeter, and a comprehensive, unified cybersecurity strategy is the only way to keep systems, applications, and data safe.
Backup and Recovery
Colonial Pipeline is proof that a comprehensive backup and recovery plan is essential for business continuity after a disaster. After it paid DarkSide more than $4 million, the decryption key Colonial Pipeline received was essentially useless.
Decrypting data using DarkSide’s key would have caused unnecessary downtime, leading to further disruption to the fuel supply chain. Fortunately, Colonial Pipeline had secure backups available and used them to get its systems back online quickly.
Today’s security landscape makes a 3-2-1-1 backup strategy a business imperative. Ransomware operators have introduced strains that target backup files and encrypt them, leaving them useless for recovery efforts. Adding an air-gapped copy to the traditional 3-2-1 approach (three copies of the data, on two media types, with one copy stored off-site) keeps your business-critical data safely away from the company network, where the ransomware cannot reach it.
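To make the 3-2-1-1 rule concrete, the following added example (not from the original article or from any vendor’s product) evaluates a backup inventory against it. The inventory records and the fields on them (media type, off-site flag, air-gap flag, completion time, restore-test result) are constructed assumptions about what a backup catalogue would record. It also handles the failure mode the passage warns about: copies older than the recovery window are excluded, so a missed tape rotation shows up as a lost air gap rather than passing silently.

```python
"""Evaluate a backup inventory against the 3-2-1-1 rule.

Added example, not from the original article. The inventory below is
constructed; the fields on BackupCopy are assumptions about what a
backup catalogue would record.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str            # "disk", "tape", "object-storage", ...
    offsite: bool         # held away from the primary site
    air_gapped: bool      # offline, or otherwise unreachable from the production network
    completed: datetime   # when this copy last finished successfully
    restore_tested: bool  # a test restore from this copy succeeded


def evaluate_3_2_1_1(copies, now, max_age=timedelta(hours=24)):
    """Return findings as a list of codes; an empty list means the rule is met.

    Copies older than max_age are excluded first: a stale copy does not give
    recovery the recent, complete restore point it needs, so it must not
    count toward the three.
    """
    fresh = [c for c in copies if now - c.completed <= max_age]
    findings = []
    stale = [c.name for c in copies if c not in fresh]
    if stale:
        findings.append("STALE:" + ",".join(stale))
    if len(fresh) < 3:
        findings.append(f"COPIES:{len(fresh)}<3")
    if len({c.media for c in fresh}) < 2:
        findings.append("MEDIA:<2")
    if not any(c.offsite for c in fresh):
        findings.append("OFFSITE:0")
    if not any(c.air_gapped for c in fresh):
        findings.append("AIRGAP:0")  # every copy is reachable from the network
    untested = [c.name for c in fresh if not c.restore_tested]
    if untested:
        findings.append("UNTESTED:" + ",".join(untested))
    return findings


NOW = datetime(2023, 6, 1, 6, 0, tzinfo=timezone.utc)  # constructed review time

# 3-2-1 only: every copy is online, so a strain that targets backup files
# can encrypt all three.
ONLINE_ONLY = [
    BackupCopy("onsite-disk", "disk", False, False, NOW - timedelta(hours=1), True),
    BackupCopy("dr-site-disk", "disk", True, False, NOW - timedelta(hours=2), True),
    BackupCopy("cloud-bucket", "object-storage", True, False, NOW - timedelta(hours=3), True),
]

# 3-2-1-1: the tape copy is off-site and offline, so it is out of reach.
WITH_AIR_GAP = ONLINE_ONLY[:2] + [
    BackupCopy("vault-tape", "tape", True, True, NOW - timedelta(hours=20), True),
]

# Same layout, but the tape rotation was missed: the offline copy is three
# days old, is excluded, and the air-gap requirement is no longer met.
MISSED_ROTATION = ONLINE_ONLY[:2] + [
    BackupCopy("vault-tape", "tape", True, True, NOW - timedelta(days=3), True),
]


def report(label, copies):
    """Print one line per inventory; used when the file is run directly."""
    findings = evaluate_3_2_1_1(copies, NOW)
    print(f"{label}: {'OK' if not findings else ' '.join(findings)}")
    return findings


if __name__ == "__main__":
    report("online-only 3-2-1", ONLINE_ONLY)
    report("3-2-1-1 with tape", WITH_AIR_GAP)
    report("missed tape rotation", MISSED_ROTATION)
```

The findings are short codes rather than sentences so the check can feed a monitoring system as easily as a human reader; a restore-test flag is included because a copy that has never been restored from is an untested assumption, not a recovery plan.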
The Human Element
Human error is a leading cause of security breaches. Fortunately, with proper training and strict security policies in place, it is possible to minimize the impact that poor choices and malicious intent can have on your business-critical systems and data.
Security awareness training should be a standard step in your organization’s new hire onboarding processes. And, because cyberthreats are constantly evolving, training should be an ongoing initiative for all employees to ensure they know how to identify and avoid potential threats and what to do if a breach occurs.
To further protect your networks and data from accidental or malicious user actions, implement and enforce proven identity and access management (IAM) best practices, including:
- Strong password policies
- Frequent account reviews and access cleanup
- Multi-factor authentication
- Zero trust
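The VPN password discussed earlier and the account-review and MFA items in this list come together in a periodic access review. The following added example (not from the original article) runs such a review over a constructed account export; the column names (username, enabled, mfa_enabled, last_login, groups) and the group names are assumptions about what an identity provider might export, not any real product’s format. It flags enabled remote-access accounts that lack MFA, that have not been used within the review window, or that carry privileged group membership over remote access.

```python
"""Access review for remote-access (VPN) accounts.

Added example, not from the original article. The export below is
constructed sample data; the column and group names are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export, not real data.
SAMPLE_EXPORT = """username,enabled,mfa_enabled,last_login,groups
alice,true,true,2023-05-31,vpn-users;engineering
bob,true,false,2023-05-30,vpn-users
legacy-svc,true,false,2022-10-15,vpn-users;admins
carol,false,true,2023-01-10,vpn-users
dave,true,true,2023-05-31,engineering
"""

REVIEW_DATE = datetime(2023, 6, 1, tzinfo=timezone.utc)  # constructed review time
STALE_AFTER = timedelta(days=90)      # no login in 90 days -> candidate for disablement
REMOTE_ACCESS_GROUP = "vpn-users"     # assumed group that grants VPN access
PRIVILEGED_GROUPS = {"admins"}        # assumed privileged groups


def parse_export(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append({
            "username": row["username"],
            "enabled": row["enabled"].lower() == "true",
            "mfa_enabled": row["mfa_enabled"].lower() == "true",
            "last_login": datetime.strptime(row["last_login"], "%Y-%m-%d")
                                  .replace(tzinfo=timezone.utc),
            "groups": set(row["groups"].split(";")),
        })
    return accounts


def review_accounts(accounts, now=REVIEW_DATE):
    """Return {username: [finding codes]} for enabled remote-access accounts.

    Disabled accounts and accounts without remote access are skipped; the
    review is about what can currently be used to reach the network.
    """
    findings = {}
    for acct in accounts:
        if not acct["enabled"] or REMOTE_ACCESS_GROUP not in acct["groups"]:
            continue
        issues = []
        if not acct["mfa_enabled"]:
            issues.append("NO_MFA")            # a stolen password alone is enough to log in
        if now - acct["last_login"] > STALE_AFTER:
            issues.append("STALE_LOGIN")       # unused access that nobody is watching
        if acct["groups"] & PRIVILEGED_GROUPS:
            issues.append("PRIVILEGED_REMOTE") # admin rights reachable over the VPN
        if issues:
            findings[acct["username"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in review_accounts(parse_export(SAMPLE_EXPORT)).items():
        print(f"{user}: {', '.join(issues)}")
```

Run against the sample, the review clears alice, skips carol (disabled) and dave (no remote access), and flags bob for missing MFA and legacy-svc on all three counts. The combination on legacy-svc, an unused remote-access account with no second factor and privileged membership, is exactly the kind of account a periodic cleanup exists to disable before a leaked password makes it useful to someone else.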
Resilience is (not) futile.
Cyber resilience is an organization’s ability to respond to a cyberattack and recover quickly with little to no disruption of operations or data loss. An effective cyber resilience strategy relies on three key components:
- Isolation: Storing air-gapped copies of your data off-site and offline
- Orchestration: Activating incident response processes automatically to quickly contain and neutralize the threat
- Rapid recovery: Ensuring business continuity and disaster recovery processes can restore systems and data quickly
The Colonial Pipeline response to the DarkSide ransomware attack was not exactly the new industry standard for cyber resilience excellence, but in fairness, it could have been much worse.
When DarkSide infiltrated Colonial Pipeline’s network, they paralyzed critical systems and exfiltrated almost 100 gigabytes of data. The result was several days of downtime during which no fuel was flowing and sensitive data could have been sold or publicly exposed.
Having recent, complete backups available for the recovery effort helped Colonial Pipeline get operations back up and running faster than if it had relied on the decryption key. However, a more robust cyber resilience strategy could have reduced the disruption further and helped prevent the data exfiltration.
Don’t become another ransomware statistic.
Ransomware is becoming an accepted risk of doing business, but there is no reason you have to make your organization an easy target. Download “Don’t Become a Statistic: Stay Ahead of Cybercriminals by Implementing a Holistic Ransomware Protection Strategy” to learn proven practices for increasing cybersecurity and cyber resilience and minimizing your ransomware risk factors.