Colonial Pipeline - A Ransomware Attack Hits Close To Home
If you had never heard of the Colonial Pipeline Company before last week, chances are that you have heard about it now. Sitting in your car waiting in long lines to fill up at your local gas station hoping they don't run out is likely not something you have experienced unless you are old enough to remember the gas shortages of the 1970s. Colonial Pipeline was attacked with a ransomware variant from the Ransomware as a Service (RaaS) group DarkSide, causing Colonial Pipeline to take certain systems offline, halting pipeline operations which transport approximately 100 million gallons of fuel daily to 14 states from Texas to New York.
Ransomware is a form of malicious software (malware) that blocks user access to a device or files, usually by encryption until the victim pays a ransom. Once a victim's files are encrypted, attackers explain how to pay the ransom (in cryptocurrency) and unlock the files with a decryption key. Although it has been around for decades, ransomware has become increasingly prevalent, and with so many variants available, it can now be distributed using an RaaS model similar to that used by Darkside, allowing even novice cybercriminal affiliates to launch attacks using already-developed ransomware. These models vary in their payment structure, but are similar to Software as a Service (SaaS) structures in which affiliates can sign up for a one-time fee, a monthly subscription, or on a commission basis allowing the affiliate to keep a percentage of successful ransom payments. Ransomware is traditionally delivered through phishing emails which can be very convincing, or through exploit kits used by hackers to exploit software vulnerabilities (such as when a victim visits a compromised website), or through "free" versions of software.
According to a recent report by Sophos, the average ransomware recovery costs for businesses have more than doubled in the past year, from $761,106 in 2020 to $1.85 million in 2021. Costs include the ransom payment, business downtime, employee time, device costs, network costs, lost business, and other associated costs. Additionally, while the number of organizations who paid to get their data back increased over the last year from 26% of organizations in 2020 to 32% in 2021, only 8% of organizations received all their data back after paying the ransom. On average, organizations that paid received only 65% of their data, with 29% getting back no more than half their data, according to the report.
According to a report by global insurer Beazley, recent trends indicate that ransomware incidents are becoming more complex than the traditional attack designed to trick an employee into clicking on a bad email that encrypts a workstation and file shares. Today's incidents are more likely to involve threat actors who gain access to computer networks to install highly persistent malware that targets data backups and exfiltrates the data. This is part of the "double extortion" strategy apparently used by DarkSide, where a victim's data is not only encrypted and held for ransom, but is first exfiltrated with the threat of being made public if the victim refuses to pay. This effectively undermines data backups as an effective remediation tactic by the victim because the victim is still faced with having to pay in order to avoid the release of sensitive data.
Protecting against ransomware is a multi-layered approach that requires advanced preparation that includes: maintaining an up-to-date cyber security incident response plan and disaster recovery/business continuity plan; conducting regular employee training to recognize phishing emails; managing access to systems across the organization and properly configuring systems and devices; securing remote access to networks; establishing secure offline backups; encrypting data at rest; use of multi-factor authentication and strong passwords; constant monitoring of systems for network intrusions; maintaining images of critical systems in the event they have to be rebuilt; retaining backup hardware; and staying current with vulnerability patches for systems and applications. Implementing these strategies, and others, will increase the ability of businesses to defend against the increasing ransomware threat.
Businesses hit by ransomware shouldn't go it alone. The professionals at WRVB can help your business prepare for and respond to a ransomware attack. Contact us for more information.