How Colonial Pipeline managed its ransomware attack

Should you contact authorities about ransomware?

The recent ransomware attack on Colonial Pipeline, the company that controls the pipeline network supplying fuel to a large chunk of the US East Coast, is one of the most high-profile in living memory. Understandably, the details of the attack have not been made public, but some scraps of information have found their way into the media, and from that we can derive at least one lesson: Promptly informing law enforcement can reduce the damage. Of course, not everyone has a choice — in some states victims are obligated to inform regulators. However, even where that is not required, such a move may be useful.

The attack

On May 7, ransomware hit Colonial Pipeline, which operates the largest fuel transfer pipeline on the US East Coast. Employees had to take some information systems offline, partly because some computers were encrypted, and partly to prevent the infection from spreading. That caused fuel-supply delays along the East Coast, sparking a 4% rise in gasoline futures. To mitigate the damage, the company plans to increase fuel deliveries.

The company continues to restore its systems, but according to sources on the Zero Day blog, the problem lies less in the service networks than in the billing system.

Federal lockdown

Modern ransomware operators not only encrypt data and demand ransom to decrypt it, but also steal information as leverage for extortion. In the case of Colonial Pipeline, the attackers siphoned off about 100GB of data from the corporate network.

However, according to the Washington Post, external incident investigators quickly figured out what had happened and where the stolen data was, and then contacted the FBI. The feds, in turn, approached the ISP that owned the server holding the uploaded information, and had it isolated. As a result, the cybercriminals may have lost access to the information they stole from Colonial Pipeline; that quick action at least partially mitigated the damage.

Knowing that happened doesn’t bring the company’s main pipelines back online, but the damage, though considerable, could have been far worse.

Attribution

It seems the company was attacked by DarkSide ransomware, which can run on both Windows and Linux. Kaspersky products detect the malware as Trojan-Ransom.Win32.Darkside and Trojan-Ransom.Linux.Darkside. DarkSide uses strong encryption algorithms, making data restoration without the right key impossible.

On the surface, the DarkSide group looks like an online service provider, complete with helpdesk, PR department, and press center. A note on the perpetrators’ website says their motivation for the attack was financial, not political.

DarkSide's reaction to the media

The DarkSide group uses a ransomware-as-a-service model, providing software and related infrastructure to partners that carry out the attacks. One of those partners was responsible for targeting Colonial Pipeline. According to DarkSide, the group did not intend to cause such serious social consequences, and it will henceforth keep a closer eye on which victims its “intermediaries” choose, but it’s hard to take one statement in a long list of PR tricks too seriously.

How to stay safe

To protect your company from ransomware, our experts recommend the following:

  • Prohibit unnecessary connections to remote desktop services (such as RDP) from public networks, and always use strong passwords for such services;
  • Install all available patches for VPN solutions that you use to connect remote workers to the corporate network;
  • Update software on all connected devices to prevent vulnerability exploitation;
  • Focus defense strategy on detecting lateral movement and data exfiltration, with special attention to all outbound traffic;
  • Back up data regularly and make sure that in case of emergency you have ready access to the backups;
  • Leverage threat intelligence data to stay up-to-date on attack tactics, techniques, and procedures;
  • Use security solutions such as Kaspersky Endpoint Detection and Response and Kaspersky Managed Detection and Response that help stop attacks early on;
  • Train employees to mind the security of the corporate environment;
  • Use a reliable solution for endpoint protection that counters exploits and detects anomalous behavior and can roll back malicious changes and restore the system.

The Colonial Pipeline example shows the advantage of contacting legal authorities — and quickly. There’s no guarantee they’ll be able to help, of course, but it might just minimize the damage.

Tips