Colonial Pipeline Ransomware Attack: What We Know

On May 7th, Colonial Pipeline experienced a ransomware attack that shut down the largest supplier of gasoline to the South. This led to widespread panic-buying of gasoline across the southern United States. In Triaxiom’s home state of North Carolina, 71% of gas stations were without gasoline according to GasBuddy. In this blog, we will explore what we know so far.

Who is Colonial Pipeline?

Colonial Pipeline (colpipe.com) is the largest refined products pipeline in the US. They transport more than 100 million gallons of gas per day. This includes various grades of gasoline, diesel fuel, jet fuel, and US military fuels. In total, this pipeline spans 5,500 miles from Texas to New Jersey.

The states experiencing a gas shortage as a result of the attack are primarily the ones in the middle, comprising the South. This includes Virginia, North and South Carolina, Georgia, Alabama, Mississippi, and Louisiana. The states on the gulf are slightly less affected as their ports contribute a large volume of the gas for their states.


What Happened

A ransomware attack is when an attacker gains administrative control over a network and uses that privileged access to encrypt the files and operating systems. The attacker then sends a message to the owner promising to decrypt everything if a ransom is paid, hence the term ransomware. Further, in this instance, the attack was reported by Bloomberg as a double extortion scheme. In a double extortion scheme, the attackers first steal sensitive information, 100 GB of data in this case, and then demand payment both for getting things back online and for not releasing the sensitive information publicly.

The FBI was quick to attribute this attack to a criminal group known as DarkSide. This criminal group is based out of Russia, but according to the FBI this was not endorsed by Russia or a “nation-state attack.”

In a bizarre twist, DarkSide came out and said their goal was simply to make money, and they will choose their targets more carefully next time. They deny the attack was meant to shut down the pipeline and said there was no political motivation. Something tells me Russia was not happy with DarkSide and made them apologize before the US sanctioned them (personal opinion).

When Did All This Happen

  • Friday, May 7 – Colonial Pipeline reports ransomware.
  • Monday, May 10 – Colonial Pipeline updates and says they are working to bring systems online incrementally.
  • Tuesday, May 11 – Colonial Pipeline releases another update stating they are working around the clock.
  • Thursday, May 13 – Colonial Pipeline states that operations have restarted, but it will take a few days for the supply chain to return to normal.
  • Thursday, May 13 – Bloomberg reports that Colonial Pipeline paid the ransom of nearly $5 million.

How Did the Attackers Get In

So far, we don’t know the answer to this. Commonly, ransomware gets in either through an externally exposed system that is missing a critical security patch and can be exploited, or, even more commonly, through social engineering. When Triaxiom performs our most sophisticated social engineering attacks designed to steal an employee’s password, it works around 80% of the time. An attacker can then use that password on the VPN to gain access to the internal network.

Why This Matters

Unfortunately, ransomware isn’t going anywhere. As you saw from this example, if Bloomberg is right, the attackers made off with 5 million dollars. Additionally, due to international jurisdictions and the red tape that comes with cyber attacks, it is very unlikely DarkSide will ever see their day in court. BitDefender, a next generation endpoint protection company, reported a 715% increase year over year in ransomware attacks. Further, we are seeing an increase in double extortion schemes, where attackers steal all the files before encrypting your network. This gives them a better chance of you paying the ransom.

Further, as this was such a high-profile event, we can expect the Biden administration to put a heavier emphasis on security. Already on Wednesday, President Biden signed an executive order designed to improve federal cybersecurity, noting that these agencies need to lead by example. A Cybersecurity Safety Review Board will also be established. So we can expect a trickle-down of requirements as the government takes steps to require more stringent security.

How Do I Protect My Company?

I thought you would never ask! We have written a few blogs on the subject: one is an intro to ransomware and one talks about the importance of backups. However, to summarize at a high level, it boils down to a few key concepts.

  • Prevent – The first and most obvious goal is to prevent ransomware from getting a foothold on your network. You can do this by reducing the risk from social engineering and from an external attacker. To reduce the risk of social engineering, the key is to have ongoing social engineering testing to slowly raise awareness and to engage in highly targeted awareness training for your employees. To reduce the risk of an attacker gaining access from your perimeter, it comes down to limiting your attack surface as much as possible, having proper patch management, and employing multi-factor authentication on all externally exposed logins.
  • Detect – It is vital to identify and contain an attacker before they can spread. This is a massive topic, but it includes things like next generation antivirus, proper logging and alerting, honeypots, and a really good response team who can tailor, analyze, and respond to these alerts.
  • Respond – Once you detect ransomware, you need to contain it quickly before chaos sets in. Segmentation is a vital control that will slow down the spread, giving you a chance to respond. Also, you need to have an incident response plan that you are regularly practicing.
  • Restore – We have a whole blog dedicated to this, but with ransomware, you need to have a full backup somewhere offline that is unreachable by an attacker. Consider an attacker who is able to gain full domain administrator privileges on your network: can they get to your backups? What if they go to your computer and deploy a keylogger or dump your Google Chrome saved passwords? Have you met with your C-level execs to give them an understanding of what will be restored, what order everything will be restored in, and what timeline they can expect to have everything back up?
  • Assess – It is vitally important to assess your risk to ransomware. This should be a continuous process, where you update security controls and then re-evaluate. This helps you to understand your risk, identify any holes, and justify to upper management the budget or changes you need to make. This can include a social engineering engagement, an external penetration test to evaluate the risk of an attacker gaining access, and/or an internal penetration test to see what happens if ransomware does gain access. Once you think you have a mature security program in place and want to test your ability to respond to an attack, then I would consider a red team engagement.
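To make the Detect and Respond points concrete, here is a small added example (written for this post, not Triaxiom’s tooling or anything from the incident) of the kind of alerting logic that sits behind "honeypots" and "proper logging and alerting". It assumes an endpoint agent already emits one event per file write with the writing process, the path and the bytes written; the canary path, the thresholds and the process names are assumptions, and the events at the bottom are constructed for the example. Two signals are checked: any write to a honeypot (canary) file that no legitimate process should touch, and a burst of encrypted-looking (high-entropy) rewrites of many distinct files by a single process within a short window, which is what mass encryption looks like from the file system's point of view.

```python
import math
import random
from collections import defaultdict
from dataclasses import dataclass

# Honeypot files that no legitimate process should rewrite (assumed paths).
CANARY_PATHS = {"/shares/finance/~do_not_touch.xlsx"}
BURST_THRESHOLD = 20      # distinct files rewritten by one process within one window
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted output sits close to 8.0
WINDOW_SECONDS = 10.0


@dataclass(frozen=True)
class WriteEvent:
    ts: float       # seconds since agent start
    process: str    # image name reported by the agent
    path: str
    data: bytes     # bytes written (a real agent would report a sample, not the whole file)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the empirical byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect(events):
    """Return sorted (process, reason) alerts for canary hits and encryption-like bursts."""
    alerts = set()
    high_entropy = defaultdict(list)   # process -> [(ts, path)] of encrypted-looking writes
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.path in CANARY_PATHS:
            alerts.add((ev.process, "canary file modified"))
        if shannon_entropy(ev.data) >= ENTROPY_THRESHOLD:
            high_entropy[ev.process].append((ev.ts, ev.path))
    for proc, writes in high_entropy.items():
        # Sliding window anchored at each write: how many distinct files were
        # rewritten with encrypted-looking content within WINDOW_SECONDS?
        for i, (t0, _) in enumerate(writes):
            window = {p for t, p in writes[i:] if t - t0 <= WINDOW_SECONDS}
            if len(window) >= BURST_THRESHOLD:
                alerts.add((proc, "burst of high-entropy writes"))
                break
    return sorted(alerts)


def sample_events():
    """Constructed events: one editor, one backup job, one hypothetical encrypting process."""
    rng = random.Random(1234)
    HIGH = bytes(rng.getrandbits(8) for _ in range(4096))   # stands in for ciphertext
    LOW = b"Quarterly report text, line " * 100              # ordinary document text
    events = [WriteEvent(0.0, "winword.exe", "/shares/finance/q1.docx", LOW)]
    # Backup job: high-entropy (compressed) output, but only a handful of files -> no alert.
    events += [WriteEvent(10.0 + i, "backup.exe", f"/backups/vol{i}.bin", HIGH) for i in range(5)]
    # Hypothetical process rewriting 25 documents in about 7 seconds, then touching the canary.
    events += [WriteEvent(100.0 + i * 0.3, "proc-7f3a.exe", f"/shares/finance/doc{i}.docx", HIGH)
               for i in range(25)]
    events.append(WriteEvent(108.0, "proc-7f3a.exe", "/shares/finance/~do_not_touch.xlsx", HIGH))
    return events


def run_example():
    return detect(sample_events())


if __name__ == "__main__":
    for proc, reason in run_example():
        print(f"ALERT {proc}: {reason}")
```

Running it flags only the hypothetical process, twice: once for the burst and once for the canary. The backup job produces equally high-entropy output but touches too few files to trip the burst rule, which is why the window and the distinct-file threshold matter more than entropy alone; in practice you would tune both against your own file servers, and the alert would feed the response step (isolating the host and the account that ran the process) rather than just a log line.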