A Fresh Look at the Short and Long-term Impacts of the Colonial Ransomware Attack
On January 1, 1983, the so-called official birthday of the internet, the founders of the internet saw an opportunity to increase mankind’s access to information. This was a noble goal and one that succeeded. But what the internet forefathers did not perceive is easing access to information is not always a good thing.
In the 38 years since the internet first garbled and beeped its way into existence, we have seen numerous viruses and other attacks on corporate and personal information. From “I Love You” to Stuxnet to the many Ransomware variants we are dealing with today, cybercriminals have existed from almost the beginning. Instead of robbing a bank for paper, gold, and gems, these criminals trade-in data, the currency of the 22nd Century.
Data is everything. I remember the early days of information where I needed a copy of a piece of paper to prove I was born, or I had to carry the films of x-rays from one doctor to another. Corporations had aisles of file cabinets that tracked their orders, invoices, material costs, and trade secrets. Today, nearly all that data is digital, and it has value. Cybercriminals can leverage the intrinsic value of data to extort ransoms because we don’t want this information all over the internet.
And in the light of recent ransomware attacks – in particular, the devastating Colonial Pipeline cyberattack – let’s look at some essential notions and components of these issues.
How does a ransomware attack work?
Ransomware attacks are typically what’s known as “click-through” – an employee clicks on an ad or in an email that is fraudulent, and it downloads the ransomware to their computer. But in some cases, cybercriminals will obtain credentials or use brute force to gain entry to a network to land a payload. Once the payload is on a corporate network, the ransomware acts like a virus infecting the computer systems and network devices, but instead of destroying, it encrypts all the files it touches. The ransomware calls back to its originator to let them know it has made an impact and the cybercriminals reach out to the victim and ask for money. This is usually some form of crypto-currency, to buy a decryption key. With the key, the victim can decrypt its files and go back to normal business.
What options do targeted companies or governments have?
If a company or government body is impacted, their main course of action is to restore their files from backups. This can be tedious and, depending on the ransom request, there is a business decision to be made as to whether the effort is worth paying a ransom. The FBI typically tells companies not to pay any ransom, but the FBI isn’t necessarily offering to protect all companies and organizations while backing up their files. So, it ultimately is a business decision. Unfortunately, cybercriminals are constantly evolving, and using DarkSide – or their version of ransomware – can exfiltrate the company’s data as well as encrypt it. The company is faced with exposure as DarkSide promises to release the company data on the net if the ransom is not paid. We have seen a 31 percent increase in ransomware attacks over the last six months or so, and in many cases, companies are paying the ransoms.
What are the implications for the rate at which pipelines and other major industrial infrastructure owners will continue to integrate IoT technologies into their systems?
It remains to be seen how, for example, the recent Colonial attack will impact the oil and gas industry moving forward. The Department of Homeland Security (DHS) oversees protecting the country’s infrastructure and has recommended regulations and requirements. In some cases, as with the electric utility industry, DHS will routinely audit to ensure measures are in place. We will most likely see a more stringent requirement put on oil and gas in the future, but it will take time for the industry to adapt, build those additional costs into their operations, and ultimately become more secure. The utilities I have spoken with are typically operating their industrial infrastructure in closed systems that let very little information be exposed to the internet. With Colonial, the cybercriminals did not hack the pipeline or IoT devices. Instead, they landed ransomware into the corporate operations of Colonial. As a result of a widespread infection, Colonial choose to shut down its pipeline to ensure no spillage from their corporate networks infected their industrial networks.
What are the biggest takeaways from the Colonial incident?
I anticipate increased government regulation, and hopefully, the public outcry that it is no longer acceptable for cybercriminals to continue to get away with these crimes. If we have pirates raiding ships on the northeast coast of Africa, we load up billion-dollar warships and set sail to intercept; we protect our trade routes and attack those pirates until they go away; we work with our international partners to freeze funds and arrest the criminals.
With cybercriminals, we are just now starting to see initiatives aimed at international coordination to snuff out these crimes, but we haven’t seen a concerted effort, at least not visibly. The Biden administration has taken steps to coordinate with our allies internationally, but it remains to be seen how that cooperation will come together. Companies need to take cybercrimes, especially ransomware, seriously and employ means to protect themselves. It will be imperative for threat intelligence sharing forums to be utilized so industries can coordinate and be prepared to take on future cyber threats as well. After the devastating weather impacts on natural gas lines over the last winter and now the attack on Colonial, our nation’s infrastructure is in the spotlight and its resiliency is in question. Increasing the resiliency of our nation’s infrastructure must be made a priority.
Worried about your business’ cyber-protection? Contact email@example.com to schedule a free cybersecurity review with UNCOMN’s experts.