
Ransomware Temporarily Disrupted – But More

Action is Required
By Hubert Yoshida posted 05-18-2021 21:53

Colonial Pipeline, which supplies gasoline and jet fuel to the eastern United States, has resumed operation of the pipeline that was shut down by a ransomware attack on May 7. The shutdown created widespread fuel shortages and panic buying in major cities along the East Coast. Colonial Pipeline returned to operation on May 15, after reportedly paying 75 bitcoin, or about $5 million, to the hackers, according to Bloomberg. In earlier reports, the company had said that it would not pay the ransom. In actuality, Bloomberg reports that the company paid the hefty ransom in cryptocurrency within hours of the attack, due to the immense pressure it faced to get gasoline and jet fuel flowing again to major cities along the East Coast. Although the official position of the U.S. Government is not to pay any ransom, a person familiar with the situation said U.S. government officials were aware that Colonial made the payment. Most industry executives believe that the extent of the impact on critical infrastructure left Colonial with no choice but to pay the ransom.

The hack occurred on May 7, and Colonial shut down operations in order to ensure that the ransomware did not also expose the operational systems to damage or override. The FBI blamed the attack on DarkSide, a cybercriminal gang believed to be based in Eastern Europe. Although decryption tools were made available almost immediately, bringing the operation back online took careful planning, since the networks that control the distribution of different types of fuel had to be restored in a deliberate sequence. Even though the pipeline is fully operational, it will take time to backfill the various distribution points.

The reaction to this attack may have been more than DarkSide expected. Normally ransomware attacks are under-reported. However, this one had such an immediate impact on the United States' critical infrastructure that President Biden signed an executive order on cybersecurity, citing the recent SolarWinds and Microsoft Exchange hacks in addition to the Colonial Pipeline attack.

The executive order is designed to "disrupt their (hackers) ability to operate," including a new task force dedicated to prosecuting ransomware hackers. The intent is to increase training and funnel more resources into identifying hackers, while improving intelligence sharing and "links between criminal actors and nation-states." The task force will also target the ecosystem behind such criminals, with prosecutions, disruptions, and curbs on services like the forums that advertise their services.

On May 14, Intel471.com observed numerous ransomware operators and cybercrime forums either claiming that their infrastructure had been taken offline, amending their rules, or abandoning ransomware altogether, due to the large amount of negative attention directed their way over the past week. DarkSide, which has been named as the group responsible for the Colonial Pipeline incident, also passed an announcement to its affiliates claiming that a public portion of the group's infrastructure was disrupted by an unspecified law enforcement agency. The group's name-and-shame blog, ransom collection website, and breach data content delivery network (CDN) were all allegedly seized, while funds from its cryptocurrency wallets were allegedly exfiltrated. In the meantime, the value of 75 bitcoin has declined from nearly $5 million to $3.3 million in the past week.

This disruption of ransomware is probably temporary, and ransomware will return with even greater vigor in a short time. While law enforcement agencies can make it tougher to collect the rewards of ransomware, the real deterrent lies with each organization. It is up to organizations to implement the type of cyber-security that is appropriate and proportionate. Encryption of sensitive data, multifactor authentication, object storage, backups, and maintenance updates are all good practices for preventing ransomware. The biggest attacks usually come through email, where employees are tricked into downloading malware. Recently, hackers have also gotten in through weaknesses or compromises in third-party software, as in the SolarWinds hack.

While ransomware attacks have largely been a monetary exposure, the Colonial Pipeline hack has exposed the greater danger of an operational attack that could cripple critical infrastructure and impact national security. Critical infrastructure is only as secure as its weakest link, and many of those links are in the private sector and across geopolitical boundaries. It requires all of us to ensure the cyber-security of our systems.
