Colonial Pipeline Attack: Breaking it down
Ransomware attacks are particularly nasty, not just because there’s a monetary demand involved but also because the attacker seizes control of a system. Ransomware might render a computer system unusable, locking out access or encrypting hard drive data and making it inaccessible.
This can have detrimental effects on anyone or any business, but nothing compares to the damage caused when ransomware attacks hit mission-critical systems — like the Colonial Pipeline hack.
The Colonial Pipeline ransomware attack is one of the most recent and high-profile cybersecurity events affecting a public or private organization. However, what’s most frightening about it is the implications it has for the future of digital technologies.
Nefarious actors launched an attack on the Colonial Pipeline using something called DarkSide ransomware. They successfully gained access to the company’s systems, stealing data and locking down terminals and computers. They requested a ransom payment for returning the data and systems access.
The Colonial Pipeline complied and paid a $5 million ransom in bitcoin. It then publicly announced the attack, and in the interest of safety, shut off system servers and the use of some of its pipelines. Not long after, it made an additional announcement about how it would be handling system restarts.
It’s around this time that the FBI became involved, confirming DarkSide ransomware was used. The company also talked about mitigation strategies and later announced the recovery of $2.3 million in bitcoin. The full ransom was not recovered.
What Is DarkSide Ransomware?
While it may sound like a notorious hacking group, DarkSide is actually a ransomware package or program. Similar to software-as-a-service, DarkSide is ransomware-as-a-service. When it’s deployed and used by hackers, the RaaS developers get a share of the proceeds.
DarkSide actors deploy attacks and target organizations for financial gain. Most of the time, they gain access through smart social engineering or phishing, which involves tricking legitimate users into sharing access or providing their credentials.
Some of the first activities perpetrated by the group can be traced back to dates between August and November 2020 . However, the ransomware had been around for much longer — as far back as 2019.
Interestingly, the DarkSide group does follow a loose code of morals and refuses to attack hospitals and schools. They also carry out these attacks for commercial and financial gain and are not tied to any one country or region. They have even tried to donate money to charity in the past
What Does This Mean? What Can We Learn From This Attack?
While no system is completely invulnerable, and there will always be ways to gain access, following even some of the most basic cybersecurity protocols can mitigate and thwart potential attacks. Using strong passwords, deleting old accounts, monitoring user authentication and updating software are just some of the recommended strategies.
When hit by a ransomware attack, the ransom should not be paid. There are no guarantees the hackers will return access to the systems or data. That would mean the payment goes out, and nothing is exchanged in return.
Backups of data and systems are one of the best ways to protect against this. The data may be compromised after an attack, but companies can regain access, and there’s no need to comply with any ransom demands.
Adept individuals may recognize the WannaCry ransomware attack from 2017, which compromised hundreds of thousands of computers and systems, including those operated by the National Health Service. The ransomware was able to wreak so much havoc merely because of outdated software. If the affected systems had been updated and outfitted with the proper security patches, the widespread attack never would have happened.
It’s remarkably similar to the Colonial Pipeline hack, except the actors were able to use phishing to their advantage. They gained access by using a virtual private network account, which was no longer in use and had its password compromised during a much earlier breach . The password likely had been used for other accounts, and when the affected one was no longer in service, no one thought to revoke access or remove it. It’s an egregious mistake and one that definitely could have been avoided.
It shows that while they are somewhat unpredictable, there is a method behind the madness.
It’s Time to Start Taking Cybersecurity Seriously
Hopefully, the event means that not just organizations are paying attention, but also federal agencies and any parties responsible for national security and digital operations. Employee and personnel training on cybersecurity will go a long way toward shoring up some of the vulnerabilities that are so common.
With a bit of prevention, the damage inflicted by ransomware attacks can be minimized or even avoided altogether.
Cybercriminals use ransomware to block organizations from accessing their critical business data to extort ransoms. Data encryption protects data wherever it resides. The encrypted data becomes obsolete as encryption makes it difficult for the ransomware to detect it and attack.
A good data backup & restoration strategy and a DRM solution are the key factors when companies want to respond to ransomware attacks. These allow companies to restore the data encrypted during the attack.
As the hackers threaten to publish the company’s confidential data to the internet, only DRM can prevent this data leakage, as confidential data is protected independently of the exposure.
To learn more about how SECUDE can help you protect your critical SAP and CAD/PLM data from ransomware attacks, write to us at firstname.lastname@example.org .