How Colonial Pipeline managed its ransomware attack
#1, posted by Bug, quoting:
[Image: pipeline-ransomware-mitigation-featured.jpg]

Should you contact authorities about ransomware?

The recent ransomware attack on Colonial Pipeline, the company that controls the pipeline network supplying fuel to a large chunk of the US East Coast, is one of the most high-profile in living memory. Understandably, the details of the attack have not been made public, but some scraps of information have found their way into the media, and from that we can derive at least one lesson: Promptly informing law enforcement can reduce the damage. Of course, not everyone has a choice — in some states victims are obligated to inform regulators. However, even where that is not required, such a move may be useful.

The attack

On May 7, ransomware hit Colonial Pipeline, which operates the largest fuel transfer pipeline on the US East Coast. Employees had to take some information systems offline, partly because some computers were encrypted, and partly to prevent the infection from spreading. That caused fuel-supply delays along the East Coast, sparking a 4% rise in gasoline futures. To mitigate the damage, the company plans to increase fuel deliveries.

The company continues to restore its systems, but according to sources on the Zero Day blog, the problem lies less in the service networks than in the billing system.

Federal lockdown

Modern ransomware operators not only encrypt data and demand ransom to decrypt it, but also steal information as leverage for extortion. In the case of Colonial Pipeline, the attackers siphoned off about 100GB of data from the corporate network.

However, according to the Washington Post, external incident investigators quickly figured out what had happened and where the stolen data was, and then contacted the FBI. The feds, in turn, approached the ISP that owned the server holding the uploaded information, and had it isolated. As a result, the cybercriminals may have lost access to the information they stole from Colonial Pipeline; that quick action at least partially mitigated the damage.

Knowing that happened doesn’t bring the company’s main pipelines back online, but the damage, though considerable, could have been far worse.

Attribution

It seems the company was attacked by DarkSide ransomware, which can run on both Windows and Linux. Kaspersky products detect the malware as Trojan-Ransom.Win32.Darkside and Trojan-Ransom.Linux.Darkside. DarkSide uses strong encryption algorithms, making data restoration without the right key impossible.

On the surface, the DarkSide group looks like an online service provider, complete with helpdesk, PR department, and press center. A note on the perpetrators’ website says their motivation for the attack was financial, not political.
...