I’ve been getting a lot of emails about this. Most of the questions are the same – Could the same attack that happened to Colonial Pipeline happen to their business, nonprofit or government network? The short answer is yes – everyone is vulnerable to some degree. However, there are steps you can take to help ensure your business, network or office is not low-hanging fruit for hackers. Let’s take a closer look at what happened.
From the research I have gathered, it appears a professional hacking group named DarkSide managed to implant malware on the Colonial network. The details of how this happened are not clear. Typical methods are sometimes as simple as a user clicking on something they shouldn’t have, opening an email attachment they shouldn’t have, or visiting websites they shouldn’t have. You may notice a common theme here, since most attacks get their foothold through user error. Other effective methods of breaching a network include taking advantage of unpatched systems, a lack of security updates, outdated antivirus, etc. There are far too many entry points and methods for me to list here. Suffice it to say, hackers are ingenious at what they do, which is why this is a worldwide multi-billion-dollar problem. The FBI reports a 400% increase in attacks during 2020 over 2019. Keep in mind most attacks are never reported. We only see the big ones that are newsworthy. I can assure you the numbers are not decreasing for 2021.
The malware did two things once it infected the network:
It uploaded an estimated 100 GB of company data to the hacker. This has become a common tactic. It allows the hacker not only to leverage the data in a ransom situation but also to sell that data if the ransom is not paid. Since we are talking about criminals, paying the ransom doesn’t mean they won’t still sell your data. Never forget that. It’s one of the main reasons you should never pay the ransom if it can possibly be avoided. You have no guarantees in a situation like this. It’s called ransomware for a very good reason.
The malware also encrypted the data it touched. This means the data is useless to the company because it is rendered unreadable. Decryption is required to unlock the data, and there is only one decryption key, which belongs to the hacker.
Let’s put this into real-world perspective. Imagine you came to work and noticed all of your files were unreadable. You couldn’t open Word, Excel or PDF documents, your database, your HR records, invoices, or even your QuickBooks file. Even your email may be compromised. That would devastate most businesses. To make it worse, you had a note on your computer saying you had to pay $847,000 to get your data back. That was the AVERAGE ransomware request in 2020. Now let’s make it even worse. The criminals have threatened to sell your HR and payroll data on the dark web. In addition, they are posing as you and sending out emails to all your clients with the same malware attached. Now your clients are also infected, and guess who they are going to blame. The hackers have copies of all your files, tax documents, payroll reports and your customer lists, so this is a very real threat. Your customers may choose to never do business with you again. That’s precisely why over 50% of companies suffering an attack go out of business. I cannot overemphasize how important it is to protect yourself. Hope is not a strategy.
So what did Colonial Pipeline do? They were in a very bad position, and the East Coast was being crippled because they could not deliver fuel. Against FBI recommendations, they paid a $5 million ransom to the DarkSide group to get that critical decryption code. At the same time, they hoped DarkSide would be “ethical criminals” and not put their data on the dark web. That last part is still to be determined. We do know the decryption process was so slow that it was actually quicker to restore systems from backup. The $5 million was basically wasted, in my humble opinion.
The pipeline is operational again but the damage was severe in several ways:
1. They could not pump fuel for several days, so that meant no income
2. They paid $5 million in ransom which only supports and encourages more criminal activity
3. They put several states into a state of emergency due to fuel shortages
4. They have no idea if the stolen data will be sold on the dark web
5. They have no idea if the stolen data will be used against them for additional ransom. A smart hacker must assume if you pay once then you might very well pay again.
6. Based on last year’s profits of $420 million, I would estimate the outage cost the company a minimum of $7 million in net income. The figure is probably much higher.
Fortunately, some good did come of this. Although ransomware and hacking have been in the news constantly, this hit home right here at the gas pump, so it is getting local attention. Businesses are asking how to protect themselves, since EVERYONE is a target for cybercrime. It doesn’t matter what your company size is. Many attacks are done by casting a big net and hoping for a hit. Sometimes the hackers get a big fish like Colonial, but we often see small companies right here in central North Carolina getting stung as well. Since over 90% of attacks are because of user error, you must protect your business from these threats. This includes educating your staff on what a threat looks like. An attack on your business may not bring down the East Coast fuel supply, but it can severely impact your ability to serve your clients and can literally put you out of business. Even the federal government finally woke up, and an executive order was signed on Wednesday, May 12th, acknowledging cybercrime as a very real threat to BOTH private and public entities.
I’ve been on a personal mission for the past two years to educate business owners, government leaders and nonprofits about these threats. Nothing pains me more than having the “I told you so” conversation, but it still happens frequently. I’ve seen hundreds of thousands of dollars lost due to cybercrime right here in our area. There are some very effective steps you can take to protect your data, your business, your livelihood, and your staff from these threats. The criminals are hoping you ignore the threats, since that just makes it easier for them to get in. Please check with your IT department or IT provider to double-check your security. Do not assume everything is in order. The hackers are counting on finding holes in your system, so it is your responsibility to make sure those holes are closed. Here are some free things (best practices) you can do immediately.
Poke holes in my Security Stack, or offer additions I am missing? : msp (reddit.com)
If you are comfortable doing so, please apply the best practices first. However, these are just the first steps in securing a network. To learn more, ComTech offers a free consultation and analysis of your network security. The findings will show not only what data is vulnerable to ransomware, but also what data can be stolen and used against you. The results can be quite eye-opening.
For more information on the pipeline attack, here is a link to a news source that dives into much deeper detail: Colonial Pipeline attack: Everything you need to know | ZDNet