On May 7, an employee of Colonial Pipeline found a ransomware attack note from hackers on a control-room computer. By that evening, Colonial paid DarkSide $4.4 million in Bitcoin for a key to unlock its files. “I will admit that I wasn’t comfortable seeing money go out the door to people like this,” CEO Joseph Blount told the Wall Street Journal.
How Did This Ransomware Attack Happen?
That kind of ransom would be the death of many small and medium-sized businesses. Details of what occurred are not public and may never become public. Most companies do not explain what occurred in a cyberattack for a lot of reasons, but it’s pretty easy for a cybersecurity analyst to guess. We can infer that the attack came through one of these three vectors:
- Direct penetration through an old, unpatched vulnerability in a public-facing system such as an email or web server (the recent Microsoft Exchange vulnerability is a possible candidate).
- A phishing email that tricked an employee into downloading a Trojan horse containing the ransomware.
- The use of login credentials that were leaked in an earlier breach and later purchased or obtained elsewhere, because an employee re-used the same password at work as on a public website that had been breached.
Did Executive Management React Appropriately?
Furthermore, the ransomware attack was exacerbated by what was likely an overreaction on the part of executive management. The attack only hit an isolated portion of their network involved with billing and did not actually put pipeline operations at risk, according to outside security research. The CEO made the decision to shut down the pipeline anyway out of an abundance of caution, and that decision caused the supply disruptions, not the ransomware attack itself.
Should You Negotiate With Hackers?
Ransomware is fundamentally different from most breaches in that attackers don’t steal or extract information from your network. Instead, they encrypt your files and hold them for ransom until you purchase a decryption key from them. Here’s the big secret nobody is talking about: You don’t have to pay. With the right backup policies and rapid detection and response, you can recover your data from backups the same day, at no cost (not even extra fees to us), and be back to work faster than you could negotiate with hackers.
How Connetic Protects Your Data from Ransomware Attacks
We protect our customers from ransomware attacks in many ways:
- We perform security audits for all new customers and put in place remediations to patch all old software (or isolate it from the internet if that’s not possible).
- We enable all possible email protections to reduce spear-phishing spam and engage spear-phishing resistance training.
- We remove the administrator access on end-user computers that ransomware needs in order to execute.
- We enforce strong, unique passwords and multi-factor authentication to eliminate credential theft.
- We put in place real-time backups capable of completely recovering from malware attacks without losing data.
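The two claims above that carry the most weight, that a good backup lets you recover rather than pay, and that rapid detection tells you a ransomware run has started, both rest on knowing what your files looked like before the attack. The following is an added example, not Connetic's code or tooling, showing the minimal mechanism behind both: a SHA-256 manifest recorded at backup time is used to verify that a restored tree matches the backup byte for byte, and to flag files that have changed since the backup and now contain near-random (encrypted-looking) data, along with files that did not exist at backup time (ransom notes, dropped tools). All paths, file names, the "billing" directory and the ransom-note name are constructed for the demonstration.

```python
"""Backup manifest, restore verification and mass-encryption detection.

Added example (not Connetic's code). A hash manifest taken when the backup
runs serves two purposes: verifying a restore, and spotting files that have
changed since the backup AND now look encrypted, which is the trace a
ransomware run leaves on a file tree.
"""
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

SAMPLE_BYTES = 65536        # entropy is measured on the first 64 KiB of a file
ENTROPY_THRESHOLD = 7.5     # bits per byte; encrypted or random data is close to 8.0


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def file_entropy(path: Path) -> float:
    with path.open("rb") as f:
        return shannon_entropy(f.read(SAMPLE_BYTES))


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a tree against the manifest recorded at backup time."""
    current = build_manifest(restored)
    missing = sorted(set(manifest) - set(current))
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    return {"ok": not missing and not modified, "missing": missing, "modified": modified}


def find_encryption_suspects(manifest: dict, live: Path) -> dict:
    """Files that differ from the backup and now have near-random content,
    plus files that did not exist at backup time.

    Entropy alone is a weak signal (archives, images and already-encrypted
    documents are naturally high-entropy), so it is only applied to files
    that also changed since the backup."""
    current = build_manifest(live)
    encrypted = [p for p in manifest
                 if p in current and current[p] != manifest[p]
                 and file_entropy(live / p) >= ENTROPY_THRESHOLD]
    return {"encrypted": sorted(encrypted),
            "new_files": sorted(set(current) - set(manifest))}


def demo() -> dict:
    """Constructed scenario: back up a small tree, simulate a ransomware run,
    detect it, and verify that the backup copy still matches the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "billing").mkdir(parents=True)
        (live / "billing" / "invoices.csv").write_text("id,amount\n" + "1001,42.50\n" * 40)
        (live / "readme.txt").write_text("Quarterly billing export. " * 20)

        manifest = build_manifest(live)                 # what the backup job records
        backup = Path(tmp) / "backup"
        shutil.copytree(live, backup)                   # the backup copy itself

        # Simulated attack: one file overwritten with random bytes, one note dropped.
        (live / "billing" / "invoices.csv").write_bytes(os.urandom(4096))
        (live / "README_FOR_DECRYPT.txt").write_text("constructed ransom note")

        return {
            "detection": find_encryption_suspects(manifest, live),
            "live_after_attack": verify_restore(manifest, live),
            "restore_ok": verify_restore(manifest, backup)["ok"],
        }


if __name__ == "__main__":
    print(demo())
```

In a real deployment the manifest would be written by the backup job and stored with the backup, off the hosts it describes, so that the same encryption that hits the files cannot also hit the record of what they should be; the restore check is what turns "we have backups" into "we can be back to work today".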
We know our techniques work because our monitoring systems show these kinds of attacks being attempted against our customers all the time, and we see them all fail.
At Connetic, our fixed-price, unlimited IT support services model keeps us constantly searching for ways to keep our customers safe. Contact Connetic’s IT services team to learn more about how you can benefit from Connetic’s extensive experience and exceptionally managed IT services.