On Saturday, May 8, 2021, Colonial Pipeline – which supplies as much as 45% of the US East Coast’s petroleum needs – announced to the country that it was the victim of a cyber attack which involved a ransomware infection. By now, the news has disseminated across the nation and sparked concerns about gas shortages that led to now-infamous reports of unprecedented hoarding, yet the real story did not end with leaky plastic bags. In fact, it has evolved substantially since then and has prompted significant response from so many of the parties involved, from federal law enforcement to cybersecurity professionals and experts to cryptocurrency investors, to even the hackers themselves.
Below is a breakdown of the Colonial Pipeline incident and a few ways it has redefined the ransomware landscape:
The Evolution of the Colonial Pipeline Story and Its Fallout
The way the Colonial incident has been reported seems to have had nearly as much impact across the globe as the facts of the story itself, with every new detail fueling more observation, speculation and eventually real-world consequences. There have been a few predictable revelations and actions taken in response to the very public cyber attack by the Russian group DarkSide, but these are being overshadowed by many seemingly unprecedented surprises and the fallout they have generated. Underneath the ripples of shock, however, are many important lessons for businesses and institutions everywhere about the cybercriminal ecosystem and persistent cybersecurity.
Compromised Password to a Legacy VPN That Lacked MFA
After discovering the breach, Colonial Pipeline contracted FireEye Mandiant (you may recognize the first part of the name from the SolarWinds hack) and other firms to help investigate and resolve the incident. They uncovered that the company had been exposed through an employee’s old password for a legacy VPN that was no longer in use and whose access should have been removed. As the system lacked MFA (multi-factor authentication), all the hackers had to do was obtain the leaked credentials to find a way in – a common scenario with victims of phishing attacks.
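As a defender's check on the two conditions described above (lingering access to a retired VPN and accounts without MFA), here is an added example that is not from the original article: a small Python audit over a constructed account export. The account fields, the 90-day staleness threshold and the sample names and dates are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class VpnAccount:
    username: str
    vpn_name: str
    vpn_retired: bool       # gateway is a legacy system that has been decommissioned
    last_login: date
    mfa_enrolled: bool
    employee_active: bool

STALE_DAYS = 90  # assumed policy threshold for unused access

def audit_vpn_accounts(accounts, as_of, stale_days=STALE_DAYS):
    """Map username -> list of findings for every account that violates the policy."""
    findings = {}
    for acct in accounts:
        issues = []
        if acct.vpn_retired:
            issues.append("still enabled on retired/legacy VPN")
        if not acct.employee_active:
            issues.append("owner no longer employed")
        if (as_of - acct.last_login).days > stale_days:
            issues.append(f"no login in more than {stale_days} days")
        if not acct.mfa_enrolled:
            issues.append("MFA not enrolled")
        if issues:
            findings[acct.username] = issues
    return findings

def recommended_action(issues):
    """Disable the account when any access finding is present; otherwise enforce MFA."""
    if any(not issue.startswith("MFA") for issue in issues):
        return "disable account"
    return "enforce MFA"

# Constructed sample export; usernames, gateways and dates are invented.
AS_OF = date(2021, 5, 7)
SAMPLE = [
    VpnAccount("jdoe", "legacy-vpn", True, date(2020, 11, 1), False, True),
    VpnAccount("asmith", "corp-vpn", False, date(2021, 5, 6), True, True),
    VpnAccount("bjones", "corp-vpn", False, date(2021, 5, 1), False, True),
    VpnAccount("cwong", "corp-vpn", False, date(2021, 1, 15), True, False),
]

if __name__ == "__main__":
    for user, issues in audit_vpn_accounts(SAMPLE, AS_OF).items():
        print(f"{user}: {recommended_action(issues)} ({'; '.join(issues)})")
```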
CEO Admits to Lawmakers $4.4 Million Ransom Paid
Colonial’s CEO, Joseph Blount, would reveal that he paid the ransom demand of up to $4.4 million (some sources claim $4.3 million) in Bitcoin even while working with his team to restore operations. As he told US Senators at a hearing held soon after, his primary concern was the far-reaching impact the pipeline shutdown had on over a dozen states and finding a way to resolve it as quickly as possible. However, investigators who reviewed the decryption keys DarkSide provided for the payment found little evidence they were even effective in successfully unlocking files, and the company had to use its own restored files to recover.
FBI Traces and Recovers $2.3 Million from Hackers
The one piece of good news in this incident is that Blount and Colonial immediately alerted the authorities about the situation. This information would jumpstart an operation led by the FBI and the US Justice Department that managed to trace the ransom payment back to the digital wallet used by DarkSide and secure $2.3 million of it. The former agency had already been investigating the hacker group for some time and was able to share intelligence with the latter’s new dedicated ransomware taskforce, leading to its first asset seizure barely over a month after its creation.
Bitcoin Value Drops as Investors Question Anonymity
When news of the FBI tracking down the ransom funds broke, there was a noticeable decline in the trading value of Bitcoin amid a huge discussion on the role it plays in financing and facilitating cybercrime. Although the cryptocurrency had experienced previous drops from a multitude of other factors, it was clear that the public revelation (or reminder) that transactions could be traced to recipients caused a panic sell-off. Despite some debate over the true impact of this disclosure, the implications are obvious as to how far the hacker ecosystem extends into the financial market.
DarkSide Shuts Down Servers
Security researchers uncovered a note in Russian purportedly written by the perpetrators of the Colonial Pipeline attack, DarkSide, in which they announced they would be taking down their servers due to “pressure” from the US – and the fact that they had lost access to them anyway. The exact type of pressure that was applied is still in question, but the Biden administration did promise “action” against DarkSide and its affiliates, and the FBI would reveal only that it was able to take advantage of the majority of the group’s hosting infrastructure being located within American borders.
Understanding the Malware Ecosystem
It may seem like the pipeline hack ultimately turned into an overall win for US businesses vulnerable to ransomware, but really it revealed part of a bigger picture of a cybercrime network that has footholds in the stock market and national governments. The culprits’ own marketing (and the fact that they even had any) reflects just how much they thought of themselves as a legitimate institution, and it was only hubris and ignorance that led them to cross the line far enough to bring federal law enforcement down upon their operations. While many cybercriminal forums are openly shying away from ransomware after the blowback, the parties and knowledge involved in carrying out these types of cyber attacks remain.
DarkSide – A Look Inside Ransomware as a Service
DarkSide operated what is known as Ransomware as a Service, linguistically a play on the XaaS (Anything as a Service) business model, but the loaded term ironically echoes the evolving sophistication of malware syndicates. The group operated at the center of a network in which one side developed the code and toolkits to encrypt files while affiliates rented access to use those tools against victims. This system netted the entire operation at least $90 million worth of Bitcoin (uncovered by blockchain investigators who discovered its digital wallet), 83% of which went to the affiliates while 17% went to the software developers.
JBS, REvil, Russia and Nation-state Cyber Attacks
Although the Colonial Pipeline hack has dominated the news, the JBS USA breach was nearly as much of a driver in eliciting the prompt US response, and its own story reveals many interlinked factors. Chief among them is that the suspected culprits, the infamous REvil ransomware group, are also thought to share members with DarkSide and to be closely tied to the Russian government. These findings and the impact of the most recent attacks have led to accusations against and renewed tensions with Russia for the part it plays in either allowing these hackers to operate or outright supporting their efforts.
Cyber Insurance and Ransom Payments
Cyber insurance and other liability programs covering ransomware payments are coming under increasing scrutiny for the role these plans may play in incentivizing the extortion cycle. Insurers had already been reevaluating their rates and coverage before these most recent incidents, and inevitably the industry will feel the ripple effects of new regulatory actions taken in response.
The Effect the Colonial Pipeline Hack Will Have on Cybercrime
If all of the above seems like a lot to unpack, then you may want to take a moment before reading this – it may only be the beginning of a new era of cybercrime. It may seem counterintuitive to everything you just read, but the truth is that ransomware gangs have shut down before only to return under a different name – indeed, both DarkSide and REvil are suspected to be repeat offenders rebranding every time there is scrutiny.
The severity of the US response caught the Russian cybercriminal ecosystem off guard, but those hackers are still where they were, with access to all the resources they had before cyber extortion became the most convenient tactic. There remain plenty of tools for amateurs to try their hands at, while more sophisticated – and less scrupulous – actors can fall back on earlier brute-force methods, or work more directly for a nation-state sponsor.
Contact SWK Technologies to Learn How to Fight Ransomware
Ransomware will not go away as there will still be those hackers for whom it provides the easiest payout, and the techniques used to deliver it can be used for other, more destructive cyber attacks. The best defense against any type of malware is still to protect yourself at the user level and back up your data as frequently as possible – reach out to SWK to uncover solutions and training that will help you achieve this as efficiently as possible.
Contact SWK Technologies today to learn more about what you can do to fight back against ransomware and cybersecure your business from all threats.