Colonial Pipeline reportedly paid the ransomware group responsible for last week's cyberattack close to $5 million to decrypt locked systems. On Thursday, Bloomberg reported that, according to two people close to the matter, the blackmail demand was agreed to within hours of the cyberattack that has impacted the fuel giant's systems for close to a week.
<p>Ransomware is a reality that many organisations are facing today, but by coming out and talking about the attack, the CEO of Colonial Pipeline is providing the security industry with invaluable intelligence into the techniques deployed by cybercriminals, which will help drive more awareness around the threat and build better defences. When it comes to ransomware, it is no longer a case of if, but when. Companies need to get into a post-breach mentality pre-breach, and harden systems so that when they are faced with an attack, they know exactly how they will respond and what they stand to lose depending on their response.</p>
<p>Getting hit with ransomware does not mean a company has failed; the threat is an unfortunate fact of life today, and it doesn't matter how strong your defences are, attackers will continue to be creative and adapt new techniques to infiltrate defences. The fact that the CEO of Colonial Pipeline is speaking publicly about the company's recent ransom payment is a very positive step, and more companies should follow suit. The more companies open up about attacks and are transparent on the action they took when under attack, the more we can learn about cybercriminal techniques and build better defences. Paying cybercriminals is an outcome no CEO desires, especially when there is no guarantee that the attackers will fully delete data and it will not appear for sale later down the line; however, sometimes when the impact of an attack is so significant, it can seem like the only choice. No company or CEO should be shamed for this. Instead, we should learn from these incidents to understand how attackers got in, what data was actually returned and what could have been done differently to secure a different outcome. Attackers collaborate on their attacks, and the only way to get ahead of them is to collaborate on our defences.</p>
<p>Whilst it appears the CEO felt they had no further option, the surrendering and paying of ransom does further feed the issue by providing the attackers with more funds for better capability and more notoriety, which may fuel copycat tactics by other groups.</p>
<p>I don't think we are at the end of this story; there is no clear winner here. Darkside may have been paid $5 million to destroy the data they hold and unencrypt the affected files, but in doing so, they became a global news story and consequently a bargaining chip in future US and Russia dealings. Darkside clearly know they are public enemy number 1 right now, even issuing an apology about the collateral damage of their attack. Other criminal affiliates will be trying to distance themselves from Darkside, to avoid getting rolled up in future law enforcement investigations. If there is a loser, it's the cyber insurance company behind Colonial, who now have to cover the costs. If I want to insure a car, I have to have an MOT, a third-party certificate of roadworthiness. However, in cyber, I can have completely inappropriate levels of cyber security and still get cyber insurance. At the other end, we have Colonial, who have been publicly embarrassed by the saga and yet have essentially got away scot-free, and in doing so have sent a message that it's OK not to demonstrate any sort of compliance with a cyber security framework, as long as your insurer will cover the costs of an attack.</p>
<p><span lang="EN-US">Not only did this attack affect the operations of Colonial Pipeline, it also impacted the lives of millions of American citizens, so it is not surprising the company decided to pay the ransom; however, early reports indicate that the decryption tool did not work. While the demand does seem high, it was actually a lot lower than many in the security industry had expected, so it may set a benchmark for future ransom requests. Protecting against ransomware is all about cyber resilience and carrying out tests prior to attacks to understand damages and limit them. Network segmentation is always critical, especially keeping operational technology separate from IT infrastructure, which is more likely to be attacked.</span></p>
<p>Colonial Pipeline initially said the pipeline shutdown was precautionary in nature. If the OT environment around the pipeline operations was properly segregated and secured apart from the Colonial administrative systems, then the pipeline shouldn't have been in any danger. If the ransomware infiltrated the administrative networks only, Colonial might have been greatly impacted, but the pipeline could have continued to run. The alleged payment of $5M in ransom seems excessive in a situation where the pipeline wasn't in any real danger. The OT environment could have been somehow affected due to poor security, poor separation of OT from IT admin systems, or otherwise.</p>