
Colonial Pipeline attack: A 'wake up call' about the threat of ransomware

The Biden administration should make it illegal to pay hackers ransom, and hacker networks should be fried says Richard Clarke, former national coordinator for security and counter-terrorism.

Posted: May 16, 2021 10:00 AM
Updated: May 16, 2021 10:00 AM
Posted By: Clare Duffy, CNN Business

A relatively unsophisticated ransomware attack that caused a days-long shutdown of America's largest fuel pipeline last week — resulting in gas shortages, spiking prices and consumer panic — is exactly the sort of situation that cybersecurity experts have warned about for years.

And it could have been worse, said Nick Merrill, a researcher with the Center for Long-Term Cybersecurity at the UC Berkeley School of Information.

"The first thing that comes to my mind is: Thank God this wasn't water," Merrill said. "Unfortunately, it doesn't surprise me that this happened."

Other aging, critical utilities potentially at risk include electrical systems and nuclear power plants, Merrill said. And it's not just physical infrastructure: the hack of tools such as point-of-sale software commonly used by small businesses could wreak havoc on the economy.

Experts are hoping the Colonial Pipeline hack — and the real-world impact it had on everyday Americans — will finally be a wake-up call for companies and governments to acknowledge these vulnerabilities and take action to address them. Similar targeted attacks are expected to become more frequent and, potentially, more damaging.

There are some signs that's already happening. This week, shortly after the pipeline shutdown, US President Joe Biden signed an executive order aimed at strengthening the government's cyber defenses.

But experts say companies should be doing more to avoid becoming the next target. Around 85% of critical US infrastructure and resources is owned by the private sector, according to the Department of Homeland Security.

Here's what corporate America needs to know about these kinds of attacks and how to prevent them.

Who was behind the Colonial attack?

For years, it was generally believed that only a state-supported bad actor would be able to hack into and paralyze critical US infrastructure — and that such a thing was unlikely because doing so could be tantamount to declaring war.

But that's not the case anymore. DarkSide, the criminal gang that the FBI has confirmed was behind the Colonial attack, isn't believed to be state-backed.

Now, "a private group that was established in 2020 suddenly has the capability to stop the supply of gas," said Lior Div, CEO of cybersecurity firm Cybereason.

What is DarkSide? Experts believe the criminal group is likely operating from Russia because its online communications are in Russian, and it preys on non-Russian-speaking countries. Russian law enforcement typically leaves cybercriminal groups operating within the country alone if their targets are elsewhere, Div said.

Cybersecurity experts say the group emerged in August 2020.

DarkSide runs what is effectively a "ransomware-as-a-service" business. It develops tools that help other criminal "affiliates" carry out ransomware attacks, wherein an organization's data is stolen and its computers locked, so victims must pay to regain access to their network and prevent the release of sensitive information. When affiliates carry out an attack, DarkSide gets a cut of the profit. (In the Colonial case, it's not clear whether the attack was from DarkSide or an affiliate.)

"It sounds a lot like a business, and ultimately, that's because it is," said Drew Schmitt, principal threat intelligence analyst at GuidePoint Security. "A lot of these ransomware groups have customer service, they have chat support ... all of these different mechanisms that you would see in a normal business."

After the Colonial shutdown, DarkSide said on its website that it is a "profit motivated" entity and not a political organization. And several experts said they don't think DarkSide intended to cause such a debacle.

"Their business is to stay quiet and get paid and move onto the next target," Div said, adding that hackers often don't know who they're attacking until they're inside a network. "The last thing that they want is to see a briefing of the president of the United States talking about them."

By Thursday, DarkSide's website had been shut down, according to Jon DiMaggio, chief security officer at threat intelligence platform Analyst1. US law enforcement may have been involved in removing it, he said, because ransomware groups typically would post a notice to their site and leave some of the stolen data up for a period of time before vanishing, in hopes of extorting victims out of additional money.

What happens when you are hit with ransomware?

Once a company has been hit by ransomware, its first course of action is usually to take much or all of its system offline to isolate the hackers' access and make sure they can't move into other parts of the network.

That may be among the reasons why Colonial shut down its pipeline — to disconnect the machines running the fuel line. People briefed on the matter told CNN that the company halted operations because its billing system was also compromised, and it feared it wouldn't be able to determine how much to bill customers for fuel they received.

Experts generally encourage ransomware victims not to pay any ransom: "You're basically funding those (criminal) groups," Div said.

But a company's ability to get back online without paying hackers may depend on whether it has protected backups of its data. In some cases, hackers can delete their target's backups before locking its files, leaving the victim organization with no recourse.

Colonial Pipeline ended up paying DarkSide this week as it tried to get back up and running, sources told CNN. The group demanded nearly $5 million, but the sources did not say how much the company paid.

Similar ransomware incidents could range from anywhere in the hundreds of thousands of dollars to around $10 million, experts said.

What can be done to prevent it?

By now, organizations of all sizes should be using good "cybersecurity hygiene" — for example, requiring regular password changes by their employees and two-factor authentication. But even those best practices may not always be enough to keep a bad actor out of a network.

When it comes to ransomware, the best-case scenario is if organizations can catch hackers while they're inside the network gathering data but before they've fully executed an attack and files are locked. Bad actors typically penetrate a network up to three weeks before a company gets a ransom notice, according to Analyst1's DiMaggio.

He added that artificial intelligence tools could be helpful to companies in tracking users on the network and identifying suspicious behavior.

That's how tools like Cybereason work — when the technology identifies a pattern of behavior consistent with a bad actor inside the network, it immediately removes that user's access.

"Basically what we're doing is proactive threat hunting," Div, of Cybereason, said. "(You have to have) the mindset that you're going to get breached and somebody will try to hit you with ransomware, so it's helpful to have a research group that's going after those (bad actors), understanding what they're doing ... and can be a step ahead of them constantly."

Going forward, the US government could also play a greater role in helping to reduce the threat of ransomware attacks. For example, US officials could use diplomatic channels to encourage Russia and other countries to prosecute cybercriminal gangs, Merrill, of Berkeley, said.

This week, IBM CEO Arvind Krishna suggested that the US government create a "NASA-style program" to facilitate investment and public-private partnerships in cybersecurity.

Government could play a larger role in coordinating an overall cybersecurity plan for businesses rather than letting each company go it alone, GuidePoint's Schmitt said.

"Ultimately, cybersecurity should be addressed as one of the main concerns when we're talking about critical infrastructure," he said.
