Why the Colonial Pipeline Attack Was Such a Big Deal
News of the DarkSide ransomware gang’s attack against Colonial Pipeline first emerged in early May. The incident didn’t last long. It took just 10 days for the Colonial Pipeline Company to announce that it had restored normal operations of its systems following the infection.
The same cannot be said of its repercussions. Close to two months later, we’re still figuring out what the full legacy of the ransomware attack might look like. Here is what we know so far.
Changes in the Ransomware Landscape
The Colonial Pipeline attack ended up being DarkSide’s last. As I wrote back in mid-May,
someone seized control of the ransomware actors’ data leaks site, payment server, and DOS servers. They then misused that access to withdraw the operation’s funds, thus preventing DarkSide’s handlers from paying their affiliates.
As part of its DarkSide announcement, the REvil group announced that it would begin restricting the types of organizations that its affiliates could target going forward. That was around the same time when several Russian digital crime forums moved to prevent members from posting about ransomware going forward.
Partial Ransom Recovery by the FBI
According to CNBC, the Colonial Pipeline Company paid a ransom demand of $5 million a day after learning of the ransomware attack. Those monies didn’t remain with the DarkSide affiliate for long. On June 7, the Department of Justice (DOJ) announced that it had recovered approximately $2.3 million of the victim’s ransom payment.
In an affidavit submitted to the Northern District of California, a law enforcement officer said that they used Blockchain Explorer to track the movement of the ransom payment across several bitcoin wallet addresses. They eventually observed part of the ransom payment land in a bitcoin wallet address for which the FBI possessed the private key. It’s unclear from the affidavit how exactly the FBI came to obtain that private key and/or whether this means of recovery was replicable for other ransomware attacks.
Fuel Crisis Motivates a Lawsuit
The disruption of the Colonial Pipeline’s operations led to widespread fuel crises all along the U.S. East Coast. In places like Miami, two in five gas stations were out of fuel, reported Reuters. Other places like Washington, D.C. experienced an outage that affected upwards of 88% of their gas stations following a period of “crazed” panic buying, the news outlet wrote on May 15.
This experience left an impression on gas stations in the eastern part of the United States. EZ Mart 1 LLC, a North Carolina gas station affected by the outages, went so far as to file a lawsuit against the Colonial Pipeline Company, noted Bloomberg. In its complaint, EZ Mart asked to receive monetary compensation for the damages wrought by the attack not only on its business but also on the business of 11,000 other gas stations that it sought to represent.
New Pipeline Security Guidelines Announced by TSA
The Colonial Pipeline attack also left an impression on the Transportation Security Administration (TSA). A child of the Department of Homeland Security (DHS), the TSA realized that it needed to invest in helping pipeline organizations to better identify, protect against, and respond to digital security threats like ransomware. It thus decided to create a new Security Directive for organizations in the pipeline sector.
According to a DHS press release, the Security Directive requires pipeline organizations to report digital security incidents to the Cybersecurity & Infrastructure Security Agency (CISA) as well as to appoint a Cybersecurity Coordinator who’s available 24/7. It also commanded pipeline organizations to review their existing security measures and report any gaps within 30 days.
Biden Demands Putin Take Action to Contain Digital Criminals
Finally, during a summit with Russian President Vladimir Putin, President Biden said that the United States will respond if it continues to suffer ransomware attacks—especially those that target critical infrastructure sectors like oil and gas.
“Responsible countries need to take action against criminals who conduct ransomware activities on their territory,” Biden said at a news conference, as reported by NPR.=
Days prior to summit, Putin indicated that he would be willing to extradite ransomware actors and other digital criminals operating within its borders to the United States if Biden agreed to reciprocate, noted CNN.
How to Defend Against Ransomware
The Colonial Pipeline attack demonstrates how one ransomware incident can have far-reaching consequences that touch various aspects of life. As such, it’s in organizations’ interest to prevent a ransomware infection. One of the ways they can do that is by hardening their defenses against email-borne attacks, one of the most common delivery vectors for ransomware.