The $5 Million Password That Paralyzed a Nation (A Ransomware Tale)

ransomware-attack-pipeline

Hackers Take Advantage of Poor Cyber Hygiene in Colonial Pipeline Company Attack

The opening weeks of May 2021 saw cities throughout the southeast experiencing widespread fuel disruption. At one point, according to GasBuddy, a mind-blowing 71 percent of gas stations in North Carolina, 49 percent of gas stations in Georgia, and 55 percent of gas stations in Virginia were bone dry.
As gas supplies dwindled, lines to get gas lengthened. Panic-stricken consumers hoarded gasoline in everything from approved gas receptacles to large garbage bags. Gas prices soared to an average of three dollars, which was a price not seen in the United States since 2014.

After a six-day shutdown, gas began to flow through the Colonial Pipeline slowly. However, the gas station outages continued to plague the southeast for several days.

How did we get here, and how do we prevent this from happening again? The answer underscores the importance of vigilance and cybersecurity hygiene.

The Growing Threat of Ransomware

First appearing in Europe during the middle part of the last decade, ransomware primarily targeted individual computers and small businesses.

When turning on their computers, victims would see messages purporting to be from government agencies and informing them that their computers were blocked because they had logged into an illegal website, maybe something to do with child pornography, and the only way they could get access to their computer was to pay fine of between €100 and €200.

As their confidence grew, cybercriminals began using ransomware to attack larger companies, solar power farms, police departments, water treatment plants, hospitals, and government agencies.

Ransomware has been on the radar of the US government and private industries for several years. They have run intricate simulations and produced carefully crafted plans to respond to a cyber-attack on gas pipelines.

However, when the do-or-die moment arrived for the Colonial Pipeline Company, all of the planning was for not. As a heavyweight champion once said, “Everyone has a plan until they get punched in the mouth.” Or, as Moltke the Elder, a German Field Marshal more eloquently put it, “No plan survives contact with the enemy.”

When the May 7th attack happened, the Colonial Pipeline Company was forced to take systems offline and disable the pipeline. And, just like that, the largest petroleum pipeline in the United States, responsible for transporting 2.5 million barrels of jet fuel, heating oil, gasoline, and diesel on a 5,500-mile trek from Texas to New Jersey, went dry.

Watching panic-stricken consumers waiting in line for hours and hoarding gas throughout the southeast, the Colonial Pipeline Company caved and capitulated to the demands of the cybercriminals and paid the ransom of $4.4 million in Bitcoin.

The DOJ was able to recover the Bitcoin. However, Colonial Pipeline Company will need to pay tens of millions of dollars to restore its systems over the next few months. Two questions linger in the minds of people. First, who was behind this attack? Second, how in the world did something like this happen?

The Who and the How

The who is DarkSide, an organization that offers ransomware-as-a-service (RaaS) by providing malware to the cybercriminals looking to hack a target. Other services the group provides include tools to communicate with victims and demand payment. DarkSide receives a 25 percent commission on any ransom paid.

Since appearing in August 2020, DarkSide and its affiliates have been responsible for cybercrimes in more than 15 countries, affecting several vector industries.

Now, on to the how. An analysis of the attack showed that the Colonial Pipeline Company’s network was hacked via a compromised old VPN password. The VPN account did not use multi-factor authentication (MFA).

This meant that hackers, with just a compromised username and password, could access the largest petroleum pipeline in the United States. This is an extreme level example of what can happen to an organization when there is a lack of cyber hygiene.

What Is Cyber Hygiene?

Cyber hygiene, also called cybersecurity hygiene, is maintaining the basic health and security of software and hardware. It is a joint cautionary measure that requires diligence on the part of the computer systems administrator, security practitioner, and users to protect against cyber-attacks.

Cyber hygiene works similarly to personal hygiene. A person maintains their health by taking preventative measures that ensure health. For example, you protect your teeth by brushing, flossing, and using mouthwash daily. If a person neglects their teeth, they may develop cavities or eventually lose their teeth. If an organization neglects cyber hygiene, it could lead to a data breach, virus, or ransomware.

Cyber hygiene best practices include:

  • Creating a cyber-hygiene policy
  • Creating a list of software, hardware, and web applications used and updating the list as needed
  • Employing proper password management
  • Keeping software and hardware updated
  • Minimizing administrative access to the network
  • Properly installing and configuring antivirus and anti-malware software
  • Removing or uninstalling unused or outdated software and hardware that could create vulnerabilities
  • Using two-factor authentication (2FA) or multi-factor authentication
  • Reviewing and updating cyber hygiene best practices

Cyber hygiene improves security and maintenance. Your customer’s data is better protected. It is easier to identify unauthorized software, identify unmanaged assets, and run compliance audits.

Conclusion

Ransomware attacks, like those suffered by the Colonial Pipeline Company, aren’t going anywhere. Although DarkSide promised to suspend its activities, several bad actors are waiting in the wings to take their place.

Would you like to protect your organization from becoming the next ransomware victim? IDMWORKS can help. Contact us to see what steps your organization can take to improve cyber hygiene and preserve its digital identity.