Ransomware Temporarily Disrupted – But More Action is Required

By Hubert Yoshida posted 05-18-2021 21:53

Colonial Pipeline, which supplies gasoline and jet fuel to much of the eastern United States, has resumed operation of the pipeline it shut down after a ransomware attack on May 7. The shutdown caused widespread fuel shortages and panic buying in major cities along the East Coast. Colonial returned to operation on May 15 after reportedly paying 75 bitcoin, about $5 million at the time, to the attackers, according to Bloomberg. Earlier reports had said the company would not pay. In fact, Bloomberg reports that the company paid the hefty ransom in cryptocurrency within hours of the attack because of the immense pressure it faced to get gasoline and jet fuel flowing again to major cities along the East Coast. Although the official position of the U.S. government is not to pay ransoms, a person familiar with the situation said U.S. officials were aware that Colonial had made the payment. Most industry executives believe the extent of the impact on critical infrastructure left Colonial with no choice but to pay.

The attack hit Colonial's IT systems on May 7, and the company shut down pipeline operations to make sure the intrusion could not spread to, damage or take over the operational systems that control the pipeline. The FBI attributed the attack to DarkSide, a cybercriminal gang believed to be based in Eastern Europe. Although a decryption tool was available almost immediately, bringing the pipeline back online required careful planning, because the networks that control the distribution of the different fuel products had to be brought back in the right order. Even with the pipeline fully operational, it will take time to refill the various distribution points along the route.

Reaction to this attack may have been more than DarkSide expected. Ransomware attacks are normally under-reported, but this one had an immediate, visible impact on United States critical infrastructure. President Biden signed an executive order on cybersecurity, citing the recent SolarWinds and Microsoft Exchange hacks in addition to the Colonial Pipeline attack.
The executive order, together with a new Justice Department task force dedicated to prosecuting ransomware operators, is meant to "disrupt their ability to operate." The intent is to increase training, funnel more resources into identifying the attackers, and improve intelligence sharing on the "links between criminal actors and nation-states." The task force will also target the ecosystem behind these criminals through prosecutions, infrastructure disruptions and action against supporting services such as the forums that advertise ransomware operations.

On May 14, Intel471.com observed numerous ransomware operators and cybercrime forums either claiming that their infrastructure had been taken offline, amending their rules, or abandoning ransomware altogether because of the amount of negative attention directed at them over the past week. DarkSide, which has been named as responsible for the Colonial Pipeline incident, also sent an announcement to its affiliates claiming that the public portion of the group's infrastructure had been disrupted by an unspecified law enforcement agency. The group's name-and-shame blog, ransom collection website and breach data content delivery network (CDN) were all allegedly seized, and funds were allegedly drained from its cryptocurrency wallets. Meanwhile, the value of 75 bitcoin has fallen from nearly $5 million to about $3.3 million over the past week.

This disruption of ransomware is probably temporary; the operators will return, with even greater vigor, before long. Law enforcement can make it harder to collect the proceeds, but the real deterrent lies with each organization, which must implement security that is appropriate and proportionate to its risk. Encryption of sensitive data, multifactor authentication, immutable object storage, tested backups and prompt patching are all good practices. None of them prevents ransomware outright, but together they make an intrusion less likely and make recovery possible without paying. Most attacks still begin with email, where employees are tricked into running malware. Increasingly, attackers also get in through weaknesses or compromises in third-party software, as in the SolarWinds supply-chain compromise.
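Two of the practices above, verified backups and the ability to tell encrypted-by-an-attacker data from legitimately changed data, can be checked mechanically before a restore is trusted. The script below is an added example written for this page, not code from the original post or from Colonial Pipeline. It builds a manifest (SHA-256 plus Shannon entropy per file) of a known-good snapshot, then compares a later snapshot against it and flags files whose bytes changed and whose content now looks like ciphertext. Flagging requires an entropy jump over the baseline, so already-compressed files such as JPEGs or archives, which are high-entropy to begin with, are not mistaken for encrypted ones. All file contents, paths and thresholds are constructed assumptions; snapshots are in-memory dicts so it runs offline.

```python
"""
Added example (not the original post's code): a minimal pre-restore integrity
check combining a hashed manifest with entropy-based detection of files that
have been encrypted by an attacker.

  1. build_manifest(): SHA-256 + Shannon entropy for every file in a clean snapshot;
  2. verify_snapshot(): report missing, modified and suspicious files, where
     "suspicious" means the hash changed AND entropy is now near 8 bits/byte AND
     rose noticeably over the baseline (so compressed images/archives are not
     mistaken for ciphertext).

All data is constructed; a "snapshot" is a dict of path -> bytes.
"""
import hashlib
import math
import random
from collections import Counter

CIPHERTEXT_ENTROPY = 7.5      # assumed: bits/byte above which data looks random
ENTROPY_JUMP = 1.0            # assumed: minimum rise over baseline to count as encrypted
MASS_ENCRYPTION_RATIO = 0.25  # assumed: share of flagged files that triggers an alert


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty data, ~4.5 for English text, ~8.0 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_manifest(snapshot: dict) -> dict:
    """Record hash and entropy of every file in a known-good snapshot."""
    return {
        path: {"sha256": hashlib.sha256(data).hexdigest(),
               "entropy": shannon_entropy(data)}
        for path, data in snapshot.items()
    }


def verify_snapshot(manifest: dict, snapshot: dict) -> dict:
    """Compare a later snapshot with the manifest.

    Returns lists of paths: 'missing' (deleted), 'modified' (hash changed),
    'suspicious' (hash changed and content now looks encrypted), plus
    'mass_encryption' = True when suspicious files exceed MASS_ENCRYPTION_RATIO.
    """
    missing, modified, suspicious = [], [], []
    for path, baseline in manifest.items():
        data = snapshot.get(path)
        if data is None:
            missing.append(path)
            continue
        if hashlib.sha256(data).hexdigest() == baseline["sha256"]:
            continue
        modified.append(path)
        ent = shannon_entropy(data)
        if ent >= CIPHERTEXT_ENTROPY and ent - baseline["entropy"] >= ENTROPY_JUMP:
            suspicious.append(path)
    total = max(len(manifest), 1)
    return {
        "missing": missing,
        "modified": modified,
        "suspicious": suspicious,
        "mass_encryption": len(suspicious) / total >= MASS_ENCRYPTION_RATIO,
    }


def sample_snapshots():
    """Constructed data: a clean baseline and a later snapshot after an incident."""
    rng = random.Random(2021)
    text = b"Polling schedule for mainline pumps; contact the ops desk.\n" * 40
    photo = rng.randbytes(4096)  # stands in for an already-compressed JPEG
    baseline = {
        "ops/schedule.txt": text,
        "ops/contacts.csv": b"name,phone\nops desk,555-0100\n" * 50,
        "ops/site.jpg": photo,
        "ops/readme.txt": b"Runbook v3\n" * 30,
    }
    later = dict(baseline)
    later["ops/schedule.txt"] = rng.randbytes(len(text))  # encrypted by attacker
    later["ops/contacts.csv"] = rng.randbytes(2048)        # encrypted by attacker
    later["ops/site.jpg"] = rng.randbytes(4096)            # legitimately replaced photo
    del later["ops/readme.txt"]                            # deleted
    later["ops/new-note.txt"] = b"added after baseline\n"  # not in manifest, ignored
    return baseline, later


if __name__ == "__main__":
    base, later = sample_snapshots()
    report = verify_snapshot(build_manifest(base), later)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The check is only as good as the manifest it trusts: if the manifest sits on the same writable share as the backups, the attacker rewrites both. Keep it, and the backups it describes, on write-once or object-locked storage, which is the security point behind listing object storage among the practices above.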

While ransomware attacks have largely been a monetary exposure, the Colonial Pipeline attack has exposed the greater danger of an operational attack that could cripple critical infrastructure and affect national security. Critical infrastructure is only as secure as its weakest link, and many of those links sit in the private sector and across geopolitical boundaries. It requires all of us to ensure the cyber security of our systems.




05-04-2022 11:51

Thanks for sharing

04-27-2022 02:51

Nicely Written