Why the Colonial Pipeline Attack Was Such a Big Deal


News of the DarkSide ransomware gang’s attack against Colonial Pipeline broke in early May. The incident itself didn’t last long: within 10 days, the Colonial Pipeline Company announced that it had restored normal operations of its systems following the infection.

The same cannot be said of its repercussions. Close to two months later, we’re still figuring out what the full legacy of the ransomware attack might look like. Here is what we know so far.

Changes in the Ransomware Landscape


The Colonial Pipeline attack ended up being DarkSide’s last. As I wrote back in mid-May,

someone seized control of the ransomware actors’ data leaks site, payment server, and DOS servers. They then misused that access to withdraw the operation’s funds, thus preventing DarkSide’s handlers from paying their affiliates.

In its announcement about DarkSide’s demise, the REvil group said it would begin restricting the types of organizations that its affiliates could target. Around the same time, several Russian-language cybercrime forums moved to ban members from posting about ransomware.

Partial Ransom Recovery by the FBI


The Colonial Pipeline Company reportedly paid a ransom of $5 million a day after learning of the attack. That money didn’t remain with the DarkSide affiliate for long. On June 7, the Department of Justice (DOJ) announced that it had recovered approximately $2.3 million of the victim’s ransom payment.

In an affidavit submitted to the Northern District of California, a law enforcement officer described using a blockchain explorer to track the ransom payment as it moved across several bitcoin wallet addresses. Part of the payment was eventually observed landing in a bitcoin address for which the FBI possessed the private key. The affidavit does not say how the FBI came to hold that private key, nor whether this means of recovery can be repeated for other ransomware attacks.
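The tracing described in the affidavit is, at bottom, a graph walk over transaction outputs. The following Python is an added example written for this article, not code from the affidavit or from any blockchain-analysis vendor: it runs over a small constructed ledger (the transaction IDs, addresses and amounts are made up, not Colonial Pipeline or DarkSide data) and follows the ransom forward using pro-rata ("haircut") taint attribution, one common heuristic, which the affidavit does not name. It then reports which still-unspent addresses hold ransom-derived funds and how much of that sits at addresses whose keys the investigator controls.

```python
from collections import defaultdict, deque

# Constructed sample ledger (NOT real Colonial Pipeline / DarkSide transactions).
# Each transaction lists the outpoints it spends as (prev_txid, vout) and the
# outputs it creates as (address, amount). Every spent outpoint must resolve to
# a transaction in this ledger so input values can be looked up.
SAMPLE_TXS = [
    # The ransom payment itself; its own inputs are out of scope, so none listed.
    {"txid": "ransom_payment", "inputs": [],
     "outputs": [("addr_affiliate", 100.0)]},
    # Affiliate keeps a cut and forwards the rest to the operator (no fee here).
    {"txid": "affiliate_split", "inputs": [("ransom_payment", 0)],
     "outputs": [("addr_affiliate_keep", 15.0), ("addr_operator", 85.0)]},
    # Unrelated income that gets mixed with the ransom in the next step.
    {"txid": "other_income", "inputs": [],
     "outputs": [("addr_other", 15.0)]},
    # Consolidation: 85.0 tainted + 15.0 clean in, 99.0 out, 1.0 mining fee.
    {"txid": "operator_consolidate",
     "inputs": [("affiliate_split", 1), ("other_income", 0)],
     "outputs": [("addr_operator_hot", 99.0)]},
    # Operator moves most of the pot to an address we will treat as seizable.
    {"txid": "operator_move", "inputs": [("operator_consolidate", 0)],
     "outputs": [("addr_seized", 80.0), ("addr_operator_change", 19.0)]},
]


def topo_order(txs):
    """Kahn's algorithm: parents before children (a tx graph is a DAG)."""
    by_id = {t["txid"]: t for t in txs}
    indeg = {t["txid"]: 0 for t in txs}
    children = defaultdict(list)
    for t in txs:
        for prev_txid, _ in t["inputs"]:
            if prev_txid not in by_id:
                raise ValueError(f"{t['txid']} spends unknown tx {prev_txid}")
            indeg[t["txid"]] += 1
            children[prev_txid].append(t["txid"])
    queue = deque(tid for tid, d in indeg.items() if d == 0)
    order = []
    while queue:
        tid = queue.popleft()
        order.append(tid)
        for child in children[tid]:
            indeg[child] -= 1
            if indeg[child] == 0:
                queue.append(child)
    return order


def trace_taint(txs, start_txid):
    """Return {(txid, vout): tainted_amount} for every output carrying some
    share of start_txid's outputs. Pro-rata attribution: each output of a
    spending tx inherits taint in proportion to the tainted fraction of that
    tx's total input value, so mixing with clean coins dilutes rather than
    erases the trail."""
    by_id = {t["txid"]: t for t in txs}
    taint = {}
    for vout, (_, amount) in enumerate(by_id[start_txid]["outputs"]):
        taint[(start_txid, vout)] = amount
    for tid in topo_order(txs):
        tx = by_id[tid]
        if tid == start_txid or not tx["inputs"]:
            continue
        total_in = sum(by_id[p]["outputs"][v][1] for p, v in tx["inputs"])
        tainted_in = sum(taint.get((p, v), 0.0) for p, v in tx["inputs"])
        if tainted_in == 0.0:
            continue
        ratio = tainted_in / total_in  # the mining fee absorbs its pro-rata share
        for vout, (_, amount) in enumerate(tx["outputs"]):
            taint[(tid, vout)] = amount * ratio
    return taint


def tainted_balances(txs, taint):
    """Aggregate still-unspent tainted outputs by address: where the money sits now."""
    by_id = {t["txid"]: t for t in txs}
    spent = {outpoint for t in txs for outpoint in t["inputs"]}
    balances = defaultdict(float)
    for (tid, vout), amount in taint.items():
        if (tid, vout) in spent:
            continue
        balances[by_id[tid]["outputs"][vout][0]] += amount
    return dict(balances)


def recoverable(balances, controlled_addresses):
    """Tainted funds parked at addresses whose private keys the investigator holds."""
    return sum(amt for addr, amt in balances.items() if addr in controlled_addresses)


if __name__ == "__main__":
    taint = trace_taint(SAMPLE_TXS, "ransom_payment")
    balances = tainted_balances(SAMPLE_TXS, taint)
    for addr, amt in sorted(balances.items()):
        print(f"{addr:24s} {amt:8.2f} tainted")
    print("recoverable:", recoverable(balances, {"addr_seized"}))
```

On the constructed ledger, 15.0 units stay with the affiliate, 68.0 of the 80.0 at `addr_seized` are attributed to the ransom (the rest is the mixed-in clean income), and the 1.0 fee is never counted as recovered. Real tracing adds the hard parts this example leaves out: a complete UTXO set pulled from a node or explorer, exchange and mixer clustering, and a chosen taint rule (pro-rata, FIFO, or poison), each of which gives a different answer once coins are mixed.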

Fuel Crisis Motivates a Lawsuit


The disruption of Colonial Pipeline’s operations led to widespread fuel shortages along the U.S. East Coast. In places like Miami, two in five gas stations were reported to be out of fuel. Others, like Washington, D.C., saw outages affecting upwards of 88% of their gas stations following a period of “crazed” panic buying, as the same news outlet reported.

This experience left an impression on gas stations in the eastern United States. EZ Mart 1 LLC, a North Carolina gas station affected by the outages, went so far as to file a lawsuit against the Colonial Pipeline Company. In its complaint, EZ Mart sought monetary compensation for the damages wrought by the attack not only on its own business but also on the roughly 11,000 other gas stations it sought to represent.

New Pipeline Security Guidelines Announced by TSA


The Colonial Pipeline attack also left an impression on the Transportation Security Administration (TSA). A component of the Department of Homeland Security (DHS), the TSA concluded that it needed to do more to help pipeline operators identify, protect against, and respond to digital security threats like ransomware. It therefore issued a new Security Directive for organizations in the pipeline sector.

The Security Directive requires pipeline organizations to report digital security incidents to the Cybersecurity & Infrastructure Security Agency (CISA) and to designate a Cybersecurity Coordinator who is available 24/7. It also directs them to review their existing security measures and report any gaps within 30 days.

Biden Demands Putin Take Action to Contain Digital Criminals

Finally, during a summit with Russian President Vladimir Putin, President Biden said that the United States will respond if it continues to suffer ransomware attacks, especially those that target critical infrastructure sectors like oil and gas.

“Responsible countries need to take action against criminals who conduct ransomware activities on their territory,” Biden said at a news conference.

Days prior to the summit, Putin indicated that he would be willing to extradite ransomware actors and other digital criminals operating within Russia’s borders to the United States if Biden agreed to reciprocate.

How to Defend Against Ransomware


The Colonial Pipeline attack demonstrates how one ransomware incident can have far-reaching consequences that touch many aspects of daily life. As such, it’s in organizations’ interest to prevent a ransomware infection in the first place. One of the ways they can do that is by hardening their defenses against email-borne attacks, one of the most common delivery vectors for ransomware.

Learn how 秋葵视频色 | AppRiver can help.