Earlier this month, the Department of Homeland Security and FBI confirmed the ransomware attack against the Colonial Pipeline Company that prompted a five-day (May 7-12) shutdown of fuel transport operations. Colonial provides approximately 45% of the fuel used in the broader East Coast area. The shutdown of the pipeline network caused panic buying of gasoline, halts or delays in fuel deliveries to retail stations, and ultimately shortages in the southeastern and mid-Atlantic regions of the United States.
This week, Colonial Pipeline Company issued a statement saying they are back to transporting refined gasoline, diesel and jet fuel at normal levels and are fully operational, though it may take some time for the fuel supply chain to fully catch up.
In an interview with the Wall Street Journal on Wednesday, May 19, Joseph Blount, the chief executive officer (CEO) of Colonial Pipeline Company, confirmed he authorized a ransom payment of $4.4 million. Blount explained that this option is one he had to exercise, given the effects of shutting down such critical energy infrastructure.
Federal authorities have attributed responsibility for the attack to Russian perpetrators using ransomware known as DarkSide. The developers of DarkSide employ an interesting business model by offering the malicious software (or malware) in what is referred to as a Ransomware-as-a-Service (RaaS) approach. In this arrangement, criminal actors, called "affiliates," are provided the complete attack capability, including malware and discreet servers, in exchange for an agreed portion of any ransom demand that is met. This is an extremely dangerous practice, as such turnkey offerings, available for a simple cut of the action with dramatically reduced exposure, open the door to extortion of businesses large and small.
Based on information from online forum advertisements, the DarkSide developers take 25% of paid ransom amounts of less than $500,000, declining to 10% for ransom payments greater than $5 million.
Late last week, the crime gang operating DarkSide announced it was closing its operation due to "pressure from the US," and that its infrastructure and funds had been seized or otherwise disrupted. Some media reports quote unnamed US government sources saying that the takedown of DarkSide servers and capabilities was a joint operation carried out by the Department of Homeland Security, FBI and NSA, though this is denied by each entity.
Security experts say cyber criminal groups often disband and return under different names, and it therefore can't be determined whether the disruption to DarkSide's infrastructure is legitimate, or whether this is a planned exit scam with the intent of returning under a different name.
DHS Urges Action to Protect Critical Infrastructure
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and the FBI urge critical infrastructure stakeholders and operators to adopt a heightened state of awareness and to implement the recommended mitigation steps listed in their recently released Joint Cybersecurity Advisory, which was updated on Wednesday of this week.
Among these mitigation steps, emphasis is given to separating information technology (IT) and operational technology (OT) networks; regularly testing manual controls; and ensuring that backups are implemented, tested, and isolated from network connections. These mitigation steps will help organizations across sectors and industries to improve resilience by reducing vulnerability to ransomware, and the risk of severe business disruption.
Many of the recommendations made can also play a key role in protecting smaller businesses. In one simple example, keeping off-network backups of your critical systems and data can have a huge impact when recovering from a variety of scenarios in which main computing systems become unusable.
AlertsUSA continues to monitor the domestic and international threat environment around the clock and will immediately notify service subscribers, via SMS messages to their mobile devices, of new alerts, warnings and advisories, or of any developments which signal a change in the overall threat picture for American citizens, as events warrant.