Diary of a Ransomware Attack: Inside the Colonial Pipeline Incident

Ransomware

Ransomware is a devastating blow to any organization. Financial damage is the first thing that comes to mind, but other aspects of the incident can be just as bad or even worse. The disruption from just one ransomware attack bleeds over into the entire operation and creates a ripple effect that can have far-reaching consequences. The Colonial Pipeline ransomware incident in May 2021 is a good example of how that ripple effect plays out.   

Companies impacted by ransomware lose an estimated average of six working days, and 37% of them experience downtime of one week or more. That’s something no one can afford, especially now with budgets squeezed tightly in an uncertain economy. The disruption at Colonial Pipeline not only impacted the company’s productivity but also the daily life of many Americans, shining a spotlight on the danger of cyberattacks against infrastructure and critical services. Most ransomware attacks are complex, shadowy operations, and the exact details rarely come to light. But the Colonial Pipeline ransomware incident has been widely investigated, researched and reported on, and that provides a rare inside look at how a ransomware attack goes down.

The Story of the Colonial Pipeline Incident

Setting Up the Operation 

The DarkSide ransomware gang gained renown for conducting a successful attack against Colonial Pipeline, scoring a payday that has been estimated at a little over $4 million. But that operation wasn’t run by the developers and operators of DarkSide directly. Instead, the Colonial Pipeline hack was carried out by an affiliate of the larger operation using DarkSide’s proprietary malware.  That affiliate hired its own subcontractors through dark web forums and gathered resources from dark web data markets and dumps to do the deed. 

Then the satellite gang sprang their trap, snagging Colonial Pipeline in a devastating attack that shut down the largest fuel pipeline in the US. The point of entry for the gang was a single compromised employee password that gave them the keys to the kingdom. Using that stolen password, the DarkSide affiliate slipped inside Colonial Pipeline’s admittedly lax digital security and delivered their cargo, DarkSide’s proprietary ransomware, to encrypt Colonial Pipeline’s systems and data. After that came the easy part – the affiliate set a timer for the malware to deploy, made their ransom demand and sat back to wait for their money.  

Springing the Trap

A little more than one week after the initial intrusion, the ransomware infection began, kicking off the endgame of the affiliate’s operation.  An employee starting their day’s work in the Colonial Pipeline central control room saw a ransom note demanding cryptocurrency pop up on their computer and called in their supervisor. Then the race began for Colonial Pipeline as they tried to outpace the infection to preserve their systems and data. After shutting down the pipeline to try to mitigate the damage and prevent the hackers from further penetration, Colonial had to scramble to bring in experts to help.  

The attackers locked Colonial Pipeline down to devastating effect, disrupting gasoline supplies across the eastern US. Media hype around the attack drove worried consumers to wait in long lines at gas stations out of fear of a potentially long-lasting fuel shortage that never truly materialized. But that didn’t matter. Every major news outlet covered this massive story, and cybersecurity became everyone’s favorite subject, especially in regard to the use of cyberattacks in warfare and nation-state hacking, although this incident was ultimately determined not to be the work of nation-state threat actors, just greedy cybercriminals.

Reaping the Profits (and the Consequences) 

In addition to any ransoms paid for decryption, the gang stole an estimated 100 gigabytes of data that had the potential to be highly sensitive. That gave them an additional opportunity to profit whether or not Colonial Pipeline chose to pay the ransom. Plus, paying off the attackers doesn’t mean that the victim’s data will be returned in full and not duplicated or used in another cybercrime operation. There is never a guarantee that the gang hasn’t already copied and sold your data and you can never be sure if they’re telling the truth when they say that they haven’t done that. In fact, less than 60% of companies that pay the ransom are able to recover even part of their data, and 39% of companies that pay a ransom never see any of their data again. 

By any standard, the DarkSide affiliate’s attack was a smashing success. The attackers scored a big payday and a treasure trove of valuable data. Colonial Pipeline paid the attackers at least one $4.4 million ransom in short order. The larger DarkSide gang made money too: according to researchers at FireEye, DarkSide affiliates are required to send about 25% of ransom payments under $500,000, and 10% of any successful ransom collections over $5 million up the chain to the larger gang.  

The cybercriminals who pulled off this operation made a splash on the world stage and in hacking circles. They accumulated resources to help them conduct future cybercrime operations and, in some ways, enhanced their own reputation and the gang’s, while at the same time creating a problem that ultimately led to DarkSide’s demise. A massive, well-resourced investigation into the circumstances and players in the Colonial Pipeline attack forced DarkSide underground, and the organization officially dissolved. Some of the ransom money was later recovered by the FBI in a cybercrime sting operation.

Ransomware is very profitable, especially the double encryption strain that DarkSide preferred. Before the gang went dark after the Colonial Pipeline incident, DarkSide had received $90 million in bitcoin ransom payments over the course of its short lifetime according to blockchain analysts at Elliptic. They further estimated that the average ransomware payment in a DarkSide operation was about $1.9 million. Of the total haul that DarkSide operations pulled in, those experts estimate that $15.5 million went to DarkSide’s developer while $74.7 million went to its affiliates. 

The Forecast is Not Good 

This attack put ransomware front and center in a larger cultural conversation about how to protect important resources and guard against cybercrime in the digital world. In the wake of this attack, the US federal government opened a Ransomware One-Stop site to bring the government’s available resources under one roof and give businesses support in the fight against cybercrime. That’s a timely addition, too: ransomware attacks have continued to pound businesses, rising to previously unseen heights in Q2 2021.

  • Ransomware now accounts for 69% of all attacks involving malware  
  • That’s a 30% jump over the same quarter in 2020. This increase includes  
  • There was a massive, 45% jump in ransomware attacks in April 2021 alone 
  • UK researchers noted that 22% of attacks in the first quarter of 2021 were ransomware

The Future of Ransomware Risk 

What can we expect to see in the evolution of ransomware and cybercrime in the near future? Here are three of our predictions.  

1. More Use of Ransomware as a Weapon

In December 2020, the true impact of a massive, precisely targeted nation-state attack was felt by the United States government and many large corporations in the wake of a breach at cybersecurity software giant SolarWinds. A messy tangle of back doors, fake patches, business email compromise, malicious code, phishing and more was unraveled, exposing the alarming fact that likely Russia-sponsored nation-state hackers had been inside US government and defense agency systems for months, accessing all sorts of information. The same group of hackers was also linked to attacks at Microsoft, Cisco, FireEye and other major tech players. This is one of the largest demonstrations so far of ransomware’s use as a tool of espionage or even war.

2. Phishing Risk That Never Stops Rising  

Phishing risk is exploding, up almost 300% in 2021 over 2020’s record-breaking numbers. Some of that increase can be attributed to ongoing pandemic lockdowns extending remote work and new hybrid work models. Unfortunately, an estimated 74% of organizations in the United States experienced at least one phishing attack in 2020, and 80% of respondents in a UK survey said that they have also experienced an increase in the number of phishing attacks that their organizations have faced. 

3. Increases in Strategic Attacks with Pinpoint Accuracy 

Researchers determined that targeted ransomware has grown by an eye-popping 767%, easily dwarfing all other types. This increase in carefully socially engineered malicious messages has been especially felt in the APAC region. Recent numbers logged by UK researchers tell a chilling tale as well, with a record-breaking 11% year-on-year increase in attacks against UK targets in Q1 2021. UK businesses encountered 172,079 cyberattacks each, on average, between January and March 2021, the equivalent of 1,912 per day. Cybercriminals are choosing targets wisely in order to gain the maximum benefit from each attack and minimize law enforcement investigations that could land them in hot water. 

Uncover the Secret to a Strong Ransomware Defense 

Stopping ransomware starts with stopping phishing. Establish a smart defense against ransomware threats in a flash with automated, AI-powered email security from Kaseya 365 User. The ideal choice to combat the flood of dangerous phishing email heading for every business, Kaseya 365 User layers security for more protection with three powerful shields. 

  • TrustGraph uses more than 50 separate data points to analyze incoming messages completely before allowing them to pass into employee inboxes. TrustGraph also learns from each analysis it completes, adding that information to its knowledge base to continually refine your protection and keep learning without human intervention.  
  • EmployeeShield adds a bright, noticeable box to messages that could be dangerous, notifying staffers of unexpected communications that may be undesirable and empowering staffers to report that message with one click for administrator inspection.    
  • Phish911 enables employees to instantly report any suspicious message that they receive. When an employee reports a problem, the email in question isn’t just removed from that employee’s inbox — it is removed from everyone’s inbox and automatically quarantined for administrator review. 

The choice is clear: smart, automated email security is the right move for businesses in 2021 and beyond. Let us help you give your business the big benefits of automated security at a small price without sacrificing functionality or innovation when you choose Kaseya 365 User. Book a demo today.
