Jarrett Kolthoff | June 10th, 2021

Long-Term Effects of Colonial Pipeline Ransomware Attack

On Friday, May 7, the Colonial Pipeline disclosed a ransomware attack that they said forced the company to halt operations and freeze IT systems. The Colonial Pipeline in Georgia supplies about 45% of the East Coast’s fuel which includes gasoline, diesel, military supplies, and other useful resources. They transport over 100 million gallons of fuel in a day across the Eastern United States.

The threat group responsible for the attack is assumed to be DarkSide, but it’s possible that other threat actors are claiming to be DarkSide in order to get in the news. “DarkSide” operators claimed they did not intend to disrupt the operations of the pipeline and only wanted to achieve financial gain. Unfortunately, their attack was not as precise as planned: by April 2021 they had effectively gained operational control of the organization via compromised VPN credentials. The threat actors initiated a dual extortion effort, stealing 100GBs of data and threatening to disclose it in addition to encrypting the environment. Gas prices skyrocketed because the operational impact left Colonial Pipeline unable to distribute gasoline, which caused mass hysteria; those who felt compelled to buy more gas in fear of the shortage only drove prices higher.

This particular fallout proves how modern-day ransomware attacks have severe real-world implications. On May 12 at 11 CT, five days after operations had initially stopped, the percentage of all stations without gasoline, by state, was: GA 10.4%, AL 1.1%, TN 1.0%, SC 8.3%, NC 16.0%, FL 3.4%, 10.2%, and MD 1.6%.

When organizations endure ransomware attacks, the biggest toll taken on the company is likely the business disruption. This is one of the reasons Joseph Blount, the CEO of Colonial Pipeline, decided to make the ransom payment of almost $5 million after consulting with a third-party firm. He was faced with the decision of recovering without his company’s data or paying the ransom to restore operations more quickly. The bottom line is that ransomware attacks are a no-win situation.

There are a few things everyone can learn from this attack. When ransomware goes beyond the digital world and starts to affect society the way the pipeline attack did, more people become aware of the impact it can have. In terms of general cyber awareness, attacks on this scale can be a positive.

On the other hand, there aren’t many things that can devastate organizations like ransomware attacks. When an organization attempts to recover from one of these attacks using only internal resources, the downtime lasts at least 18 days before the organization is fully recovered. Ransomware is the number one threat to your business in today’s climate, but there are ways to mitigate it. Engage with a cybersecurity firm and allow them to provide their services to protect your business. Profit is precious, so don’t give the lurking threat actors a chance to steal it.

The easy response would be for organizations to begin implementing cybersecurity plans and bolstering their infrastructure, although simply throwing capital at these issues is not enough. Executive Leadership MUST begin asking their CIOs and other technical stewards within the organization the tough questions – “Can we defend ourselves and respond to these attacks – 24/7?” The truthful answer 90% of the time is no – internal resources are not combating these threats 24/7 and are exposed to various unknown attack methodologies.

As a leader in your organization, having a security firm with a security operations center protecting your organization 24/7 will relieve the headache and strategic risk of dealing with these attacks. It will also lower the chances you’ll be hit by these threat actors in the first place. Be proactive because cyber threats are sophisticated, relentless, yet arbitrary at times. Everyone in this industry understands it’s a matter of when, not if, and you should, too.