By Lazaro Serrano, Cybersecurity expert
The Colonial Pipeline is the largest pipeline system for refined petroleum products in the U.S. It carries about three million barrels of gasoline, diesel and jet fuel per day from Texas as far north as New York, and about 45% of all fuel consumed on the East Coast arrives through it. That made it an attractive target: in May 2021 attackers deployed ransomware on the company's network and stole roughly 100 gigabytes of company data. Ransomware is malware that encrypts the contents of the victim's computers, leaving them unable to use their systems until a ransom is paid. In return for payment the attacker promises to hand over the decryption key, the secret value needed to unlock the files. Many victims decide to pay because they have no usable backup of the infected systems, or because the effort and resources needed to restore hundreds or thousands of machines far exceed the ransom. Modern ransomware groups also steal data before encrypting it, as happened at Colonial, so that they can threaten to publish it if the victim refuses to pay.
Once Colonial identified the attack, the company shut down its pipeline operations as a precaution, out of concern that the attackers might have obtained information allowing them to reach more vulnerable parts of its systems. The day after the attack, the DarkSide criminal group demanded a ransom of nearly $5,000,000, threatening to publish the stolen data if it was not paid. Colonial's CEO later confirmed that the company paid roughly $4.4 million within hours; the decryption tool it received was reported to be so slow that recovery still relied heavily on the company's own backups.
On May 9, 2021, the Biden administration issued an emergency declaration that lifted hours-of-service limits on fuel transport by road to alleviate shortages. Flights had to be rerouted to refuel, and gas stations along the East Coast ran short of gasoline. Panic buying by motorists then depleted supplies far faster than usual and made the shortages worse.
Colonial stated that it expected to restore most operations by the end of the week while bolstering its cybersecurity, and the pipeline restarted on May 12. The FBI confirmed that DarkSide ransomware was responsible. The group is believed to operate out of Russia, and at the time no ties to the Russian government had been established.
A study by Check Point (2021) identified the five countries that received the most ransomware attacks: the United States, Israel, India, Japan and Germany. The United States was the most affected, with 12% of all attacks targeting it, and these five countries together accounted for 38% of all ransomware attacks, more than a third of the total.
This shows the importance of a robust cybersecurity program that helps prevent these attacks. Organizations are clearly exposed when the right controls are not in place, which is why the right security posture is essential for any organization.
Companies often assume that because they are not in the financial or healthcare sector they are less likely to fall victim to a cyber-attack, which is not the case. A study reported by the Wall Street Journal (2021) identified the industries most likely to be hit by a ransomware attack.
The diagram referenced here (not reproduced) covers virtually every industry. As of 2021, the sectors most affected by ransomware, and likely to remain so, are retail, education, business and professional services, and central government, each with around a 40% chance of being hit. Technology, manufacturing, healthcare, financial services, government, media and entertainment, transportation, construction, and utilities such as energy, oil and gas all face more than a 25% chance of becoming a ransomware victim.
The initial attack vector at Colonial was not public at the time of the attack. It was later reported, in the CEO's testimony to Congress, that the attackers logged in through a legacy VPN account using a leaked password, and that the account was not protected by multi-factor authentication. That is exactly the kind of entry point seen across ransomware incidents: unpatched vulnerabilities, an employee opening a phishing email, credentials purchased or leaked on the dark web, or a similar tactic for getting into the organization's network. Most of these vectors can be blocked with the right security tools, multi-factor authentication on every remote-access path, and proper backups in place.
Some important protection techniques and services that can help your organization prevent ransomware attacks are the following:
- Email Protection – Block executable attachments (.exe and other executable types) in basic mail flow rules and enable advanced threat protection features such as attachment sandboxing and link rewriting. Attackers also hide executables inside archives and documents, so attachment filtering should inspect content, not just file extensions.
- Real-time Monitoring – A dedicated SOC team monitoring your organization is key to identifying unusual activity, such as a single process rewriting thousands of files in minutes, as early as possible.
- Web Protection – Security tools for your cloud applications (cloud access security brokers and web filtering) are of great use for detecting, analyzing, and responding to malicious behavior.
- Device Compliance – Ensuring your organization's devices meet compliance controls (current patches, disk encryption, endpoint protection running) means only devices that meet security requirements can reach company resources.
- Backups – Keep backups where ordinary users and workstations cannot write to them, for example offline or on immutable storage. If backups are reachable from an infected machine, the attacker can encrypt or delete them as well. Test restores regularly; a backup that has never been restored is not a backup.
- Blocking Macros in Office Documents – Many infections start with a malicious macro in a document attached to an email. Your organization can block macros entirely, or block only macros in files that came from the internet while allowing digitally signed macros from trusted publishers.
- Block Known Ransomware File Types – such as .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .encrypted, .locked, .crypto, _crypt, .crinf, .r5a, .XRNT, .XTBL, .crypt, .R16M01D05, .pzdc, and others. Alert when these extensions start appearing on file shares. Extension lists only catch families that have already been seen, so they complement rather than replace behavioral detection.
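As an added example, not part of the original article, the following Python script shows the kind of check a SOC or managed service would run over file-activity events to catch the two signals from the list above: known ransomware extensions appearing on files, and one process modifying an unusual number of files in a short window (the behavioral signal that still fires when a new family uses an extension nobody has listed yet). The event log format, the host, user and process names, and the sample events are all constructed for this example; the extension list is the one given in the article.

```python
"""Ransomware early-warning checks over file-activity events.

Added example: the log format, hosts, users, process names and the
sample events below are all constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Extensions the article lists as commonly appended by ransomware, normalized
# to lower case so matching is case-insensitive.
KNOWN_RANSOMWARE_SUFFIXES = frozenset(s.lower() for s in (
    ".ecc", ".ezz", ".exx", ".zzz", ".xyz", ".aaa", ".abc", ".ccc", ".vvv",
    ".xxx", ".ttt", ".micro", ".encrypted", ".locked", ".crypto", "_crypt",
    ".crinf", ".r5a", ".XRNT", ".XTBL", ".crypt", ".R16M01D05", ".pzdc",
))

# Hypothetical event format produced by an endpoint agent:
# <ISO timestamp> host=<h> user=<u> pid=<n> proc=<image> action=<a> path=<path>
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) pid=(?P<pid>\d+) "
    r"proc=(?P<proc>\S+) action=(?P<action>\S+) path=(?P<path>.+)$"
)

# Actions that change file content or names; reads are ignored for the burst check.
MODIFYING_ACTIONS = {"write", "rename", "create"}


def parse_event(line):
    """Return the event as a dict, or None for lines that do not match the format."""
    match = EVENT_RE.match(line.strip())
    if not match:
        return None
    event = match.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    event["pid"] = int(event["pid"])
    return event


def has_ransomware_suffix(path):
    """True if the file name ends with a suffix known to be appended by ransomware."""
    lowered = path.lower()
    return any(lowered.endswith(suffix) for suffix in KNOWN_RANSOMWARE_SUFFIXES)


def detect(lines, burst_threshold=20, window_seconds=60):
    """Scan event lines in time order and return a list of alert dicts.

    Two signals are raised:
      known_extension   - a file path ends with a known ransomware suffix
      mass_modification - one process on one host modified at least burst_threshold
                          files within window_seconds (raised once per process)
    """
    alerts = []
    recent = defaultdict(deque)  # (host, pid) -> timestamps of recent modifying events
    already_reported = set()

    for line in lines:
        event = parse_event(line)
        if event is None:
            continue  # unparseable line: skip rather than crash the detector
        key = (event["host"], event["pid"])

        if has_ransomware_suffix(event["path"]):
            alerts.append({
                "kind": "known_extension", "host": event["host"], "pid": event["pid"],
                "proc": event["proc"], "path": event["path"],
            })

        if event["action"] in MODIFYING_ACTIONS:
            window = recent[key]
            window.append(event["ts"])
            # Drop timestamps that fell out of the sliding window.
            while window and (event["ts"] - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= burst_threshold and key not in already_reported:
                already_reported.add(key)
                alerts.append({
                    "kind": "mass_modification", "host": event["host"], "pid": event["pid"],
                    "proc": event["proc"], "count": len(window), "window_seconds": window_seconds,
                })
    return alerts


def build_sample_lines():
    """Constructed events: two normal saves, then one process renaming 25 files in 25 seconds."""
    lines = [
        r"2021-05-07T04:10:01 host=ws01 user=jdoe pid=4120 proc=WINWORD.EXE action=write path=C:\Users\jdoe\Documents\report.docx",
        r"2021-05-07T04:10:20 host=ws01 user=jdoe pid=4120 proc=WINWORD.EXE action=write path=C:\Users\jdoe\Documents\budget.xlsx",
    ]
    for i in range(25):
        lines.append(
            rf"2021-05-07T04:12:{i:02d} host=ws01 user=jdoe pid=6620 proc=rundll32.exe "
            rf"action=rename path=C:\Users\jdoe\Documents\doc{i}.docx.locked"
        )
    return lines


SAMPLE_LINES = build_sample_lines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert)
```

On the constructed sample the detector raises 25 known_extension alerts (one per renamed file) and a single mass_modification alert for pid 6620 once its twentieth rename lands inside the 60-second window; the two ordinary Word saves produce nothing. In production the threshold and window would be tuned per file server, and the alert would feed the SOC's playbook (isolate the host, kill the process, check that backups are still intact) rather than just printing.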
The best option for an organization like Colonial Pipeline is a well-run Managed Security Service, so that its own staff can focus on operations while a team of experts addresses the weaknesses these attacks expose and builds solid protection against future ones. Prevention is one of the best ways to protect profits and support growth.
For more information visit us at: https://www.intechxsp.com/cybersecurity-managed-service/