The MSP Responder – Colonial Pipeline Ransomware Attack

msp responder, mailprotector, colonial pipeline shutodown, ransomware

Another Darkside Ransomware Attack

What Happened?

At this point, everyone in the IT community is familiar with the recent Colonial Pipeline cyberattack. In addition to a big ransom payment of $4.4 million, this ransomware attack ultimately resulted in a temporary closing of the pipeline, which is a critical part of U.S. petroleum infrastructure. In fact, the Colonial Pipeline supplies nearly half of the Eastern United States with fuel, as it stretches 5,500 miles and transports 2.5 million barrels per day.

While the cyberattack on Colonial Pipeline was not the first of its kind, it certainly was a one whose grimy tentacles reached millions.

Here’s a rough timeline of the attack:

  • April 29 – Hackers identifying themselves as “DarkSide” entered the Colonial Pipeline network via VPN using a single compromised password from an unused account that was likely purchased on the dark web. Several days are spent downloading critical business information.
  • May 7 – Colonial Pipeline IT employees receive a ransom note demanding cryptocurrency. News of the ransomware attack is escalated internally, then externally, leading to the pipeline being shut down for the first time in its 57-year history as a precaution.
  • May 8-12 – Options are explored and eventually a $4.4 million in ransom is paid.
  • May 12 – The pipeline is turned back on and the FBI begins to deal with the aftermath.

Outside of Colonial Pipeline allowing itself to be vulnerable to outside threats due to lack of proper IT security protocol, the attack was planned and orchestrated by a growing enemy – organized cyber criminals.

What was always a dishonest money maker for cyber criminals has become big business as hackers have graduated to attacking infrastructure. As seen with Colonial Pipeline, the more people an attack effects, the larger the motive an organization has to pay hackers and move on.

Ransomware is a profitable and trending crime for many organized cybercriminals. CrowdStrike reported over 1,400 ransomware and data extortion incidents in 2020. Just since the Colonial Pipeline attack in late April, attacks have been made on government agencies, a Florida water system, schools, health care institutions, the meat industry and even a ferry service to Martha’s Vineyard. Such assaults have caused FBI director Christopher Wray to draw comparisons to the government response taken after the September 11 terrorist attacks.

What Data Did DarkSide Steal?

In addition to Colonial Pipeline, cyber criminals calling themselves “DarkSide” have been very active lately, even having recently attacked the European subsidiaries of Toshiba. In another ransomware attack of a large US-based manufacturing company, DarkSide published a list of what was stolen. The list includes data concerning:

  • Accounting
  • Finance
  • Human Resources
  • Employee Confidential Data (photos, taxes, benefits)
  • Marketing
  • Budgets
  • Taxes (sales tax compliance, property, income, franchise taxes)
  • Payroll
  • Banking Data
  • Arbitration
  • Scans
  • Insurance
  • Reconciliations
  • Reports (monthly bank inventory, monthly financial, claims reports)
  • Audits (DHG, insurance audits)
  • B2B clients config data
  • Confidentiality 2020
  • 2020, 2021 Business Plans
  • 2019, 2020, (2021 YTD) years closing (full dumps)

DarkSide concluded the list by saying in addition to the list above, they also stole “a lot of other sensitive data.” “Other sensitive data” might include things like embarrassing email conversations hackers can now use to compromise the company’s brand.

How Do I Prevent Cyber Attacks?

While they have suffered enough, it is also unfortunate for Colonial Pipeline that they have to be used as the example of what not to do. However, simple email encryption and a few other security measures could have prevented this data from being exposed.

Read More: How to Prevent Ransomware Attacks >>

Preventing Ransomware Attacks eBook (PDF)

Read an in-depth summary where we look at several recent ransomware attacks to break down exactly what happened, which ransomware prevention plans worked, and which ones didn’t hold up when it mattered the most.

Want to receive more information like this?

Mailprotector strives to help MSPs keep organizations safe. In doing so, we like to send occasional information on cybersecurity-related news events. As an email security company, we promise not to over-share!

Stay aware of email threats

Get notified whenever a new MSP Responder article is published: