Colonial Pipeline Ransomware Breach: How to Protect Your Assets
May 11, 2021
TrackerPayton

FROM THE DESK OF THERESA PAYTON  

Unlocking the Mystery of Ransomware

According to research from Cybersecurity Ventures, a new organization will fall victim to ransomware every 11 seconds this year.
The headlines around cybercrime continue to highlight the biggest and worst attacks ever. We went into the holiday season of 2020 learning that FireEye had their Red Team tools stolen (see: https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html). During their investigation, they determined that SolarWinds had been a victim of an attack that became one of the most concerning supply chain attacks, impacting clients of SolarWinds and organizations that connected to and communicated with clients of SolarWinds. Next, we learned that Microsoft had an attack against their infrastructure (see: https://www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack).

Late last week, we learned that Colonial Pipeline was hit with a ransomware attack.

Based upon helping Fortune 100 companies, private companies, and government organizations prepare for and respond to ransomware attacks, I wanted to pass along my perspective and expertise for the greater good.  

Perspective

I named ransomware in 2018 the carbon monoxide poisoning of our cyber resilience because it's stealthy, silent, and deadly to operations. Ransomware has been an international mess in the making for more than a decade, with cryptocurrency emboldening attackers as they want to be virtually untraceable. For a historical compilation of ransomware attacks over the years, dating back as far as 1989, go to: https://www.csoonline.com/article/3566886/a-history-of-ransomware-the-motives-and-methods-behind-these-evolving-attacks.html.  

Additionally, we have seen while responding to incidents that victims frequently don't want to pay the ransom. Still, their cyber liability insurance companies may deem it cheaper to pay the extortionists versus paying for a recovery effort - that's problematic. If someone has to pay, I don't judge the victim organization or victim shame because that doesn't solve the issue. But when considering payment, victims should know that payments, which averaged $170,000 per Sophos research, do not assure full data recovery. Sophos also found that 29% of affected companies couldn’t recover even half of their encrypted data, with only 8% achieving full data recovery (https://www.forbes.com/sites/daveywinder/2021/05/02/ransomware-reality-shock-92-who-pay-dont-get-their-data-back/?sh=671006c8e0c7).

After the SolarWinds and the Microsoft attacks, I rank this incident as one of the topmost concerning incidents in the last 24 months for the United States. It's perhaps one of the most disruptive ransomware incidents ever to hit a company in the United States' critical infrastructure.

What do we know about the Colonial Pipeline incident as of May 11, 2021?

  • The FBI has confirmed the cybercriminal syndicate known as DarkSide carried out the attack. DarkSide is believed to be made up of predominantly Russian-based operatives. For the record, DarkSide denies any connection to the Russian military or government.  
  • We have seen DarkSide cases within our line of Incident Response work, and there are proactive tactics that can help protect against or mitigate damages, as well as ways to conduct the response for the best outcome.
  • DarkSide set up shop in what I would describe as a “Commercial Ransomware Enterprise” in approximately August 2020.
  • This group typically steals data first before encrypting files and extorts victims after they lock up their systems.
  • It's believed they attempted to steal roughly 100 gigabytes of data from Colonial – that data exfiltration amount is currently unconfirmed, and details are not available regarding precisely what they took at this time.
  • DarkSide is known to have a research arm that provides target companies to attack, a press team that promotes their attacks on social media, and even a victim hotline. Recently, they published a “code of conduct.”

Recommendations for Policy Makers and the White House:

  1. International governments must band together to address this issue - we can no longer tell companies they have to protect and defend themselves using compliance frameworks and to "do better."
  2. We have an international responsibility to spot and stop ransomware - we have no idea where the money goes. Follow the money - are we funding new Lamborghinis and Ferraris for criminals or are we financing something far worse, such as money laundering of human trafficking schemes or funding the nuclear warhead ambitions of various Nation States with nefarious intentions?
  3. I would highly recommend that the Biden Administration accelerate their task force and stand up an initiative to spot and stop ransomware syndicates and create a platform of rapid response teams, such as putting the best and the brightest minds on rapid development of decryption keys for victims.
  4. We need an international agreement that this type of attack must end and call out the countries that harbor and house ransomware syndicates and enforce economic sanctions and political ramifications.

Expertise  

The Fortalice Threat and Incident Response group has dealt with attacks attributed to the Ransomware-as-a-Service DarkSide group recently. Here are some of our findings:

  • DarkSide prefers to use PowerShell commands during its attack. The commands are often double-encoded to obfuscate their intentions.
  • DarkSide leverages Name and Shame sites on the Dark Web to compel its victims to pay the ransom demand.
  • DarkSide attackers target the victim’s backup tools and storage before encrypting the rest of the environment.

If you don’t already have a threat hunt program in place within your organization, this is a good time to start. Review the Indicators of Compromise, such as the bulletins provided by FBI InfraGard, and conduct a threat hunt immediately. If you are uncertain how to get started, we can assist.
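
As an added illustration of the double-encoding finding above (not Fortalice's tooling and not code from the original post), this Python sketch peels nested base64 layers from a logged PowerShell command line so a threat hunter can read the final script. It assumes the layers are base64 passed through `-EncodedCommand` and `FromBase64String`, which the post does not specify; the function names and the sample command are constructed for the example.

```python
import base64
import re

# Launcher flag followed by a base64 blob, e.g. "-enc SQBFAFgA..."
FLAG_RE = re.compile(r"(?i)(?:^|\s)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]{8,})")
# Base64 literal passed to [Convert]::FromBase64String inside a script
INNER_RE = re.compile(r"(?i)FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{8,})['\"]")

def decode_blob(blob):
    """Base64-decode a blob and return its text, or None if it is not valid."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    # -EncodedCommand carries UTF-16LE; inner literals may be UTF-16LE or UTF-8.
    wide = len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4
    try:
        return raw.decode("utf-16-le" if wide else "utf-8")
    except UnicodeDecodeError:
        return None

def next_blob(text):
    """Find the next encoded layer: -ec or any prefix of -EncodedCommand first,
    then a FromBase64String literal. Flags such as -ExecutionPolicy are skipped."""
    for m in FLAG_RE.finditer(text):
        flag = m.group(1).lower()
        if flag == "ec" or "encodedcommand".startswith(flag):
            return m.group(2)
    m = INNER_RE.search(text)
    return m.group(1) if m else None

def peel(cmdline, max_depth=5):
    """Decode nested layers and return them outermost first.
    Two or more layers means the command was at least double-encoded."""
    layers, text = [], cmdline
    while len(layers) < max_depth:
        blob = next_blob(text)
        decoded = decode_blob(blob) if blob else None
        if decoded is None:
            break
        layers.append(decoded)
        text = decoded
    return layers

def encode_sample(s):  # used only to build the constructed sample below
    return base64.b64encode(s.encode("utf-16-le")).decode()

# Constructed, harmless sample: two layers that only print a string.
INNER = "Write-Output 'constructed sample'"
STAGE = "IEX([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('%s')))" % encode_sample(INNER)
SAMPLE = "powershell.exe -NoProfile -ExecutionPolicy Bypass -enc " + encode_sample(STAGE)
```

Run `peel()` over process-creation or PowerShell script-block log entries and prioritise any command line that returns two or more layers for review.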

What can you do now?  

Here are the Top 4 Most Effective Steps From Our Client Work:

  • Store your backups and your audit trail logs out-of-band and disconnected from your critical and day-to-day operations.  
  • Implement multi-factor authentication on EVERY platform and every access point. Where it’s not practical to implement, restrict access via firewall or network rules and ensure you have logging turned on and someone manually monitoring the logons for anomalies.
  • Have a tested containment strategy to limit admin accounts across the environment and a privileged account management strategy in place that monitors for use and abuse.
  • Have a tested Incident Response Plan in place.

The Next 7 Most Effective Steps:

  • If resources are scarce, focus on your remote access platform and your email platform – these are the top two attack vectors for most ransomware syndicates.
  • Test your backup and restoral processes at least quarterly.
  • Convene your executive leadership team in the next 60 days to create or update your ransomware playbooks.
  • Call your insurance company and ask detailed questions about your ransomware coverage and what decision tree the insurance company uses regarding when they would encourage clients to pay the ransomware syndicate versus not.
  • Automate an ongoing review of your data movement, data copy, and data extraction logs highlighting anomalies to your security operations team daily.
  • Enforce micro-segmentation of everything with role-based policy enforcement assuming “trust nobody” and “least privilege access.” This can include, but is not limited to: access controls, authorization, app to app, backups, logs, and domains.  
  • We have a Fortalice client advisory on how to begin to implement the MITRE ATT&CK framework to benefit your organization. The framework and our approach are a great foundation to prevent ransomware syndicates from gaining access to your systems, as the first six categories of MITRE ATT&CK are solely focused on thinking like an adversary when they want to gain access to your architecture, systems, and data.

There are more steps you can take to prepare for, thwart, and respond to a ransomware attack. If you would like a more in-depth best practices conversation and you are a customer of Fortalice Solutions, call our offices to ask for a free 30-minute best practices consult at 877.487.8160.  If you are not a customer, contact us at 877.487.8160 or email us at Watchmen@FortaliceSolutions.com and ask for an introduction call to discuss how we provide boutique security and intel solutions to the world’s best companies and organizations.  

If you are a victim of a ransomware crime or believe you might be, please report it to your local FBI field office or the FBI's 24/7 Cyber Watch (CyWatch). Unsure who your contact is? Fortalice can connect you, or go to www.fbi.gov/contact-us/field-offices. Want to chat with someone at FBI CyWatch? Call them at (855) 292-3937. You can also email them at CyWatch@fbi.gov.  
