The Colonial Pipeline and How to Prevent Ransomware Attacks
Few cyberattacks in recent memory have been as noteworthy or impactful as the Colonial Pipeline ransomware attack. For nearly a week, residents of southeastern US states found themselves hoarding gas and watching gas prices rise. But while the Colonial Pipeline attack was devastating to the infrastructure, it also provided a lot to learn – especially about how to prevent ransomware attacks.
How Does Ransomware Work?
Ransomware is a special type of attack that’s incredibly insidious, as it turns your reliance upon your business data against you. Rather than trying to steal data, the malicious attacker instead encrypts it. Your data cannot be accessed by them or by you; you’re stuck until you pay the ransom. Once the ransom is paid (which is often in the millions of dollars), you get your data back – at least in theory.
Recent ransomware attacks have been “honest,” to an extent; if you pay the ransom, you may well get your data back. But not only does recovering the data cost millions, your system is down for days or weeks – and that costs even more money. Paying a ransom is also no guarantee that your system will come back, and ultimately just encourages the ransomers to continue their operations.
So, how can you protect yourself from ransomware? What can we learn from the Colonial Pipeline ransomware attack?
Consider All Your Systems
It wasn’t the pipeline itself that got attacked; that would have been a far more devastating and aggressive act. It was the administrative systems governing monitoring and billing that were attacked, and the pipeline was shut down as a precaution to prevent further damage. It’s almost always the peripheral systems that get attacked, or at least attacked first – this is how attackers work their way toward the more sensitive layers of your infrastructure. There’s no system in your infrastructure that isn’t critical; it’s always a matter of the “weakest link.”
Keep It All Encrypted
Despite experiencing such an impactful and widespread attack, the Colonial Pipeline ransomware attack didn’t lead to a large amount of data being breached. With proper data encryption, all the criminals can do is shut down a system; they can’t actually read the information that’s been stored. Ransomware works by encrypting the data with a key that only the attacker holds, which means that you can’t access your own data. But if the data has already been encrypted by you, neither can the criminals.
Always Have Backups
While the Colonial Pipeline administration did pay the ransom, the decryption tool they received from the cybercriminals was too slow to be useful. They ultimately ended up restoring from backups. Restoring from backups can still be disruptive: there’s data loss (and you need to determine how much data was lost), and you need to make sure that the backups aren’t, themselves, corrupted. But having data backups is critical. If you have a backup that’s reliable and that hasn’t been compromised, ransomware can do very little to you.
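One way to check that a backup set hasn’t been corrupted before you trust it for recovery, written as an added example rather than anything from the original post or from Colonial Pipeline’s environment. It assumes a hash manifest recorded when the backup was taken and kept off the backup host; the entropy threshold and the sample files are constructed for the demo.

```python
import hashlib, math, os, tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits per byte; plaintext documents sit well below this (assumed cut-off)

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def shannon_entropy(data):
    """Bits per byte: 8.0 is uniformly random; encrypted content sits close to it."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(root):
    """Hash every file at backup time; store the manifest away from the backup host."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            manifest[os.path.relpath(path, root)] = sha256_file(path)
    return manifest

def verify_backup(root, manifest):
    """Before restoring, report files that are missing, changed, or now look encrypted."""
    findings = {"missing": [], "modified": [], "encrypted_like": []}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            findings["missing"].append(rel)
        elif sha256_file(path) != expected:
            findings["modified"].append(rel)
            with open(path, "rb") as f:  # changed AND near-random bytes: likely encrypted
                if shannon_entropy(f.read(65536)) > ENTROPY_THRESHOLD:
                    findings["encrypted_like"].append(rel)
    return findings

def demo():
    """Constructed sample: two small files; one is overwritten with random bytes, one deleted."""
    root = tempfile.mkdtemp()
    for name in ("billing.csv", "ops_log.txt"):
        with open(os.path.join(root, name), "w") as f:
            f.write("id,amount\n1,100\n" * 200)
    manifest = build_manifest(root)
    with open(os.path.join(root, "billing.csv"), "wb") as f:
        f.write(os.urandom(4096))  # stands in for encrypted content in the backup set
    os.remove(os.path.join(root, "ops_log.txt"))
    return verify_backup(root, manifest)
```

Run `demo()` to see the findings; in practice you would run `verify_backup` against the manifest before every restore and alert on any non-empty list.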
Have Cybersecurity Insurance
The truth is that most companies today are eventually going to experience some form of attack. The Colonial Pipeline likely had rather strong security and some significant security measures. Cybersecurity insurance protects you in two ways. First, it insulates you from the direct cost and consequences. And second, it protects against indirect issues, such as the cost of your business disruption. Even if you just need to restore your files from a data backup, that can take some time.
The Colonial Pipeline ultimately ended up paying about $4 million in ransom. And while this ransom was in part recovered, the price of Bitcoin (the cryptocurrency in which the ransom was paid) had gone down in the interim… so the Pipeline still lost a substantial amount of money, not even counting the cost of disruption, mitigation and security improvements.
How a Managed Services Provider Can Help
Analysts suspect that the ransom attack against the Colonial Pipeline could have been months in the making; they have no idea when the system was first breached. It’s possible that the back door could have been introduced to the system the previous year. Because of this, it also means the Pipeline could remain vulnerable; it’s possible the back door still existed in the backups that they restored.
Managed services providers don’t just provide best-in-class technology; they also monitor systems continuously to identify potential risks and hazards. It’s possible that with better monitoring and maintenance, the Colonial Pipeline intrusion could have been noticed and reacted to before the ransomware was actually deployed. MSPs today can use advanced technology to identify behavior that could indicate an attack.
The Colonial Pipeline had their own important ally: the FBI. The FBI was able to track down the ransom and the wallet key, so the ransom could be returned. It’s also possible they might have been able to track down the encryption key for the ransomware, given enough time and resources. But these aren’t resources that a normal company would have.
Is your company prepared for a ransomware attack? It’s time to find out. Contact Red River today for a full IT audit.