Late on Friday, May 7th, 2021, Colonial Pipeline faced a massive shutdown due to a ransomware attack. This attack affected critical infrastructure, shutting down pipeline operations for the biggest gasoline, diesel, and jet fuel pipeline in the US.
Early reports indicate that the ransomware used in the attack was supplied by DarkSide, a Ransomware-as-a-Service (RaaS) operation that leases its malware to affiliates who carry out the intrusions. DarkSide is emerging as a powerful new player in a burgeoning arena of organized cybercrime providers. DarkSide employs a particular style of ransomware attack referred to as “double extortion”. The method was first identified in 2019, and its use had exploded by the end of 2020.
In a typical ransomware attack, malicious actors gain access to an organization's internal systems and encrypt its data; the decryption key is provided to the victim only once the ransom demands are met.
Double-extortion methods rely on the same underlying principle, but the malicious actors also steal (exfiltrate) the data before encrypting it and threaten to publish it if further ransom demands are not met. This is what makes the method so effective: restoring from backups removes the first lever but does nothing about the second.
Ransomware attacks in general are growing at an alarming rate. The insurance firm Beazley reported in its Breach Insight Report that the first quarter of 2020 saw a 25% increase in ransomware attacks over the fourth quarter of 2019, which pales in comparison to the 300% increase so far in 2021.
While the brazen attack on Colonial Pipeline is cause for alarm, it's not surprising. During my time assessing critical infrastructure for the Department of Energy, our discussions revolved around not if, but when, attacks would occur. And while those efforts were meant to help sites improve their proactive measures and planning, the truth is that most places maintain a reactive cybersecurity posture.
One of the most important things your organization can learn from the Colonial Pipeline attack is that attacks against your organization will occur. Again, attacks against your organization will occur.
You're probably racking your brain for reasons why your organization is not a target, why you wouldn't actually be attacked, and why your program is too effective for any attack to get through.
A strong cybersecurity posture relies on accepting that, no matter your industry or your organizational reach, you will be a target for someone at some point. Once you have acknowledged the very real threats to your organization, what additional “left of bang” strategies (measures taken before an incident rather than after it) should you employ to better protect your data?
A good place to start is with frequent testing and auditing of your cybersecurity program. This gives you a clear picture of how current your policies are and where your programmatic gaps lie. Learn more about scheduling a DevSecOps assessment to Shift Left and protect your organization.
When new threats emerge and you are unsure whether your organization is adequately prepared, simulated attack testing, tailored to your environment, can highlight potential vulnerabilities or areas of concern.
Threats such as double-extortion ransomware may be newly recognized in the media, just as the EternalBlue exploit was in 2017, but the technical concepts behind them are often familiar to experienced cybersecurity practitioners.
It can be extremely beneficial to your organization to bring in an experienced third-party cybersecurity firm to provide an unbiased assessment of your security program. This tactic can provide your organization with a fresh perspective backed by real-world experience.
Whether you choose to partner with an experienced cybersecurity firm or go it alone with your own internal audit, it's important to stay up to date on the latest vulnerabilities, threats, and cybersecurity trends.
If you want to know more about the DarkSide attack, ransomware, and what others are doing to protect themselves, reach out to us here at NextLink Labs. We would be happy to answer any questions to support your organization and your endeavor to improve your cybersecurity program.
As always, stay safe, stay secure, and stay curious.