<h1>How Colonial Pipeline managed its ransomware attack</h1>
<p><em>Should you contact authorities about ransomware?</em></p>
<p>Published 2021-05-13 on <a href="https://me-en.kaspersky.com/blog/pipeline-ransomware-mitigation/18331/">Kaspersky Daily</a>. Tags: anti-ransomware-day, darkside, extortion, ransomware.</p>
<p>The recent ransomware attack on Colonial Pipeline, the company that controls the pipeline network supplying fuel to a large chunk of the US East Coast, is one of the most high-profile in living memory. Understandably, the details of the attack have not been made public, but some scraps of information have found their way into the media, and from that we can derive at least one lesson: Promptly informing law enforcement can reduce the damage. Of course, not everyone has a choice — in some states victims are obligated to inform regulators. However, even where that is not required, such a move may be useful.</p>
<h2>The attack</h2>
<p>On May 7, ransomware hit Colonial Pipeline, which operates the largest fuel transfer pipeline on the US East Coast. Employees had to take some information systems offline, partly because some computers were encrypted, and partly to prevent the infection from spreading. That caused fuel-supply delays along the East Coast, sparking a 4% rise in gasoline futures. To mitigate the damage, the company <a href="https://www.forbes.com/sites/christopherhelman/2021/05/10/fbi-colonial-pipeline-hacked-by-apolitical-group-darkside/?sh=20ffb0134418" target="_blank" rel="nofollow noopener">plans to increase fuel deliveries</a>.</p>
<p>The company continues to restore its systems, but <a href="https://zetter.substack.com/p/biden-declares-state-of-emergency" target="_blank" rel="nofollow noopener">according to sources on the Zero Day blog</a>, the problem lies less in the service networks than in the billing system.</p>
<h2>Federal lockdown</h2>
<p>Modern ransomware operators not only encrypt data and demand ransom to decrypt it, but also steal information as leverage for extortion. In the case of Colonial Pipeline, the attackers <a href="https://securityboulevard.com/2021/05/colonial-pipeline-fail-ransomware-gang-threatens-gas-supplies/" target="_blank" rel="nofollow noopener">siphoned off about 100GB</a> of data from the corporate network.</p>
<p>However, <a href="https://www.washingtonpost.com/business/2021/05/10/colonial-pipeline-gas-oil-markets/" target="_blank" rel="nofollow noopener">according to the <em>Washington Post</em></a>, external incident investigators quickly figured out what had happened and where the stolen data was, and then contacted the FBI. The feds, in turn, approached the ISP that owned the server holding the uploaded information, and had it isolated. As a result, the cybercriminals may have lost access to the information they stole from Colonial Pipeline; that quick action at least partially mitigated the damage.</p>
<p>Knowing that happened doesn’t bring the company’s main pipelines back online, but the damage, though considerable, could have been far worse.</p>
<h2>Attribution</h2>
<p>It seems the company was attacked by DarkSide ransomware, which can run on both Windows and Linux. Kaspersky products detect the malware as Trojan-Ransom.Win32.Darkside and Trojan-Ransom.Linux.Darkside. DarkSide uses strong encryption algorithms, making data restoration without the right key impossible.</p>
<p>On the surface, <a href="https://www.kaspersky.com/blog/darkside-ransomware-industry/39377/" target="_blank" rel="noopener nofollow">the DarkSide group looks like</a> an online service provider, complete with helpdesk, PR department, and press center. A note on the perpetrators’ website says their motivation for the attack was financial, not political.</p>
<p><a href="https://media.kasperskydaily.com/wp-content/uploads/sites/37/2021/05/13015256/pipeline-ransomware-mitigation-darkside.jpg"><img src="https://media.kasperskydaily.com/wp-content/uploads/sites/37/2021/05/13015256/pipeline-ransomware-mitigation-darkside.jpg" alt="DarkSide's reaction to the media" width="933" height="139"></a></p>
<p>The DarkSide group uses a <a href="https://encyclopedia.kaspersky.com/glossary/ransomware-as-a-service-raas/" target="_blank" rel="nofollow noopener">ransomware-as-a-service</a> model, providing software and related infrastructure to partners that carry out the attacks. One of those partners was responsible for targeting Colonial Pipeline. According to DarkSide, the group did not intend to cause such serious social consequences, and it will henceforth keep a closer eye on which victims its “intermediaries” choose, but it’s hard to take one statement in a long list of PR tricks too seriously.</p>
<h2>How to stay safe</h2>
<p>To protect your company from ransomware, our experts recommend the following:</p>
<ul>
<li>Prohibit unnecessary connections to remote desktop services (such as RDP) from public networks, and always use strong passwords for such services;</li>
<li>Install all available patches for VPN solutions that you use to connect remote workers to the corporate network;</li>
<li>Update software on all connected devices to prevent vulnerability exploitation;</li>
<li>Focus defense strategy on detecting lateral movement and data exfiltration, with special attention to all outbound traffic;</li>
<li>Back up data regularly and make sure that in case of emergency you have ready access to the backups;</li>
<li>Leverage <a href="https://me-en.kaspersky.com/enterprise-security/threat-intelligence?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______" target="_blank" rel="noopener">threat intelligence</a> data to stay up-to-date on attack tactics, techniques, and procedures;</li>
<li>Use security solutions such as <a href="https://me-en.kaspersky.com/enterprise-security/threat-management-defense-solution?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____tmd___" target="_blank" rel="noopener">Kaspersky Endpoint Detection and Response</a> and <a href="https://me-en.kaspersky.com/enterprise-security/managed-detection-and-response?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______" target="_blank" rel="noopener">Kaspersky Managed Detection and Response</a> that help stop attacks early on;</li>
<li><a href="https://k-asap.com/en/?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___" target="_blank" rel="noopener">Train employees to mind the security of the corporate environment</a>;</li>
<li>Use <a href="https://me-en.kaspersky.com/small-to-medium-business-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______" target="_blank" rel="noopener">a reliable solution for endpoint protection</a> that counters exploits and detects anomalous behavior and can roll back malicious changes and restore the system.</li>
</ul>
<p>The Colonial Pipeline example shows the advantage of contacting legal authorities — and quickly. There’s no guarantee they’ll be able to help, of course, but it might just minimize the damage.</p>