Ransomware attacks used to be relatively simple, if unpleasant, affairs. A device would be compromised, the user locked out, and a ransom notice would appear: Pay up if you want to access those files again. On an organizational level, hackers would sometimes gain enough presence in the network to be able to lock IT and users out of their systems. Many of these attacks would go largely unnoticed, even unreported with minimal impact to anyone except the victim organization.
But the Colonial Pipeline hack added a more sinister element – shutting down the pipeline backbone that provides 45% of the gasoline consumed by most of the U.S. eastern seaboard. Gas prices spiked as supplies began to run out. Lines appeared as panic set in at the pumps. The pipeline operator acted quickly and made a ransom payment of $4.4 million in bitcoin to the cybercriminals behind the breach. In return, the attackers provided Colonial with a decryption tool to regain access to its systems. Not surprisingly, the decryption tool turned out to be less than effective, forcing Colonial to restore from existing backups anyway.
But the success of the attack and the money paid are likely to embolden hackers to go after even more lucrative infrastructure targets. That’s why the FBI strongly advises organizations not to pay a ransom. It’s not unlike the policy of refusing to negotiate with terrorists. Paying the ransom not only emboldens the criminals, it does not guarantee complete recovery or prevent repeated ransomware attacks. The more you give in to their demands, the more likely they are to try again.
But Colonial Pipeline paid after careful consideration of what was best for all those who depend on its infrastructure. Some are now wondering if the FBI will carry out its threat to fine Colonial and others who decide to pay a ransom. This remains to be seen. Yet, in the high-stakes game of oil and gas, any fine is likely to be no more than a minor inconvenience compared to the potential revenue and profits at risk – perhaps one of the motivations behind the company paying fairly soon after the attack.
Brazen Attacks on the Rise
Expect, then, even more brazen and perhaps costly attacks on U.S. infrastructure, government, industry, and essential services. Remember the SolarWinds saga from earlier in the year? The vulnerabilities of the U.S. Government and its software contractors exposed in this case prompted the White House executive order on “Improving the Nation’s Cybersecurity” issued on May 12th. The fall-out from the Colonial Pipeline attack will likely lead to stiffer regulations imposed on pipeline operators and other critical infrastructure players. The broader market needs to pay attention, too, as the frequency of ransomware continues to rise:
Most organizations are understandably far more focused on their primary mission than on instituting cybersecurity measures. This often makes them easy targets. All it takes is one slip by IT or one gullible user and the bad guys can move in and do their damage. Increasingly, that damage involves ransomware.
Backup Not Enough
Some victims get lucky as they have a trustworthy and recent backup of all mission-critical files readily available. They can use it to recover quickly and avoid paying the ransom.
But the bad guys are wise to that recovery strategy. Hence, they often include strains of malware that hunt out backup files and infect them, too. When the targeted organization uses an infected backup to attempt a recovery, it is right back where it started – locked out of its systems.
The problem with backups is that they are generally left online. Companies have gotten used to using disk or the cloud for backups. These systems are always online, and therefore, subject to infection. Anything that is connected to the network is potentially within reach of a ransomware breach.
5 Best Practices to Minimize Risk
So while the FBI mulls over the question of fining companies that pay out ransoms, the FBI and its partners at CISA, DHS, and other agencies offer 5 best practices to minimize ransomware risks:
Number one above is where the tape air gap comes into play. Tape cartridges have always been designed to be easily removable and portable in support of any disaster recovery scenario. Thanks to the low total cost of ownership of today’s modern, high-capacity tape systems, keeping a copy of mission-critical data offline, and preferably offsite, is economically feasible – especially considering the prevalence of ransomware attacks and the associated costs of recovery, ransom payments, lost revenue, profit, and fines.
In the event of a breach, a wise organization can retrieve a backup copy from tape systems, verify that it is free from ransomware, and effectively recover. Ransomware attacks are no longer simply unpleasant affairs. Companies need to be prepared to mitigate the damage of ransomware, which can be very costly.
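The verification step described above needs something to compare against. As an added example (not code from the original article or any tape vendor), the script below records a SHA-256 manifest when a backup set is written and stored offline, then checks a copy against that manifest before it is used for recovery; the file names and contents are constructed for the demo.

```python
"""Added example: hash manifest for a backup set, so a copy that was encrypted or
tampered with while online is caught before anyone restores from it.
The manifest must live with the offline (air-gapped) copy, not beside the online one."""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file path (relative to root) to the SHA-256 hex digest of its contents."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def verify_backup(root, manifest):
    """Compare the copy under root with a trusted manifest.

    Returns sorted lists of files whose contents changed, files that vanished,
    and files that appeared (ransom notes, dropped binaries). An empty result
    is the only acceptable outcome before a restore."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed scenario: take the manifest, then simulate ransomware encrypting one
    file in place and dropping a ransom note in the online backup copy."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("ledger.csv", b"2021-05,4400000\n"), ("notes.txt", b"quarterly")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        manifest = build_manifest(root)  # this copy would be kept on the offline tape
        with open(os.path.join(root, "ledger.csv"), "wb") as fh:
            fh.write(os.urandom(32))  # stand-in for ciphertext written over the file
        with open(os.path.join(root, "README_RESTORE.txt"), "wb") as fh:
            fh.write(b"constructed ransom note")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    print(demo())
```

A real deployment would sign the manifest or store it only on the offline media, since a manifest kept next to the online copy can be rewritten by the same malware.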