On May 7, Colonial Pipeline suffered a devastating malware attack deployed by the Eastern European Ransomware as a Service (RAAS) practitioner DarkSide. The attack forced Colonial Pipeline to shut down over 5,500 miles of infrastructure, ranging from the Gulf Coast to the Eastern Seaboard. More than 11,000 gas stations were forced to close, causing fuel shortages and raising gas prices to a seven-year high.
The ransomware used is thought to be a GandCrab malware variant, encrypting over 100 gigabytes of Colonial Pipeline’s data. With plans to extort upwards of $28 million from the $15 billion Colonial Pipeline, DarkSide mocked the company’s security failure on social media.
Some strategists believe ‘big game hunting’ was the intent of the Colonial Pipeline breach, which describes an attacker's intent to hunt down high net-worth targets, specifically those able to pay a large ransom. Threat actors who deploy these methodologies can lurk on the systems of organizations for months before an alert or indicator of compromise is triggered. Hackers prey on an organization’s poor security posture, gullibility, and general lack of cybersecurity awareness and training.
Many publicly traded companies are hesitant to acknowledge ransomware attacks in their SEC filings, despite the fact that millions of these attacks cripple organizations and individuals yearly. It is important to note that the SEC describes these breaches as a material event that may influence an investment decision. Organizations also fear the sort of publicity Colonial Pipeline (a privately held company) suffered and the subsequent alarm to investors that could potentially drive down their stock price.
On average, studies show that data breaches can cost a company upwards of $4 million. Most of the strategy required to address such threats involve the company implementing end-user training, ranging from creation of a firm password policy to developing an incident response strategy. Education and training are key to protect your company from cybersecurity compromise.
Best practices for preventing and responding to ransomware attacks include:
Backups- Maintain a consistent backup strategy, including policies that specify the required frequency of backups for critical infrastructure and data. Most importantly, test your restore capabilities on a regular basis. A backup that cannot be restored during incident response is equivalent to having no backup at all.
Endpoint Security- Install and continuously update an endpoint security/anti-malware solution from a top-tier vendor on all operating systems, as every commercial OS is vulnerable to malware, including ransomware. Independent testing labs such as AV-TEST and AV Comparatives are excellent sources of data on protection efficacy of different vendors. Top-tier vendors may also provide fix tools for unencrypting some types of ransomware.
Training- Many successful ransomware attacks start with email or social media phishing as the initial infection vector. Ensure employees are regularly trained to recognize and avoid phishing attacks, then test their awareness through internal phishing attempts to reinforce awareness and diligence.
CYBRScore offers a wide range of training, from the essentials of cybersecurity awareness to more advanced topics like endpoint detection and response. Round-the-clock training is available anywhere an internet connection exists. Our proven program can evaluate, train, and reevaluate your operational and cybersecurity staff to ensure they have the skills required to protect your company's data from attack.
Contact us today to evaluate your cybersecurity risks and your options to secure your organization’s assets.