
Gas Shortage Leads To Big Pay Day For Hackers

Colonial Pipeline pays hacker group millions of dollars in ransom

Following a ransomware attack on Colonial Pipeline, millions of Americans were left without a way to fill up their vehicles as fuel distribution was brought to a halt on the East Coast. Although the company was able to restart operations on Wednesday, reports began to surface that Colonial Pipeline had paid DarkSide, the group responsible for the cyber attack, a $5 million ransom, leading security experts to believe that these kinds of attacks will only continue.

While proponents of a zero-tolerance approach to paying ransomware groups were undoubtedly upset with Colonial Pipeline’s decision, there were many factors for the company to consider, as thousands of gas stations were without fuel, including 90% of gas stations in the nation’s capital. Another potential problem that led to the ransom payment was the fear that the company’s billing system had been infected with ransomware, so it had no way to track fuel distribution and bill customers.

The Washington Post reported last week that “Colonial and its cybersecurity consultants were working to secure its servers, having decided not to pay a ransom demanded by foreign hackers, according to two people familiar with the matter.” Subsequent news conflicted with this statement, as Bloomberg reported that 75 Bitcoin (worth $5 million) had been paid to DarkSide.

During a press briefing, White House Press Secretary Jen Psaki told reporters that the government’s stance is to tell victims of ransomware attacks not to give in to the attackers’ demands, but realized this wasn’t always the reality. Many cybersecurity experts expressed their displeasure with Colonial’s decision, but recognized that there isn’t really a way to win in these situations.

“I can’t say I’m surprised, but it’s certainly disappointing,” says Brett Callow, a threat analyst at antivirus company Emsisoft. “Unfortunately, it’ll help keep United States critical infrastructure providers in the crosshairs. If a sector proves to be profitable, they’ll keep on hitting it.”

“For some organizations, their business could be completely destroyed if they don’t pay the ransom,” says Katie Nickels, director of intelligence at the security firm Red Canary. “If payments aren’t allowed you’ll just see people being quieter about making the payments.”

“You shouldn’t pay, but if you don’t have a choice and you’ll be out of business forever, you’re gonna pay,” says Adam Meyers, vice president of intelligence at the security firm CrowdStrike. “In my mind, the only thing that’s going to really drive change is organizations not getting got in the first place. When the money disappears, these guys will find some other way to make money. And then we’ll have to deal with that.”

The cyberattack on Colonial Pipeline prompted the Biden Administration to issue the “Executive Order on Improving the Nation’s Cybersecurity” on Wednesday. The order allows the Department of Homeland Security to create a Cyber Safety Review Board to investigate and debrief “significant” cyberattacks. While the order might allow for more transparency with regard to the nation’s cybersecurity issues, the fact that companies pay these ransoms doesn’t give ransomware groups any reason to stop.

Last week it was a major fuel provider. Next week, it could be a hospital, or an entire electrical grid. As long as there are high-value targets with money to spend, there will be groups looking to take advantage of their dated infrastructure.
