It has been barely a month since we reported on the ransomware attack on the Colonial Pipeline Company, yet news continues to break with additional revelations about the attack. What we have learned during the past several weeks should give businesses encouragement, while reinforcing some important lessons.
Shortly after the attack, it was revealed that Colonial Pipeline paid roughly $4.3 million in bitcoin (BTC) to obtain the decryption key from the attackers, allowing Colonial to access its data and begin restoring its systems. On June 7, 2021, the Department of Justice announced that it had recovered 63.7 BTC, valued at approximately $2.3 million, allegedly representing funds paid to the group DarkSide, which had targeted Colonial in the ransomware attack. According to the Department, the Federal Bureau of Investigation was able to track multiple transfers of BTC and to identify the virtual currency wallet used by DarkSide to collect payment. Based on this, law enforcement was able to seize the funds, via a warrant, using a private key in its possession. This is a significant development in the investigation of ransomware attacks and good news for future investigations. For more information about Bitcoin technology, please review our recent articles here.
Colonial Pipeline’s CEO Joseph Blount testified before Congress concerning the attack this week. Blount’s testimony revealed that the ransom payment was made the day after the attack, and that the hackers had gained access to the company’s network and exfiltrated data by compromising a legacy VPN account that, unlike the company’s other remote access accounts, was protected by a single password rather than multi-factor authentication. It is unclear how the password was compromised. Blount also testified that, although the decryption key was obtained from the hackers, the company is still recovering from the attack, and that the emergency response processes already in place helped the company respond swiftly.
After watching the events unfold surrounding the ransomware attack on Colonial Pipeline – a critical infrastructure facility – there are some key takeaways for all businesses, large or small, to reduce risk:
- Ensure incident response plans are up to date and include specific steps to address a ransomware attack, and consider performing “tabletop” exercises to practice responding to events
- Use multi-factor authentication across accounts and keep track of all user accounts, including remote access accounts
- Understand that ransomware can impact any business
- Even if a business decides to pay ransom, it will likely take some time to get systems back up and running
Falling victim to a ransomware attack can cause significant damage, particularly to smaller businesses that lack the resources to recover from such an attack. Don’t go it alone.