Responding to Ransomware Learning from Colonial Pipeline

Newmeyer Dillion

Ransomware has recently come to the forefront of national news. The most prominent ransomware attack, the one perpetrated against Colonial Pipeline by the now-defunct "Dark Side" group, has served to remind businesses of the risks of ransomware. What happened to Colonial Pipeline? What can businesses learn from Colonial Pipeline's response? What should a business avoid?

What happened to Colonial Pipeline?

Colonial Pipeline, a Georgia-based operator of fuel pipelines, had its billing software compromised by Dark Side's ransomware attack.1 Following this, Colonial Pipeline took proactive measures to (1) shut down its systems; (2) evaluate the issue; and (3) safely bring systems back online after ensuring that they were not compromised.

Colonial Pipeline did eventually pay the $4.4 million ransom demand from Dark Side. What it got in return was a decryption key, as promised, which turned out to be slower than restoring from Colonial Pipeline's own backups.2 The ultimate result of this event was an initial cost of $4.4 million, in addition to lost profits, additional security costs, reputational costs, and litigation costs, as consumers filed a class-action lawsuit to hold Colonial Pipeline accountable for its perceived lapse in security.3 Further, the fallout from Colonial Pipeline has prompted additional cybersecurity efforts and changes by the Biden administration, including proposed regulations requiring pipeline companies to inform the Department of Homeland Security of cybersecurity incidents within 12 hours, to keep a cybersecurity coordinator on staff at all times, and to review their current security measures.

How to Respond to Ransomware Attacks

While no business would ever want to deal with a ransomware attack, Colonial Pipeline's efforts give a basic outline of how to address one, in addition to providing information that can be used to identify improvements.

  1. Be proactive. Even where it is not currently required, the best defense against ransomware attacks is internal training and ongoing evaluation of security.
  2. Plan how to continue operating after being hit by a ransomware attack. This is mainly done by establishing reliable backup systems and a backup routine, so that operations can continue without relying on the attacker's decryption key.
  3. Do not pay the attackers. While the attacker may provide the decryption key or refrain from leaking the stolen material, this is not guaranteed. Further, the Treasury Department has issued an advisory stating that the payment of ransomware demands may result in sanctions, though prompt reporting of a ransomware attack could be treated as a mitigating factor.4
  4. Inform the relevant authorities. While this clearly includes federal agencies, such as those named in the Treasury's ransomware advisory, some localities also have a cybercrime division, such as the Orange County Sheriff's Department in California.
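Points 2 and 3 above rest on one practical capability: being able to trust your own backups instead of the attacker's decryptor. The following is an added example, not code from the article or from Colonial Pipeline, showing the minimum a backup routine should do: record a SHA-256 manifest of every file at backup time and, at restore or verification time, report which files are intact, modified, missing or unexpected. The "billing" directory, its files and the simulated ransomware damage are all constructed here for the demonstration.

```python
"""Backup manifest and restore verification (added example; hypothetical data)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_against_manifest(root: Path, manifest: dict) -> dict:
    """Compare the current tree with a manifest taken at backup time.

    A ransomware run typically shows up as many 'modified' entries (files
    overwritten with ciphertext) plus 'unexpected' entries (ransom notes).
    """
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    expected = set(manifest)
    for rel, digest in manifest.items():
        path = root / rel
        if not path.is_file():
            result["missing"].append(rel)
        elif sha256_file(path) != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel not in expected:
            result["unexpected"].append(rel)
    return result


def demo() -> dict:
    """Build a manifest, simulate damage, and verify. Returns the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "billing"  # hypothetical billing-system data directory
        (live / "invoices").mkdir(parents=True)
        (live / "invoices" / "2021-05.csv").write_text("acct,amount\n1001,42.00\n")
        (live / "config.ini").write_text("[db]\nhost=localhost\n")

        # Backup time: the manifest is written as a separate artifact. In practice
        # it is stored with the offline backup copy, not on the live system.
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(live), indent=2))

        # Constructed damage: one file overwritten with random bytes (standing in
        # for ciphertext) and a ransom note dropped alongside the data.
        (live / "invoices" / "2021-05.csv").write_bytes(os.urandom(64))
        (live / "README_DECRYPT.txt").write_text("constructed ransom note")

        # Verification time: reload the manifest from its own file and compare.
        manifest = json.loads(manifest_path.read_text())
        return verify_against_manifest(live, manifest)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:>10}: {files}")
```

The same verify_against_manifest() call run against a restored backup tree, rather than the damaged live tree, is what tells you the restore is complete before you bring systems back online, which is the check Colonial Pipeline's third step (bringing systems back online only after confirming they were not compromised) depends on.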

4 Generally, OFAC may impose civil liability on a strict-liability basis, so not knowing that a payment was prohibited does not necessarily remove civil liability. Instead, the existence, nature, and adequacy of a sanctions compliance program are factors that OFAC may consider when determining what action to take, including the levying of sanctions.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Newmeyer Dillion | Attorney Advertising
