Colonial Pipeline Ransomware Attack: What Happened? What You Can Learn?

Colonial Pipeline, a privately held largest pipeline operator in the United States was forced to proactively close down operations and freeze IT Systems after being a victim to a massive cyber attack. 

What Happened?

Darkside, a ransomware clan, has taken the responsibility for the attack. What they managed to do was, strike the Colonial Pipeline’s networks. 

The initial attack vector is not known yet but it could have been an old unpatched vulnerability in a system, a phishing email that successfully fooled an employee, the use of access credentials purchased or obtained elsewhere, or any other tactics. 

The oil company did take certain systems offline to contain the threat, which temporarily halted all pipeline operations and affected the IT system. 

As of today, the company had to pay a ransom of $5 million in return for a decryption key. This appears to be one of the largest and most successful cyberattacks on a critical component of a country’s infrastructure to date. 

Gartner Report Shows over 90% Ransomware Attacks Preventable

“Gartner report shows that over 90% of ransomware attacks are preventable, security and risk management leaders can mitigate the risk”. Learn more about “Ransomware Risk Assessment“

The Pattern Of Attack

Almost all ransomware attacks happen by a hacker group targeting a major organization through a vulnerability, an unpatched system or social engineering. 

Even after pulling in troops and resources we see this pattern repeating with another organization. 

There has been a spike in ransomware attacks since the start of the pandemic. This attack could have been a result of more engineers remotely accessing control systems for the pipeline from home using remote desktop software such as TeamViewer and Microsoft Remote Desktop. 

>>Given the current crisis, we are offering a limited number of  “Free Ransomware Risk Assessment“

What Could Be Done To Prevent The Attack?

The industry today needs a continuous form of security. The problem of open ports, cloud buckers, etc is persistent. 

Vulnerability testing 4 times a year or pentesting twice a year- it’s periodic in nature. Whereas, threat actors are trying to attack continuously. They really need a small window or one lucky day to break in. There is a need for continuous security testing to prevent these kinds of attacks.