Three lessons from the Colonial Pipeline breach

On May 8, 2021, US Colonial Pipeline shut down its operations due to a ransomware cyberattack, leading to a rarely issued emergency declaration by the U.S. federal government on Sunday, May 9, 2021. US Colonial reportedly paid USD 5 million to the ransomware operators in order to decrypt its information technology systems. The Federal Bureau of Investigation announced that the cyberattack involved ransomware run by a group called DarkSide, operating out of Russia.

DarkSide’s Ransomware-as-a-Service (RaaS) and Ransom and Digital Extortion (RaDE) Model

Ransomware is malicious code that prevents the legitimate users of a computer system from accessing any of the information on that system until a ransom is paid to the operator of the ransomware.

DarkSide employs a Ransomware-as-a-Service (RaaS) model, meaning that there is some sort of profit-sharing arrangement between the hackers who gain unauthorized access to a computer network, known as “affiliates,” and the individual(s) operating the ransomware software, known as “operators.” For a RaaS like DarkSide, it is important to understand that the affiliates who initially break into the impacted network often deploy ransomware only at the end of a much longer hacking campaign against the breached system. Additionally, there is nothing to prevent a hacking group from using different types of RaaS or ransomware solutions in connection with their hacking campaigns.

DarkSide utilizes a Ransomware and Digital Extortion (RaDE) model, which means that the hackers that ultimately deploy ransomware will exfiltrate sensitive information before deploying the ransomware. The stolen information can then be used to extort the victim company into paying the ransom, often through public dissemination and humiliation.

Threat groups using the RaDE model are known to target multiple industries and can be extremely problematic for any company dealing with the question of data breach notifications, because the use of such a model could lead to the presumption that sensitive data has left the corporate network.

Successful payment may incentivize similar attacks

Last year, the DarkSide group announced their ransomware service, claiming that they were seeking to make money and not “kill your business.” They would not, based on their own stated principles, attack hospitals, educational institutions, non-profit organizations, or the government.

In response to heightened awareness around the US Colonial Pipeline breach, the DarkSide group posted a message on its website indicating that they are “apolitical” and not affiliated with any government. More recently, the group claims it will disband. Whether DarkSide disbands or simply decides to operate under a new name is academic. Other ransomware operators are out there and more will come. Nor is this the first ransomware operator to hit the pipeline sector: the US Cybersecurity and Infrastructure Security Agency issued an alert just last year relating to a similar attack on a gas pipeline company.

Perhaps DarkSide’s public statements were meant to provide some comfort that a company will not be sanctioned for paying their ransom. When it comes to ransomware, both corporate hacking victims and hackers are keenly aware of the risk of sanction by the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC). Just last October, OFAC issued an advisory alert reminding companies that it may impose liability for sanctions violations on a strict liability basis, meaning that regardless of what an organization may believe in good faith and/or for good cause, it may still be sanctioned by OFAC if it facilitates payments to a covered nation or entity.

The advisory alert also notes that “Under OFAC’s Enforcement Guidelines, OFAC will also consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus.”

What should companies be doing in response to this threat?

1. It’s not only about the ransomware & it’s not only about pipelines

It is no surprise that in the wake of a significant ransomware cyberattack, most of the public discussion is about the ransomware itself. This is because, in a successful ransomware campaign, deployment of the software is what triggers the victim’s awareness that they have been hacked, and the most readily available and useful forensic evidence will often relate to the ransomware software itself. But someone first needs to hack into a network to deploy the ransomware, and that individual can choose to use any type of ransomware s/he has access to.

Over the past year, it has been reported that hackers are spending more time “exploring” systems between the day of the initial intrusion and triggering the ransomware. Accordingly, it is not enough for security teams to report back that no signatures associated with the ransomware itself have been identified within the network. Senior leadership of organizations needs to ensure that security teams are reporting against a wide range of threat signals, such as early warnings of data exfiltration and of ransomware attacks.

Organizations that are less sure of their maturity in responding to cyber threats should use Colonial as an opportunity to assess the risk to their business, not just from ransomware (e.g., through an independent technical risk assessment), but also to consider more broadly whether they have the right fundamental measures in place for a reasonable cybersecurity program, one that can actually help prevent an event like this from occurring.

Such steps are critical for any company, not just power and energy companies. Regulators around the world in multiple sectors have been focusing on resilience, and cyber resilience is a key element.

2. Of course, it’s also about the ransomware

Preparedness means having the ability to make tough decisions, but more importantly, having some idea of what those decisions (other than “to pay or not to pay”) will have to be. Accordingly, assessments including live tabletop exercises can be incredibly helpful in preparing for the worst, helping to identify pinch points and areas of weakness. Incident response plans should also have specific provisions for ransomware. Also consider having specialized ransomware vendors selected in advance, in addition to forensic providers.

And then there is cyber insurance to consider. Such insurance often helps companies with both the response costs and the actual ransom payments. However, in the evolving world of cyber insurance, recent reports are that at least one major cyber insurer will cease covering ransom payments in France due to pressure from the government. This could easily start a trend as governments realize that the best way to discourage ransomware is to make it unprofitable.

That is not to undermine the importance of the “to pay or not to pay” issue. Tabletop exercises can also help here, giving leadership the opportunity to debate the practical issues each approach raises and how they line up with the organization’s values and public commitments. Preparedness in this space unfortunately may mean having the ability to engage with the ransomware operator and potentially pay a ransom, a course of action fraught with legal and business risk. Thinking through in advance the issues under OFAC, the UK Proceeds of Crime Act 2002 and similar legislation in an organization’s key markets can help accelerate resolution if an incident occurs.

Preparedness also means considering legal privilege. Over the past year that concept has evolved significantly under U.S. case law. Recent opinions requiring the production of forensic reports mean companies should re-evaluate their relationship with incident response firms. Engaging an incident response firm through outside counsel specifically for an event is now favored as a means of protecting the results of the investigation, though this does not necessarily ensure the report will be protected by privilege in all jurisdictions. Again, preparatory steps can be taken to make that process quicker if an incident occurs.

3. Be ready to answer questions about your readiness

Ransomware risk is a topline concern for virtually any company housing sensitive digital information or operating critical control systems. Rest assured that questions regarding your readiness will come from investors, lenders, regulators, business partners, clients, and/or prospective clients. Accordingly, it is not enough to be ready for ransomware attacks; that readiness must also be documented in a consistent manner, not only to answer questions from external sources, but to be able to continuously revisit and improve your security posture.

By Erez Liebermann and Andrew S. Pak