nGuard

Call us p. 704.583.4088
Client PortalSpeak to An Expert

Managed Event Collection

Colonial Pipeline – Timeline Of Events

On Friday May 7th Colonial Pipeline suffered a cyberattack involving ransomware, causing them to shutdown their IT systems and temporarily pause production on a majority of their pipelines. Additional details of the attack are still coming out each day, but here is a current timeline of events and details of how the hacker group, DarkSide, has carried out its attacks based on publicly available information.

May 6th 
Colonial Pipeline networks are breached, 100GB of data is stolen and computers are encrypted with ransomware.

May 7th 
Colonial Pipeline paid $4.4 million to DarkSide hacking group to decrypt their infrastructure.

May 8th 
Colonial Pipeline, along with U.S. Government organizations and U.S. companies take systems offline that were in control by the hackers.

Colonial Pipeline issues statement on attack stating they have been victims of ransomware and have engaged a third-party cybersecurity firm and alerted law enforcement. Source:Colonial Pipeline Statement

May 9th
Colonial Pipeline issues second statement giving an update of their investigation into the attack and the status of their pipeline operations. Source: Colonial Pipeline Statement

May 10th 
FBI issues statement confirming DarkSide is the responsible party for the hack.

Colonial Pipeline issues a statement that their goal is to substantially restore service by the end of the week.

Colonial Pipeline manually operates a line from Greensboro, NC to Woodbine, MD for a limited period of time, but other main lines continue to be offline.

May 11th 
CISA and FBI issue cybersecurity advisory describing ransomware used by DarkSide with strategies for risk mitigation. Source:Joint Advisory.

Colonial Pipeline’s website is offline for part of the day.

May 12th 
Colonial Pipeline’s website is restored and a new website is provided to address their response to the attack. Source: CP Cyber Response

Colonial Pipeline is able to restart services around 5:00pm. It will still take many days to replenish the depleted supply chain after panic buying of fuel and delayed fuel deliveries.

How Did Darkside Launch the Attack?
Based on research of DarkSide, the below methods are the tactics they have typically followed in recent attacks. Source: DarkSide Ransomware Research

  1. Attackers were able to gain access in a few different ways:
    1. Phishing attacks
    2. Brute-force password attacks
    3. SQL Injection against VPN networks
    4. Utilizing TeamViewer
    5. Installing backdoors
  2. Once inside the network, attackers escalated privileges by:
    1. Exploiting the Zerologon vulnerability.
    2. Utilizing Mimikatz.
    3. Accessing and dumping Local Security Authority Subsystem Service (LSASS).
  3. With privileged access, DarkSide uses PowerShell and Certutil to deploy and execute the ransomware across the network.

Where to go from here?
The attack methods used by DarkSide should lead to a review of your organization’s security assessment programs to ensure the below critical assessment activities are included.

nGuard’s security assessment portfolio can help your organization find your vulnerabilities before the bad guys do. If your organization falls victim to a ransomware attack like Colonial Pipeline, bring in our experts for your Cybersecurity Incident Response.

Should We Pay The Ransom?

Summary
Has your organization been a target of ransomware? Did you pay the ransom? If so, did you get all your data back? Whenever an organization becomes a victim of a ransomware attack, paying the malicious attackers may seem like the only hope, especially for companies that don’t have proper backup procedures in place. Unfortunately, statistics are showing us that paying the ransom guarantees little in return. Here are some key data points collected from a large sample size of mid-sized organizations spread across the globe.

  • In 2021, 37% of organizations have experienced some type of ransomware attack.
  • The average costs of remediating against a ransomware attack grew in 2021 to $1.85 million.
  • The average cost of paying the ransom grew to $170,000.
  • 32% of the organizations affected by a ransomware attacks decided to pay the malicious actors.
  • ONLY 8% WERE ABLE TO DECRYPT AND RECOVER ALL THEIR DATA AFTER PAYING THE RANSOM!

The last point truly brings reality into check. Paying the ransom rarely pays off. This can be attributed to many factors, but the overwhelming majority of organizations say that they received the ransom key after payment, but were unable to use it in an effective manner. This can be linked to poorly coded malware and IT teams with limited experience.

What Can You Do?
It is extremely important for organizations to take proper precautions to protect themselves against the increasing threat of ransomware.

  • Perform monthly or quarterly vulnerability scans against your external perimeter and internal networks to stay up to date with the latest vulnerabilities that could give an attacker their initial foothold.
  • Perform annual penetration testing to protect against advanced techniques that may allow an attacker to pivot once they have a foothold.
  • Create effective Incident Response policies and procedures.
  • Conduct tabletop exercises to validate and identify gaps in your Incident Response Plan.
  • Perform consistent security awareness training with employees to limit the chance of successful social engineering and phishing attacks.
  • Have proper onsite and offsite backup policies and procedures in place. If you fall victim to ransomware, you may be able to recover from backup, with limited, if any data loss, and not rely on paying a large sum of money for an 8% chance of getting your data back.

When it comes to protecting your organization’s critical data, it’s time to get serious. nGuard is ready and willing to discuss all these preventative solutions with you and your team.

Chat Icon Chat Close

Learn how nGuard can secure your data

Ready to take the next step? Speak to an nGuard expert and get your questions answered today.

Chat Popup

No thanks, maybe later