The attack that hit Colonial Pipeline last week is a novel form of cybercrime that puts normally staid corporate entities in the vise of an old-school extortion scheme, one in which a company’s balance sheet, insurance status and capacity to absorb the pain of a lengthy operational shutdown may all come into play.
The attackers, specialists in a type of hack called ransomware, penetrated the company’s administrative network and locked employees out of company computers, forcing the unexpected shutdown of the Eastern Seaboard’s main supply source of diesel, gasoline and jet fuel.
Colonial is getting help from private cybersecurity experts, but the company is largely alone in facing a barrage of unenviable choices — not the least of which is whether to negotiate with the hackers and pay the ransom, according to security experts and veteran negotiators. Colonial’s executives — as well as much of the country — are now getting a brutal lesson in the efficiencies of ransomware and the fact that the hackers hold most of the key advantages. Some ransomware groups, including DarkSide, the group that is suspected of breaching Colonial, now make it a regular practice to lock up a victim’s data and steal it, too, threatening to make it public as part of the extortion demand.
Colonial is emerging from what is typically the most crucial stage of a ransomware attack — the first 72 hours — a highly stressful and weighted period that may reveal the scope of the damage inflicted on operations and the cost of the recovery, according to cybersecurity experts. Colonial said Monday it expects service to be mostly restored by the end of the week.
In the days since the breach, Colonial and its incident response contractor, FireEye’s Mandiant, have been in a race to kick out the hackers while trying to determine exactly how widely the malware’s infection spread. One key question is how much data can be restored without paying the ransom, according to Chester Wisniewski, principal research scientist at the cybersecurity firm Sophos.
“In most cases, we’d still be trying to figure out if we got them out of the system or if there are still ways they can break back in,” Wisniewski said. “In the first couple days, you’re just trying to make sure the attacker can’t just undo whatever steps you plan to take once you get to the recovery stage.”
Colonial has said nothing about whether it intends to pay a ransom — or even whether the company is negotiating with the hackers. It’s known that the DarkSide attackers stole nearly 100 gigabytes of data before encrypting the company’s files and demanding payment, according to two people familiar with the investigation.
“This is pretty scary for the Colonial folks,” said Vicki Knott, chief executive officer of Crux OCM, a company that seeks to automate pipeline control rooms. “Colonial is better off figuring out a ransomware deal than they are having this data leaked and then paying for lawsuits with all their customers.”
Among the more sobering possibilities, Knott said, is that the hackers stole commercial data that is sensitive for any pipeline operator, including what different producers pay to ship products through the pipeline.
Because ransomware is now a global criminal enterprise, Colonial will have a small army of experts available to help executives work through the variables. Colonial’s insurer will likely get involved and might provide an approved list of negotiators that the company should use if it chooses to communicate with the hackers.
Typically, those negotiators have worked scores of similar cases and may have negotiated with the DarkSide hackers before. The victim and the hackers may haggle over the ransom demand, sometimes for days, before agreeing on a final number. DarkSide has previously sought ransoms in the single-digit millions of dollars, but given the magnitude of the Colonial attack, the price tag could be higher, according to cybersecurity experts.
In past attacks, some companies have made a choice not to pay, even under heavy pressure. After Norsk Hydro, a Norwegian aluminum products company, was hit by a devastating ransomware attack in 2019, the company’s chief executive decided not to engage with the hackers — a decision that likely increased the cost of recovering from the attack by tens of millions of dollars.
DarkSide’s attackers have established a reputation for stealing company data that’s most likely to lure victims into paying, said Wendi Whitmore, senior vice president at Palo Alto Networks’ Unit 42 cyber research team.
“They tend to be more well-informed about the data they’re encrypting to increase their return on investment,” Whitmore said.
The initial responses almost always include ensuring employees have stopped using their corporate email accounts until the adversary is definitively removed from the network. That’s because if the attackers still have visibility into internal communications, they may be able to monitor efforts to recover from the breach, Wisniewski said.
In those early days of the attack, communication with the hackers is often minimal as the victim tries to determine if there is a possibility of avoiding payment. If the encrypted data resides on backup servers immune to ransomware infection, the victim may be able to restore operations without paying a ransom. That’s one reason many ransomware gangs now steal data too — they can still demand payment even if files are restored.
It’s rare that ransomware attacks get resolved in the first week or so, the experts said. But most ransomware attacks don’t carry the same stakes — or get the attention of the White House, which has created a multiagency task force to deal with the cyberattack.
On Monday, a message from DarkSide reinforced that the attack on Colonial Pipeline was anything but normal.
DarkSide maintains a publicly available webpage where the hackers list previous victims but also attempt to create an image of themselves as credible business people — even if their business happens to be digital extortion.
The group updated its website to directly address the Colonial hack in what appeared to be an attempt to recast its shakedown of the American economy in a more favorable light. It shifted blame to a customer — DarkSide and other ransomware gangs sometimes sell the malware to others — and appeared to express some remorse.
“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives,” the new statement by the hackers said. “Our goal is to make money, and not creating problems for society. From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”