A ransomware guide worth $4.4 million USD?
It turns out that, unlike in the movies, in real life the bad guys sometimes win. That's how the Colonial Pipeline ransomware situation got sorted out.
In case you didn't hear, a major fuel pipeline operated by the Colonial Pipeline Company was recently shut down by ransomware. It was a major issue that caused a spike in gas prices and even had people hoarding gas in plastic bags (and please never, ever do that). The disruption was so profound that Colonial's operators agreed to pay the whopping $4.4 million USD ransom. In that regard, the bad guys won, at least until law enforcement hopefully catches up with them. Now that it's over, though, is there any useful information that can be learned from this attack?
Unfortunately, Colonial's operators haven't released exactly how the attack got into their computer systems, but there are still two useful tidbits of information that came out of the mess.
First, ransomware distributors are worse than you think, because the decryption tool they provided to Colonial was too slow to be useful.
Ransomware encryption happens quickly, so there's often very little chance of stopping it once it does get into your system. When Colonial paid the ransom, the attackers gave them a tool to decrypt their files. Except, as it turns out, the tool was too slow: even though the ransom was paid, it would have taken Colonial longer to decrypt their files than to simply restore from backups, which is what they eventually did. Remember, the people holding your data hostage put their effort into encrypting it quickly, not into building a fast or reliable decryptor. The Colonial situation shows that even if you pay the ransom and get a decryption tool, there's no way of knowing how well, or even if, it's going to work, which is one more reason tested, offline backups are the only recovery path you can actually count on.
The second useful bit of information coming out of all this was the widespread attention given to the September 2020 CISA ransomware guide. It includes advice for preventing ransomware infections and for responding to a ransomware incident. The guide is comprehensive and thorough, with 19 different steps for responding to ransomware. Restoration isn't suggested until step 14, because once you have an outbreak there are a lot of things you should do first: isolating affected systems, preserving evidence, and identifying how the attackers got in, so that you don't restore straight back into a compromised environment.
It's a guide well worth reading to see what advice you can make use of. The people involved in making it clearly understand ransomware events and have valuable advice. It's not just another worthless, high-level concept document; it's a useful, detailed document that can inform and help expand your own ransomware response plan.
I'll wrap this up with a line from All's Well That Ends Well, Act 1, Scene 1: "Our remedies oft in ourselves do lie."
If you have any questions about ransomware defense, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind, Courtesy of Your Friendly Neighbourhood Cyber-Man.