The Colonial Pipeline Ransomware attack

Feroze Ashraff
December 1, 2021

I have been following the Colonial Pipeline ransomware attack closely these past few days and I must admit that I learnt a lot. You can read all about the attack and subsequent recovery in the reference links below.

Highlights:

  1. Colonial Pipeline was hit by a ransomware attack.
  2. Threat actor: the DarkSide group, operating under a RaaS (Ransomware-as-a-Service) model.
  3. Attack vector: compromised VPN credentials belonging to a legacy VPN profile.
  4. Colonial Pipeline was pressured into meeting the payment amount and deadline through a combination of DDoS and triple extortion methods.
  5. Colonial Pipeline paid out approximately USD$4.4 million (in bitcoin).
  6. The U.S. Department of Justice (DoJ) managed to recover approximately USD$2.3 million (in bitcoin).
    •   How: the DoJ obtained the private key of the cryptocurrency wallet that held the ransom payment.

Key words:

  • RaaS: Ransomware-as-a-Service.
  • Ransomware: a form of malware that encrypts a victim's files. The attacker then demands a ransom from the victim, promising to restore access to the data upon payment.
  • VPN: Virtual Private Network. Generally used when you need to connect to a network from a remote location.
  • Threat Actor: an individual, group, organization, or even a country that carries out a security incident or cyberattack.
  • Attack vector: the method a cybercriminal uses to breach or infiltrate a network.
  • Triple Extortion: cybercriminals demand payment not only from the target company but also from its customers, partners and other related third parties.
  • DarkSide: a cybercriminal hacking group, believed to be based in Eastern Europe, that targets victims using ransomware.
  • DDoS: Distributed Denial of Service.

So how do you protect yourself and/or your organization?

  • Up-to-date patches
  • Anti-malware and anti-ransomware software
  • A well-configured firewall
  • Block unused ports and services
  • Disable unused accounts
  • A strong password policy
  • A well-trained IT team
  • End-user education

Learn more by obtaining your CompTIA Security+ certification at Skills Campus.