Colonial Pipeline Co. said Saturday afternoon that it had been hit with ransomware, a form of malware in which attackers gain control of systems and demand payment in return for unlocking the victim’s networks and data.
Colonial operates a 5,500-mile pipeline system that brings gasoline and diesel from the Gulf Coast to the New York area. The company said it “took certain systems offline to contain the threat, which has temporarily halted all pipeline operations.”
Cybersecurity analysts say companies have been targeted with ransomware for several years and that the attacks are becoming more brazen and costly, particularly since the start of the pandemic. As companies shifted to remote work, fewer employees worked exclusively within protected networks, creating more opportunities for hackers to break into their systems, cybersecurity analysts say. Estimates from cybersecurity company Emsisoft Ltd. show that attacks against schools, local governments and healthcare providers alone jumped to at least 2,354 in 2020 from 966 in 2019.
School districts, hospitals, local governments and businesses of all sizes have been targets, and cybersecurity analysts say that hackers often demand millions of dollars to decrypt seized files.
How does ransomware work?
Ransomware is a form of software that encrypts files on computer systems it infects, rendering those files and any systems that rely on them unusable, according to the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security. Many variants of ransomware, a form of malware, exist. A specialized tool developed by hackers is often necessary to decrypt the targeted systems.
Ransomware gangs usually demand payment for use of this tool, CISA said. Coveware Inc., a company that specializes in ransomware recovery, said the average ransom payment in the first quarter of 2021 was $220,298, a 43% increase from the previous quarter. Demands that total millions of dollars are not unheard of, incident responders said.
What is the extent of the ransomware threat to companies?
On Wednesday, Homeland Security Secretary Alejandro Mayorkas described ransomware as a threat to national security. The rate of ransomware attacks increased 300% in 2020, he said during a virtual event hosted by the U.S. Chamber of Commerce. Around three-quarters of victims were small businesses, which paid a total of over $350 million in ransoms during the year, he said.
In addition to locking files, ransomware gangs increasingly pursue double-extortion tactics, in which they threaten to publish sensitive stolen information if they aren’t paid. Coveware said that 77% of attacks in the first quarter of 2021 involved data theft to some degree.
“We certainly see a lot of customers who are potentially able to recover operationally, but are paying the ransom to prevent the data that’s been stolen from being publicly released,” said Mark Lance, senior director of cyber defense at GuidePoint Security LLC.
How can companies mitigate the risk from ransomware?
Security analysts say that many ransomware attacks are opportunistic in nature, meaning that attacks are designed to exploit common gaps in defenses, rather than actively target individuals or companies.
“Ransomware is a symptom of a broader problem, and that broader problem is poor cyber hygiene,” said Megan Stifel, Americas executive director at the Global Cyber Alliance, a nonprofit cybersecurity group.
CISA recommends that all companies implement several practices to reduce the risk of ransomware infections. Those precautions include keeping software up to date and regularly patching security flaws. As an added measure, the agency also will scan an organization’s network for vulnerabilities, a service that it offers for free to state and local governments and to companies that operate critical infrastructure.
What should you do if you are attacked?
Law-enforcement agencies such as the Federal Bureau of Investigation and the U.S. Secret Service say that companies victimized by ransomware should contact them for assistance.
Companies may be reluctant to involve bodies such as the Secret Service over fears of later enforcement actions from regulators, said Peter Marta, a partner at law firm Hogan Lovells LLP. Law-enforcement officials say that they are only interested in helping hacked companies with recovery efforts.
“We’re not a regulatory body, so there’s no evidence that the Secret Service is sharing any information with any regulatory entities and/or employing any punitive measures against victims,” said David Smith, special agent in charge of the criminal investigation division of the Secret Service, who also spoke at the U.S. Chamber event with Mr. Marta.
Some businesses may be required to report data breaches or cyberattacks to regulators under laws such as the Health Insurance Portability and Accountability Act and the New York State Department of Financial Services’ cybersecurity regulations.
What are the options for recovering from a ransomware attack?
Cybersecurity officials say that properly backing up data is a crucial defensive measure against ransomware. Steps will have to be taken to remove malware from hacked systems. Proper backups may allow companies to restore their systems without needing a decryption tool from hackers, said Eric Goldstein, executive assistant director of cybersecurity at CISA, speaking at the U.S. Chamber event.
“Once your network is cleaned up and you’re confident that the adversary has been removed, you’re able to restore your most critical data from a known good [source]. That is the most powerful remedy to a ransomware attack,” he said.
Should you pay the ransom?
The FBI recommends that companies not pay ransoms. Cybersecurity specialists who deal with ransomware often say there is no guarantee that a hacker will provide a working decryption tool even if they are paid—and the hacker may target an organization again for a ransom.
Many ransomware operators now run infrastructure resembling that of legitimate companies and advertise that they provide full decryption once paid, treating it as a selling point.
“They have impacted many, many different organizations and they have customer service set up. They have a chat. They have phone support if needed,” said Drew Schmitt, principal threat intelligence analyst at GuidePoint.
What is being done about ransomware?
The Justice Department has established in recent weeks a task force dedicated to studying ransomware attacks, which will look at the links between ransomware gangs and nation-states, among other topics.
On April 29, a group named the Ransomware Task Force, comprising government officials and technology companies including Microsoft Corp., Amazon.com Inc. and FireEye Inc., published a report proposing policies to combat ransomware. The proposals range from the creation of interagency task forces led by the White House to tighter regulations on cryptocurrency markets, which the group said are used by hackers to receive ransoms.
“Even if you’re pushing at the diplomatic level in order to clear up those safe-haven spaces in which they operate, you can do more than that because you can go after their infrastructure and payments process at the same time,” said Philip Reiner, the chief executive of the nonprofit Institute for Security and Technology, and a co-chair of the Ransomware Task Force.
Mr. Mayorkas has said that DHS and CISA will focus on ransomware as a priority issue. The House Homeland Security Committee held a hearing on ransomware Wednesday, in which members discussed the findings of the ransomware report and considered whether CISA should receive more funding.
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved.