On Saturday, May 8, 2021, major media outlets reported that Colonial Pipeline, whose fuel pipeline network supplies gasoline, jet fuel, and other petroleum necessities to over 50 million Americans, had suffered a ransomware attack and shut down its pipeline as a precaution. The disruption in supply sent gasoline prices rising over the weekend, with financial markets on edge in anticipation of economic impacts in the coming weeks.
Colonial, which is one of the largest pipeline operators in the US, has hired Mandiant, a division of FireEye, to investigate the attack. The FBI and Critical Infrastructure Security Agency (CISA) are also investigating the incident to determine the source of the ransom attack. Their goal is to help Colonial understand the nature of the malware that has affected its operations. According to the company, the attack only affected its business systems, not the pipeline management technology itself. However, they shut down the pipeline as a precaution.
The source of the attack has not been confirmed, but according to government sources, an Eastern European cybercrime gang known as DarkSide is a leading suspect. At this point, it is unclear who is behind DarkSide. In some cases, such criminal gangs operate either with the consent of nation-state actors or even under their direct instruction. By having a criminal group perpetrate an attack on another country, nation-state actors preserve deniability. The vulnerabilities that were exploited by the attackers are unknown at this time.
Detecting and Preventing Ransomware Attacks
IT Central Station members would not be surprised by the Colonial attack. Many of them have spent their careers detecting and preventing such events, using anti malware solutions as well as tools for endpoint protection and more. Hasnae A., presales engineer at DataProtect, uses Cisco Umbrella for ransomware protection. As a system integrator, they implemented Umbrella to protect the network of a client in Morocco against ransomware and phishing attacks. Hasnae characterized the solution as “easy to use” and valued its ability to integrate with eBay.
Network security solutions are just one of many countermeasures that IT and security professionals are deploying to combat the ransomware threat. Email defense, endpoint protection, and secure browsers can also help mitigate ransomware risks. Backup and disaster recovery solutions fit into the ransomware defense mix as well.
Reducing Ransomware by Protecting Email
Ransomware malware needs to enter a target’s network in order to encrypt data and hold it for ransom. Email, especially phishing attacks, is one of the most potent vectors of attack. For this reason, security managers often try to stop ransomware as it enters the organization through email. An IT manager at a mid-sized healthcare company, for instance, uses Forcepoint for email filtering. He explained that “the spam filter is very effective. It does a good job of detecting ransomware links in email and then blocking them.”
Protecting End Users by Securing their Browsers
Ransomware attackers may deliver their malicious payload through infected websites. An end user might click on a link and accidentally download ransomware onto their device in the process. To reduce this risk, some security teams deploy secure browsers, such as Comodo, on end user devices. Principal enterprise architect Donald B. takes this approach at Aurenav Sweden AB, a business services company. As he put it, “If you open up an application or a web browser, it [Comodo] runs within a container (sandbox). So if there's some malicious code, it will be contained within the sandbox.”
He further noted that “ransomware prevention and zero-day exploits were a driver for adopting Comodo. From our research lab results working with live ransomware, Comodo has been very effective in preventing infection. We've done a lot of tests with numerous types of live malware, and it works really well.”
Protecting Endpoints to Stop Ransomware
The endpoint is a logical place to fight against ransomware. After all, if the security team can kill ransomware on the end user’s device, they’ve gone a long way toward winning the battle against the attacker. IT Central Station members discussed their experiences with a variety of endpoint protection solutions that help them with ransomware. These include a technical manager at a small tech services company who uses Malwarebytes to prevent ransomware and malware. He also deploys the solution’s endpoint detection and response (EDR) functionality. He related, “This means if the data is attacked, I'll be able to recover my data - that is, roll back the data and go to the pre-attack state.”
“The most valuable feature is its ability to detect and eradicate ransomware using non-signature-based methods. It is not a traditional EDR,” said the owner of a small software company. He added, “We think of this product as a fishing net that fits into the computer and has all of the capabilities and understanding of what ransomware and malware look like. It reacts to the look of ransomware, as opposed to trying to detect it by using a signature.”
For Imad T., group CIO at a large construction company, the Carbon Black solution “ensures the probability that any ransomware will be stopped before spreading.” It is an endpoint line of defense against malware and ransomware with scheduled network scans. A senior security consultant for Checkpoint Technologies at a small tech services firm had a similar use case. He remarked, “We had a ransomware attack and the SandBlast agent automatically picked up the ransomware. It automatically deleted the ransomware and restored the encrypted files.”
Mitigating the Impact of Ransomware with Backup and DR
As the Colonial attack reveals, even strong defenses can be breached. Ransomware is able to get through and wreak havoc on important systems. Anticipating this potential, some organizations prepare to respond to an attack by restoring lost data through backup. This way, they can ignore the ransom demand. Anti-ransomware processes should be part of a thorough Disaster Recovery (DR) plan. Such an approach has been taken by Sastra Network Solution Inc. Pvt. Ltd. As their CTO, Shrijendra S., noted, they use Quorum OnQ for backup, cloud service, and disaster recovery as a service [DRaaS]. In particular, they have found that Quorum OnQ has a good ransomware protection feature. Deven S., director at a small tech services company, similarly relies on Acronis as a file- and data-backup solution. In his view, Acronis is “easy to use, performs well, and provides built-in ransomware protection.” He described this as “a great advantage.”
The attack on Colonial Pipeline is getting attention because it is a piece of critical infrastructure that can affect the general public. However, as security experts know, it is just one of thousands of such attacks that have occurred in the US in the last year. Many more are likely coming. Security teams must be eternally vigilant against increasingly brazen and sophisticated attackers. As the IT Central Station reviews show, many validated solutions are available. The challenge is to deploy them effectively in order to detect and prevent ransomware attacks over the long term.