Ransomware, although alarming, scary, and costly, typically unfolds as an unremarkable event: a company finds its files encrypted and must decide whether to pay the ransom or restore the files from backup before moving forward. Occasionally, however, a ransomware attack sends destructive waves around the world and affects millions of people. The 2021 ransomware attack on Colonial Pipeline is a prime example of such a catastrophic event.
Colonial Pipeline is the largest pipeline in the United States for gasoline, jet fuel, and home heating oil. Supplying refined oil products to the majority of the Southeast United States, the pipeline originates in Houston, Texas, and ultimately terminates at the vital ports of New York and New Jersey. It serves as a crucial source of jet fuel for major transportation hubs like Atlanta, Nashville, Raleigh-Durham, Dulles, and Philadelphia, and it plays a pivotal role in providing the majority of commercial gasoline to Washington, DC, Georgia, Pennsylvania, Virginia, Maryland, New Jersey, Tennessee, North Carolina, South Carolina, and Alabama.
In 2020, a significant breach occurred at SolarWinds, a supplier of network monitoring software to the U.S. government. It led to one of the most severe acts of cyber espionage in U.S. history. This breach compromised data for major institutions, including NATO, the UK government, the European Parliament, the U.S. Executive Branch, Microsoft, and various government bodies.
It raised concerns about cybercriminals targeting critical infrastructure, laying the groundwork for the Colonial Pipeline attack.
Cybercriminals often gain unauthorized access to businesses and engage in the sharing or selling of stolen information on the Dark Web, an online hub for illegal activities and tools. In the case of the Colonial Pipeline, these criminals successfully uncovered the username and password of an active but unused VPN account, enabling them to infiltrate the network. They subsequently posted these credentials for sale on the Dark Web, where DarkSide, an Eastern European cyber-criminal gang specializing in ransomware attacks, eventually acquired them.
Utilizing the obtained credentials, DarkSide specifically targeted Colonial Pipeline’s billing systems, effectively encrypting their files and rendering them inaccessible. To contain the spread of the attack, Colonial Pipeline made the decision to suspend operations across its entire pipeline network. The following day, they paid a ransom of $4.4 million in Bitcoin to DarkSide, in exchange for a decryption tool to unlock their files and resume operations. Unfortunately, due to the extensive reach and rapid spread of the initial ransomware attack, the decryption process proved to be slow and ineffective.
Consequently, the pipeline was shut down for a duration of six days.
Three days after the attack, President Joe Biden declared a State of Emergency. That declaration, combined with ominous news reports of potential gasoline scarcity, led to panic buying: a frenzy of individuals rushed to gas stations, eager to fill not only their vehicles but also unconventional containers such as garbage cans, storage containers, and even grocery store plastic bags. The impact was particularly significant in Washington D.C., where an astonishing 87% of gas stations completely ran out of fuel. Elsewhere in the Southeast, many international flights were forced to change course or take on additional fueling stops because of jet fuel shortages at major transportation hubs.
The scenes witnessed throughout the week resembled scenes from disaster movies, as gas stations prominently displayed cardboard signs proclaiming “out of gas.” Long queues of vehicles stretched for miles, extending away from fueling stations, as thousands of individuals desperately tried to secure the perceived, yet inaccurate, last drops of gasoline in the United States. People resorted to carrying gasoline-filled garbage bags slung over their shoulders, and airport arrival boards were filled with countless rows of “delayed” or “cancelled” notices, showcasing the extensive disruption to flights heading into the southeast.
All of these extraordinary events occurred due to one single VPN account that Colonial Pipeline’s IT team failed to deactivate.
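The root cause above is an account that stayed enabled after it stopped being used. The following is an added example, not code from the original post or from Nexsan, showing the kind of periodic audit that would have flagged such an account: it walks a constructed VPN account inventory and reports accounts that are still enabled but either never used, idle longer than a threshold, or owned by someone who has left. The inventory, the reference date, and the field names are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class VpnAccount:
    username: str
    enabled: bool
    owner_active: bool              # is the human owner still employed / engaged?
    last_login: Optional[datetime]  # None means the account has never signed in

# Constructed sample inventory (hypothetical names, not real data).
NOW = datetime(2021, 5, 1, tzinfo=timezone.utc)  # fixed reference time for a repeatable audit
ACCOUNTS = [
    VpnAccount("jdoe",           True,  True,  NOW - timedelta(days=2)),
    VpnAccount("vpn-contractor", True,  True,  NOW - timedelta(days=200)),  # idle but still enabled
    VpnAccount("legacy-vpn",     True,  True,  None),                       # never used, still enabled
    VpnAccount("asmith",         False, False, NOW - timedelta(days=400)),  # already disabled: fine
    VpnAccount("bjones",         True,  False, NOW - timedelta(days=10)),   # owner gone, account live
]

def find_dormant_accounts(accounts, now, max_idle_days=90):
    """Enabled accounts that have never logged in or have been idle past the threshold."""
    cutoff = now - timedelta(days=max_idle_days)
    return [
        a for a in accounts
        if a.enabled and (a.last_login is None or a.last_login < cutoff)
    ]

def find_orphaned_accounts(accounts):
    """Enabled accounts whose owner is no longer active; these should be disabled at offboarding."""
    return [a for a in accounts if a.enabled and not a.owner_active]

def audit(accounts, now, max_idle_days=90):
    """Return the usernames that need action, grouped by finding type."""
    return {
        "dormant": sorted(a.username for a in find_dormant_accounts(accounts, now, max_idle_days)),
        "orphaned": sorted(a.username for a in find_orphaned_accounts(accounts)),
    }

if __name__ == "__main__":
    for finding, names in audit(ACCOUNTS, NOW).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

In practice the inventory would be pulled from the VPN appliance or identity provider, and each flagged account would be disabled (not deleted, to preserve audit history) until an owner confirms it is still needed.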
The attack highlighted the lack of preparedness among organizations facing ransomware threats. Since 2021, businesses have implemented sophisticated detection tools and recovery plans, recognizing the inevitability of ransomware incidents.
A key focus is robust backup and archiving solutions for data safeguarding and quick restoration. Nexsan offers advanced storage and data protection solutions to strengthen cybersecurity defenses. By leveraging Nexsan’s technologies, organizations can reduce the impact of ransomware and enhance resilience against evolving threats.
Nexsan strengthens cybersecurity defenses and mitigates ransomware risks for organizations. Our advanced storage and data protection solutions provide robust backup and archiving capabilities, safeguarding critical data and enabling swift restoration. By leveraging Nexsan’s technologies, businesses can ensure data integrity, reduce the impact of ransomware incidents, and enhance resilience against evolving threats. To learn how Nexsan can help protect your organization from ransomware, contact us today!