War Room

Shells from above


Colonial Pipeline Ransomware

May 12, 2021 By Ken Smith

Ransomware attacks are no longer simply a malware infection. Today’s ransomware threat actor groups consist of skilled hackers who are well-versed in infiltrating their victims’ networks. Once inside the target network, these attackers perform reconnaissance to identify critical accounts, systems and even sensitive data stored within the network. Since the mid-2010s, we have observed a steady rise in ransomware-as-a-service (RaaS) attacks, in which ransomware gangs sell access to their tools and infrastructure to third parties. In 2020, we noted a particularly steep shift, as many ransomware gangs began stealing data from their victims’ networks prior to deploying ransomware; the stolen data is then often used to double-extort victims. A variety of trip wires are present throughout these attacks, which victims either fail to recognize or cannot identify due to insufficient detective controls.

This weekend, the world learned of a ransomware attack against one of the largest pipeline operators in the United States, Colonial Pipeline. Reports suggest that ransomware known as DarkSide was responsible for the attack. RSM’s incident response team has investigated attacks carried out by this group, but is not in a position to speculate on the details of this particular attack at this time. We are confident that we will learn more about the attack as the investigation is carried out.

In the past few days, the DarkSide group’s RaaS has been linked to the attack on Colonial Pipeline. Given the geopolitical implications of this attack, the group released a statement on their website noting that they were not associated with any nation-state government. The group itself has also implied that they would be more rigorous in vetting their RaaS partners in the future.

If 2021 has taught us anything, it is that no organization is impenetrable. Between the US government and industry-leading cyber security firms affected by the SolarWinds supply chain attack, the thousands of organizations impacted by the Exchange Hafnium vulnerabilities reported in March 2021, and now Colonial Pipeline, there is no safe zone. Few ransomware attacks have had the impact of this one: at the time this article was published, the incident had resulted in a five-day shutdown of pipeline operations. The attack has affected far more than the organization and its direct customers; however, reports indicate that Colonial Pipeline took aggressive actions to contain the event, and is currently working with “all hands on deck” to safely and methodically restore operations.

Unfortunately, this event spotlights the dire need for organizations to mature their security programs, which will improve both their defenses and their ability to identify, detect and contain cyber-attacks within Information and Operational Technology (IT/OT) environments. It is important for organizations to understand the risks posed by today’s threat landscape, create foundational IT/OT security programs, determine what protective and detective controls need to be in place, assess which critical cyber assets possess the highest degree of operational exposure, and evaluate what risks a compromise in the environment may pose.

Luke Emrich (luke.emrich@rsmus.com)
Wanda Archy (Wanda.Archy@rsmus.com)
