Saturday marks the first anniversary of the ransomware attack that shut down Colonial Pipeline's operations.
Why it matters
Colonial was forced to pay millions of dollars in ransom to get its billing system unlocked, though some of that was later recovered. Its operations were shut down for five days, and gas prices jumped on the East Coast as consumers worried about shortages rushed to pumps.
The threat of massive ransomware attacks still looms, especially with the ongoing war in Ukraine. Several Russian criminal gangs have pledged to attack those who oppose Russia's invasion.
A year ago, gas prices on the East Coast surged after the operator of America's biggest fuel pipeline shut down amid a. The five-day-long cyber siege was a wakeup call: The country's infrastructure was vulnerable to criminals anywhere in the world.
Colonial Pipeline paid millions dollars to restore its systems, which had been frozen by alleged associates of the REvil ransomware gang. Some of the payment, made in bitcoin, was eventually recovered. But memories of panic buying at the pumps linger to this day.
Vincent D'Agostino, a former FBI agent who now leads cyber forensics and incident response at cybersecurity company BlueVoyant, says he knew Colonial Pipeline was going to be a big deal when he heard everyday people talking about it in the barber shop, adding that it was the first time he'd ever heard anyone there so much as mention bitcoin.
"That's a really bad thing when you're a criminal, when you have regular people talking about the hack, and you have people unable to get fuel," says D'Agostino, who investigated both traditional organized crime and cybercrime while at the FBI.
In the year since the Colonial attack, corporate America, the Biden administration and federal agencies like the Transportation Security Administration have taken steps to secure the country's critical infrastructure, which in addition to energy companies includes schools, cities and hospitals. They had to because Colonial Pipeline wasn't an outlier. Transit authorities, a meat processor and a business software company were all taken down as REvil roamed free for months on the internet.
The number of successful ransomware attacks surged to new highs last year. Sixty-six percent of the organizations surveyed by Sophos for its annual State of Ransomware report admitted that they were hit with a ransomware attack in 2021, up from 37% in the year before. And 65% of those attacks succeeded in encrypting their victims' data, up from 54% the year before.
After REvil was linked to Russia, President Joe Biden called Russian President Valdimir Putin to discuss the attacks. The administration also convened an international counter-ransomware event that drew representatives from more than 30 countries. Together, they pledged to share information and cooperate in tracking down and prosecuting the cybercriminals behind ransomware attacks.
In November, the Justice Department filed charges against a pair of men with alleged ties to REvil, seizing millions in purported ransomware payments. Law enforcement in the EU also said it had arrested alleged members of the gang. Russia itself in January arrested more than a dozen people it identified as REvil members.
The Justice Department also established a ransomware task force, and the Treasury Department started sanctioning cryptocurrency exchanges, insurance companies and financial institutions that facilitate ransomware payments.
Lotem Finkelsteen, who heads threat intelligence and research at Check Point Software Technologies, says the moves were enough to get members of REvil and other cybercriminals to shut down their operations, at least for some time.
Finkelsteen says US critical infrastructure remain top targets because they often have deep pockets to pay ransomware. Many have purchased ransomware insurance, which makes them even more tempting targets because of a guaranteed payment.
Colonial Pipeline was vulnerable because so many of its systems touched the internet. The attack locked up the company's billing systems, Finkelsteen notes, which forced it to halt other systems because it couldn't keep track of what it sold.
The hackers "had access to the crown jewels of the company," he said, adding that just the compromise of those networks shows that a lot more could be done to protect computer systems.
In a statement, Colonial thanked the Biden administration and federal agencies for the help during the attack. It called the hack a reminder that "we must continue to rigorously protect our critical infrastructure."
The Colonial attack prompted many companies, particularly midsize ones, to think of themselves as potential ransomware targets, D'Agostino says. The risks for midsize companies may also be higher because cybercriminals now see how going after big fish can bring unwanted attention.
"These companies are not a mom and pop, and they're not JP Morgan Chase, but they need to get comfortable with the fact that they've become targets," he said.
Often those companies are part of a larger supply chain, with their own operations hinged on the security of others, says Jim Guinn, who leads cybersecurity strategy and consulting related to critical infrastructure for the global consulting giant Accenture.
A shutdown at one company in the energy sector, for example, can have a vast ripple effect on others, he says. The same is true with food, pharmaceuticals and delivery services.
"All of those have parts of their supply chain that can be targets," he said.
It remains to be seen how the war will play out in regards to cyberattacks. Some experts had forecast that Russia would launch a cyberwar against Ukraine and countries supporting it, but not much in the way of large-scale cyber attacks has happened yet, at least that we know of.
Numerous ransomware and other cybercrime gangs have declared their allegiances to both Russia and Ukraine, threatening to attack those who oppose them.
Regardless of where they're coming from or what the motivation behind them is, Finkelsteen says, companies should remember that ransomware can be prevented, often by just putting in place basic cybersecurity best practices.
"It's all about investing now to prevent tomorrow's attacks," he said.