Will the colossal payout further embolden financially-motivated cybercrooks?
Reports that Colonial Pipeline paid a $5 million ransom to restore operations on the US’ largest fuel pipeline send cybercriminals an unfortunate signal, security professionals have told The Daily Swig.
Conducted by the DarkSide ransomware gang, last week’s attack on the Colonial Pipeline Company forced the organization to shut down around 5,500 miles of pipeline, disrupting fuel supplies to the east coast and causing gasoline shortages in the southeast.
Faced with the prospect of further disruption, it’s easy to see why a company generating annual revenues exceeding $500 million would pay the eye-watering sum (reportedly in cryptocurrency, within hours of the attack).
In doing so, however, the critical infrastructure company perpetuates a “feedback loop of malicious activity” that “allows the groups to achieve a greater level of sophistication during their next attacks, whether that be via training, new tooling, purchasing credentials, or recruitment,” according to Mitch Mellard, threat intelligence analyst at cybersecurity outfit Talion.
“There is no guarantee that they will even decrypt your files or avoid leaking them,” he told The Daily Swig. “Recent figures have highlighted an alarming number of ransomware groups that are paid off but never deliver a working decryptor.”
Indeed, a Kaspersky survey recently found that 56% of consumer ransomware victims paid off extortionists, and that 17% of those who paid still failed to get their data back.
Such concerns informed a joint advisory issued on Tuesday by the FBI and US Cybersecurity and Infrastructure Security Agency (CISA) that once again urges victim organizations not to pay ransoms.
Rise in ransomware attacks
Yesterday (May 13), US telecoms multinational Verizon became the latest company to publish figures demonstrating an increase in ransomware attacks last year.
Often targeting organizations involved in the fight against Covid-19, ransomware attacks were a factor in 10% of data breaches analyzed by Verizon, more than double the proportion observed in 2019.
The telco’s 2021 Data Breach Investigations Report suggested “this may have less to do with” the global migration to a home-based workforce “than it does the shift in tactics of the actors who ‘named and shamed’ their victims.”
Verizon was referring to the growing trend of ransomware gangs exfiltrating as well as encrypting compromised data and blackmailing victims with the threat of public data exposure.
However, Martin Jartelius, chief security officer at infosec assessment platform Outpost24, suggests the increase is also fueled by ransomware’s intrinsic ‘efficiency’.
“In a typical attack when hackers breach a system, they need to sift through the data, determine which data are valuable, exfiltrate the information back, cover their tracks, find a bidder who is prepared to pay for the information,” he told The Daily Swig.
“But with ransomware, the information they steal is so targeted they already know that the affected organization would be willing to pay for it.”
Meanwhile, Andy Norton, European cyber risk officer at enterprise security platform Armis, told The Daily Swig: “If I want to insure a car, I have to have an MOT, a third-party certificate of road worthiness. However, in cyber, I can have completely inappropriate levels of cybersecurity and still get cyber insurance.
“Colonial have been publicly embarrassed by the saga, and yet, have essentially got away scot free, and in doing so, have sent a message that it’s OK not to demonstrate any sort of compliance with a cybersecurity framework, as long as your insurer will cover the costs of an attack.”
The escalating ransomware crisis prompted the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) to warn companies last October that they risked US sanctions if they made ransomware payments to parties designated as malicious cyber actors under OFAC’s cyber-related sanctions program.
Verizon’s latest annual snapshot of the data breach landscape also spotlighted a rise in phishing attacks, and a 15-fold jump in breaches where attackers ‘misrepresented’ their identity to victims more generally.
Attacks on web applications, which last year became the number one attack vector in data breaches, were the main hacking vector in 80% of breaches this time round, followed by desktop sharing.