Author: John Farley
On May 7, 2021, Colonial Pipeline, one of the largest U.S. distributors of fuel, became the victim of a ransomware attack. This led to an immediate system-wide shutdown as efforts were made to contain the attack. On May 9, Colonial reported that some of its lateral lines between terminals and delivery points were once again online, but that its mainlines were still not operating.1 The attack is significant because Colonial Pipeline transfers 2.5 million barrels of diesel, gasoline and jet fuel a day, about 45% of the East Coast's supply. The repercussions for the transportation industry and those that rely on it may be significant, and will largely depend on how long it takes to bring Colonial's systems back online.
The U.S. Commerce Department reported that it is working closely with Colonial and with state and local officials on recovery from the attack. In the meantime, the U.S. Department of Transportation issued a regional emergency declaration that relaxes hours-of-service rules and allows fuel to be transported by road.
What we know so far about the Colonial Pipeline attack
Many of the details of the incident are still unfolding, and the investigation is in its early stages. While the specific intrusion method used by the attackers is not yet known, multiple sources report that a criminal organization known as DarkSide was behind the ransomware attack. The group reportedly stole nearly 100GB of data, demanded a ransom payment, and is threatening to publish the data if payment is not made. According to security researchers, DarkSide is a sophisticated criminal enterprise that operates on a "ransomware-as-a-service" model: it develops the software used to encrypt and steal data and supplies templates and training to affiliates, who carry out the attacks. The affiliates then pay DarkSide a percentage of their earnings from any successful ransomware attack.2
Preventing and mitigating ransomware attacks
We expect DarkSide and other criminal cyber groups to continue attacks for the foreseeable future. Therefore, we suggest the following prevention and mitigation strategies in the heightened ransomware threat landscape:
- Use multi-factor authentication (MFA), and require it for (1) remote access to the network, (2) privileged accounts, (3) web or cloud-based email, (4) vendor access, and (5) access to online backups.
- Employ regular patch management practices.
- Perform employee training to help staff recognize phishing attacks.
- Properly secure Remote Desktop Protocol (RDP) for remote access: do not expose it directly to the internet, place it behind a VPN or gateway that enforces MFA, and restrict which accounts are permitted to use it.
- Inventory and retire End-of-Life (EOL) software that no longer receives security patches.
- Deploy and tune email/web filtering, Intrusion Detection Systems (IDS) and Endpoint Protection Products (EPP), with a defined process for responding to their alerts.
- Maintain sound data backup practices: encrypt backups; keep copies online, offline, onsite and offsite (an offline copy cannot be encrypted or deleted by an attacker who has gained network access); regularly test restoration from backups; and segment the network so that a compromise in one zone cannot reach the backup infrastructure.
- Prepare an incident response plan and test it via table-top exercises.
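One way to make the "test restoration from backups" item concrete, as an added example in Python that is not from the article or from any Colonial Pipeline material: record a SHA-256 manifest of the data when the backup is taken, store that manifest with the offline copy rather than on the live system, and after a test restore compare the restored tree against it. The directory layout, file contents and the simulated tampered and missing files below are all constructed for the demonstration.

```python
"""Backup restoration test: build a hash manifest when the backup is taken,
then verify a restored tree against it. Added example, not from the article."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest recorded at backup time.

    Reports files that are missing from the restore, files whose contents
    differ from what was backed up (e.g. encrypted by ransomware), and files
    present in the restore that were never in the backup."""
    current = build_manifest(restored)
    missing = sorted(set(manifest) - set(current))
    extra = sorted(set(current) - set(manifest))
    modified = sorted(
        p for p in manifest if p in current and current[p] != manifest[p]
    )
    return {
        "missing": missing,
        "modified": modified,
        "extra": extra,
        "ok": not (missing or modified or extra),
    }


def demo() -> dict:
    """Constructed scenario: take a backup of three files, then simulate a
    restore in which one file came back encrypted, one is absent, and a
    ransom note appeared. All names and contents are made up for the example."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "data")
        src.mkdir()
        (src / "invoices.csv").write_text("id,amount\n1,100\n")
        (src / "config.ini").write_text("[pipeline]\nmode=normal\n")
        (src / "notes.txt").write_text("weekly notes\n")
        manifest = build_manifest(src)

        # The manifest is written next to the (offline) backup copy so the
        # restore test does not depend on the live system's view of the data.
        manifest_path = Path(tmp, "backup-manifest.json")
        manifest_path.write_text(json.dumps(manifest))

        restored = Path(tmp, "restored")
        restored.mkdir()
        (restored / "invoices.csv").write_text("id,amount\n1,100\n")
        (restored / "config.ini").write_bytes(os.urandom(48))   # simulated encryption
        (restored / "README.ransom").write_text("pay up\n")     # simulated ransom note
        # notes.txt is deliberately not restored.

        saved = json.loads(manifest_path.read_text())
        return verify_restore(saved, restored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is only as trustworthy as the manifest's storage: if the manifest lives on the same network-reachable host as the data, an attacker who can encrypt the files can also rewrite the manifest, so keep it with the offline or immutable copy.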
Cyber insurance solutions
In the event your organization or a key vendor in your supply chain becomes a victim of a ransomware attack, it is important that you leverage the resources that typically come with applicable insurance policies.
Many cyber insurance policies provide 24/7 access to outside experts, including breach coaches, IT forensics investigators, extortion negotiators, credit monitoring firms, public relations experts, data asset restoration experts and others. Some policies also provide contingent business interruption coverage that may pay claims for business interruption costs caused by an attack on a vendor. Be mindful of policy claim reporting provisions that mandate formal notice of incidents and/or claims. In addition, be aware of policy wording that may require insureds to use only pre-approved insurance panel experts.
For additional information regarding cyber insurance coverage, please contact your Gallagher team member.