by Dave Moore, CISSP, 05/16/2021
The nation's largest pipeline, and Oklahoma's second largest city, have been hammered by Internet criminals using well-known, preventable ransomware scams and hacking techniques.
The Colonial Pipeline, largest pipeline in the United States, shut down when, according to an official statement, “On May 7, the Colonial Pipeline Company learned it was the victim of a cybersecurity attack. We have since determined that this incident involves ransomware.”
“Ransomware” refers to criminals taking your computer files and locking them into an encryption scheme, preventing you from using your own data. The crooks then demand a “ransom” payment for release of the “hostage.” In the case of Colonial Pipeline, over 100 gigabytes of company data was also copied and “exfiltrated” (geek talk for “stolen”), with the Russian criminal gang called “Darkside” demanding payment to keep them from making Colonial’s private company files public.
The 5,500-mile-long, 59-year-old pipeline, stretching from Houston, TX to the Port of New York and New Jersey, carries 45% of the East Coast's fuel. As a result of the shutdown, fuel in some areas of the eastern US became scarcer, and prices spiked. Refineries eyed cutting production, as the main tool for moving their product had been cut off.
How was Colonial victimized by Darkside’s ransomware scheme? While Colonial is reticent to say, Jason Jarnigan, FBI Supervisory Special Agent for Cyber Crimes, interviewed by Memphis’s WREG News, stated, “Either someone clicked a link that they weren’t supposed to, or they receive an email from someone that they know or trust, whose email account may have been compromised.”
In other words, someone working at Colonial did something stupid, which opened the door for the Darkside gang to enter Colonial’s network. It was all downhill, after that.
After six days of denials, insisting they would not pay the Darkside ransom, Colonial admitted Thursday, May 13 they had indeed paid a ransom of almost $5 million on May 7, the day of the attack.
Hoping to avert a national crisis, the White House issued an emergency declaration, lifting federal regulations on certain long-haul truck drivers carrying fuel, granting them more overtime hours and less sleep than normal. The EPA, with the concurrence of the Department of Energy, also declared, “an extreme and unusual fuel supply circumstance exists that will prevent the distribution of an adequate supply of compliant gasoline to consumers,” and decided to lift certain pollution standards until things get back to normal.
President Biden declined to comment on whether he knew Colonial had paid the ransom, despite their denials.
Closer to home, the government of the City of Tulsa was also crippled by ransomware criminals. “The City of Tulsa is having to relearn how to do their jobs without computers,” reported KTUL-TV. City officials resorted to posting a notice on Facebook in an effort to inform the public.
“We have shut our computer systems at the city down to prevent any spread of that malware on our networks,” said Tulsa Mayor George Bynum. The city announced on Monday, May 10, that ransomware criminals had been inside their networks since April 21.
According to WJRH-2 News, officials believe the ransomware entered the city’s computers through an email that was sent to an employee. A number of City of Tulsa services have been affected, including fire and police response times. With computers being unavailable, radios and phones are being used in an effort to keep things going. Utility payment sites have also crashed, along with employee and City Council email service.
“The process of public safety and of everything else that we do at the city of Tulsa is impacted by this,” said Mayor Bynum, as the city attempts to scan, repair and secure its 3,500 computers.
City officials, saying Tulsa will not pay any ransom demands, also say they have no idea when systems will be back up again. They have said, though, they are working with a “security advisor.” An announcement at cityoftulsa.org says, “The City of Tulsa website, along with Tulsa City Council, Tulsa Police, and the Tulsa 311 websites, are currently down for maintenance.” Maintenance, indeed.
Statistics for 2020 show more than 113 federal, state and municipal agencies were ransomware victims, along with over 500 health care facilities, and more than 2,400 school systems, colleges and universities. Secretary of Homeland Security Alejandro Mayorkas recently stated, “Ransomware now poses a national security threat.” The FBI reported cybercrime losses exceeded $4.1 billion last year alone.
The methods Internet criminals use to launch ransomware campaigns are well-known, thoroughly documented, and completely preventable. Whether it's email phishing/spamming scams (the most common ransomware inroad), remote desktop hacks, or neglected software updates and patches, it is inexcusable that major enterprises like pipelines and city governments fall victim to scams and hacks that never should have happened in the first place.
Preventing ransomware boils down to two things: businesses of all sizes providing proper Internet safety training of computer users, and hiring true security experts to build, maintain and configure computer network systems. Just because someone is a good network or “I.T.” person doesn’t mean they know squat about cybersecurity, just as auto transmission mechanics may not know anything about painting a car. This means a shift in thinking for many individuals and companies. No more putting out fires, and waiting for the next one to pop up.
For more information, go to www.normantranscript.com, search for Dave Moore Ransomware, and study my three-part series titled, “Ransomware-proof your files now, while you can,” beginning 01/03/2021.
Dave Moore, CISSP, has been fixing computers in Oklahoma since 1984. Founder of the non-profit Internet Safety Group Ltd, he also teaches Internet safety community training workshops. He can be reached at 405-919-9901 or internetsafetygroup.org