
    Global Ransomware Surge Claims U.S. Oil Pipeline Victim

    Nearly half the U.S. east coast petroleum supply is disrupted by a ransomware attack. IT security professionals call ransomware a ‘terrifying’ menace.

    by Mike Azzara

    Key Points

    • Ransomware attack on Colonial Pipeline shuts down flow from Texas to the Northeast U.S.
    • Infrastructure networks seen as increasingly vulnerable to cyberattack due to integration of aging industrial control systems with modern internet protocols.
    • Ransomware defense requires keeping software up to date and high-frequency cybersecurity awareness training for employees.
    • Recovery requires high-frequency backups stored safely away from the main network.

    The ransomware scourge sweeping the globe claimed yet another high-profile victim this weekend: Cyberattackers shut down the U.S.’s Colonial Pipeline, which the company says carries 2.5 million barrels a day of diesel, gasoline and jet fuel from Texas to New Jersey — roughly 105 million gallons that are then dispersed throughout the East Coast, providing 45% of the area’s fuel.

    On Sunday, government agencies and the energy industry scrambled to respond: The U.S. Department of Transportation issued a temporary exemption allowing truck drivers transporting those products to the East Coast to exceed their mandated “hours of service” limitations.[1] Meanwhile, commodities markets braced for potential price volatility in petroleum products stemming from the ransomware attack. Published reports noted that, even though the region’s gasoline inventory is high in anticipation of increased summer demand, shortages are likely to begin if the pipeline is down for five days or more.

    Like more than 90% of cyberattacks, the initial ransomware compromise at Colonial most likely came into the organization through email. The cyber hacking group believed responsible, Darkside, typically delivers its ransomware payload through a PowerShell script after such an initial compromise, noted Carl Wearn, Head of Threat Intelligence, Risk and Resilience, Mimecast.

    Energy Sector Not Even Most Targeted by Ransomware

    Multiple research reports fielded in this year’s first quarter—including Mimecast’s own State of Email Security 2021 (SOES)—revealed a dramatic global ransomware surge, but showed the energy sector was well below average as a ransomware target. Six out of 10 (61%) companies surveyed in the SOES research said their business was disrupted by ransomware during the previous 12 months. That’s a notable increase from 51% of companies surveyed in the 2020 edition of SOES.

    The FBI’s Internet Crime Report 2020, meanwhile, found that financial losses from ransomware attacks reported to the bureau more than tripled year over year, to $29.1 million in 2020 from $8.9 million in 2019.[2]

    Of responding SOES companies from the energy sector, however, only 15% reported a successful ransomware attack in the past year. The sector most attacked by ransomware was information technology and telecoms at 75% of companies surveyed, followed by business and professional services (70%), financial services (49%), manufacturing and production (37%) and retail (36%). Despite repeatedly making headline news, ransomware attacks against healthcare organizations and government agencies lagged, at 22% and 27% of respondents, respectively — but that’s still more than one in five organizations disrupted by a successful ransomware exploit in a single year.

    “Our research found that companies impacted by ransomware lost an average of six working days to system downtime, with 37% saying downtime lasted one week or more,” said Francis Gaffney, Director of Threat Intelligence and Response at Mimecast, referring to the SOES 2021 survey. “This disruption forces many organizations to pay the ransom and our research shows that 52% of businesses did so. However, only 66% of those were able to recover their data. The remaining 34% never saw their data again, despite paying the ransom.”

    Ransomware Called ‘Terrifying Threat’

    Regardless of the average threat level in a given sector, IT security professionals consistently fear ransomware attacks the most. In interview after interview for multiple white papers, Mimecast customers in financial services and healthcare, for example, have told us this is the case because their businesses rely on information networks, and a ransomware attack can force those networks down — thus causing all operations to cease. Then, of course, comes potential reputational damage from inevitable news reports. 

    “Ransomware is a terrifying sort of threat, and one we don’t always feel completely prepared for,” said a U.S. healthcare industry interviewee just this week. His organization takes the position that “ransomware probably will hit us” at some point in time and, therefore, they put energy into preparing to recover as rapidly and as fully as possible. “We increase our backups and redundancy, and business continuity. We ask ourselves, how would we restore, how would we get back to a functional level, even if we had to give up a week or so of data?” This is in addition to their cybersecurity awareness training and other cyber resilience efforts.

    What Can You Do to Prevent a Ransomware Attack?

    Cybersecurity experts agree that regular backups — performed often, stored externally and disconnected from the company network — are one of the three main ways companies can try to thwart ransomware attacks. The others are:

    • Keep software up to date: The three most important words in cybersecurity are update, update, update. The infamous 2017 global WannaCry infection could have been prevented if organizations had kept their Windows software up to date — the vulnerability WannaCry exploited had been patched two months earlier.
    • Cybersecurity awareness training: Employees need to be regularly reminded of good cyber hygiene, particularly about email phishing, especially now that more workers are working remotely. They should never open unknown email attachments, and they should never click on any links that are at all suspicious.

    “Organizations must start investing in cybersecurity preparedness and awareness training,” emphasized Gaffney. “It is recommended that organizations focus on prevention by implementing strong resiliency measures and ensuring that employees are properly trained in cyber awareness.”

    Infrastructure Attacks Likely to Rise

    Experts have been expecting a rise in cyberattacks on vulnerable infrastructure for many years, and it appears they were right. As Gaffney explains, it’s largely due to the integration of so-called operational technology — IT for manufacturing and production processes, aka industrial control systems (ICS) — and the internet protocol (IP) world of modern IT.

    “ICS equipment's defenses against threats that are common today, such as malicious and recreational hackers, can be lacking because the dangers did not exist when the systems were first installed,” says Gaffney. ICS systems’ increased connectivity via the proliferation of 5G cellular, internet of things and industrial IoT networks makes them more vulnerable to cyberattack.

    “With the convergence of these systems, it’s almost certain that data and networks are at heightened risk of both ransomware and data compromise attacks, and a danger that devices critical to a nation’s infrastructure may be used as a stepping stone for lateral movement within a compromised network,” Gaffney concludes.

    The Bottom Line

    It’s too early to tell how disruptive the ransomware attack this weekend on nearly half the petroleum supply to the U.S. East Coast will be, in the end. It could get sorted before damage is done, or it could cause catastrophic price volatility and gas station lines reminiscent of the infamous 1970s Oil Crisis. But every company, nonprofit and government agency in the world should take it as a siren call to up their cyber resilience in general, and their email security training in particular, in an effort to prevent their business from grave disruption.

    [1] “U.S. Department of Transportation … Issues Temporary Hours of Service Exemption…” U.S. Dept. of Transportation

    [2] Internet Crime Report 2020, FBI
