A country's critical infrastructure is crucial to maintaining our way of life. These moving parts of a nation cover many areas: the electricity that lights our homes, the gas that keeps us warm, financial infrastructure, healthcare services, and so on. Keeping these systems operational is vital to the health, wealth, and security of a nation.
Ransomware attacks can, and do, target critical infrastructures (CIs): examples include the WannaCry attack on healthcare systems and the Netwalker ransomware attack on K-Electric, Pakistan's largest power supply company. A more recent, very high-profile cyber-attack on a critical infrastructure was the DarkSide ransomware attack on the Colonial Pipeline company in the USA.
What Happened in the Ransomware Attack on Colonial Pipeline?
Colonial Pipeline operates the largest refined-products pipeline system in the USA, carrying around 45% of all fuel consumed on the East Coast. This scale, and the company's status as critical infrastructure, made it a prime target for the DarkSide ransomware group.
On the 7th of May 2021, Colonial Pipeline paid the attackers' demand, the equivalent of around $5 million in bitcoin. The previous day, the attackers had exfiltrated around 100 gigabytes of data before initiating a system-wide computer lockdown and issuing the ransom demand.
At this early stage, no public details of how the attack occurred are available. However, ransomware and phishing often go together: spear phishing, the highly targeted variant of phishing, was behind a large ransomware campaign in December 2020 that hit around 50 organizations, including several in critical infrastructure sectors, using sophisticated spear-phishing emails to initiate the ransomware infection.
The Colonial Pipeline ransomware attack resulted in chaos across the East Coast of the USA. In a now archived press release, the company stated that:
“In response (to the attack), we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems.”
The company quickly went into disaster recovery mode, minimizing the impact by using alternative delivery points and preparing to restore IT systems from backups. However, the wider impact spilled over to consumers, with over 1,000 gas stations running out of fuel because of panic buying. Fuel prices rose sharply, and the White House put out a notice about the attack urging restraint and asking companies not to take advantage of the situation. The notice also said:
“And finally, let me say that this event is providing an urgent reminder of why we need to harden our infrastructure and make it more resilient against all threats — natural and manmade.”
Ransomware-as-a-Service: The Affiliate model
DarkSide is part of a growing trend to commercialize ransomware. Ransomware-as-a-Service (RaaS), also known as Ransomware-as-a-Corporation (RaaC), is a growing movement in which ransomware is productized and distributed via affiliates. The model is similar to SaaS: the operators license the malware and any associated components, such as malicious phishing websites or email templates, to affiliates who carry out the attacks and pay a percentage of each ransom back to the individual or gang behind the RaaS. This lowers the barrier to entry considerably, putting a working ransomware operation within reach of anyone with a criminal urge to extort money by digital means. Blockchain analysis firm Elliptic was able to trace the DarkSide crypto wallets and found that DarkSide ransomware had been used to infect 99 organizations, 47% of which paid the ransom; the average payment was $1.9 million.
Can Ransomware Attacks on CI be Prevented?
On the 11th of May, the FBI and CISA issued a joint advisory on DarkSide ransomware. The advisory states that:
“Prevention is the most effective defense against ransomware.”
Critical infrastructures are where Operational Technology (OT) and IT dovetail. This convergence is part of the digital transformation of industry to streamline services and improve efficiency, but it also widens the attack surface and raises the impact of malware on a critical system. Ransomware can be prevented, but there is no single solution. The Center for Internet Security (CIS) sets out a series of best practices for protecting against ransomware, which include:
- Maintain an incident response plan
- Use prompt and regular patches
- Have multiple iterative backups
- Control internet access and prevent employees from navigating to malicious websites
- A layered security approach: an email filter and content filtering solutions to prevent phishing emails
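As an added example (not code from the original article or from any vendor product), here is a minimal illustration of the "prevent employees from navigating to malicious websites" item: a DNS-filtering style check that matches queried names against a blocklist. The blocklist domains, the client addresses and the resolver log format are all constructed for the example, and no real indicators are used. It contrasts the tempting naive substring check with a label-aware suffix match, because the naive form blocks unrelated look-alike names and misses a mixed-case query.

```python
"""DNS-filtering check over constructed resolver log lines (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed blocklist for the example: hypothetical names, not real indicators.
BLOCKLIST = {
    "evil-invoice-portal.example",
    "cdn.malware-drop.test",
}

# Constructed query log in a hypothetical format: "<timestamp> <client> <qtype> <qname>".
SAMPLE_LOG = """\
2021-05-06T09:14:02Z 10.0.5.21 A www.example.com
2021-05-06T09:14:05Z 10.0.5.21 A evil-invoice-portal.example
2021-05-06T09:14:09Z 10.0.5.33 A login.evil-invoice-portal.example.
2021-05-06T09:14:11Z 10.0.5.33 A notevil-invoice-portal.example
2021-05-06T09:14:15Z 10.0.5.40 AAAA CDN.Malware-Drop.TEST
2021-05-06T09:14:18Z 10.0.5.40 A malware-drop.test
"""


def normalize(qname: str) -> str:
    """Canonicalize a DNS name: strip the trailing root dot and lower-case it."""
    return qname.rstrip(".").lower()


def naive_is_blocked(qname: str, blocklist: set[str]) -> bool:
    """The tempting but wrong check: plain substring match on the raw name."""
    return any(bad in qname for bad in blocklist)


def is_blocked(qname: str, blocklist: set[str]) -> bool:
    """Block when the name equals a listed domain or is a subdomain of one.

    Matching is done on whole labels, so 'notevil-invoice-portal.example'
    is not caught by 'evil-invoice-portal.example', while
    'login.evil-invoice-portal.example.' is.
    """
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


@dataclass(frozen=True)
class Decision:
    client: str
    qname: str   # normalized name
    action: str  # "block" or "allow"


def filter_log(log: str, blocklist: set[str]) -> list[Decision]:
    """Apply the blocklist to each well-formed log line and record the decision."""
    decisions = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line; a real filter would log it for review
        _ts, client, _qtype, qname = parts
        action = "block" if is_blocked(qname, blocklist) else "allow"
        decisions.append(Decision(client, normalize(qname), action))
    return decisions


def clients_with_blocked_lookups(decisions: list[Decision]) -> set[str]:
    """Hosts that tried to reach a blocked domain: candidates for IR follow-up."""
    return {d.client for d in decisions if d.action == "block"}


if __name__ == "__main__":
    results = filter_log(SAMPLE_LOG, BLOCKLIST)
    for d in results:
        print(f"{d.action:5s} {d.client:10s} {d.qname}")
    print("follow up on:", sorted(clients_with_blocked_lookups(results)))
```

Two details matter in practice. First, a listed host name such as cdn.malware-drop.test does not block its parent malware-drop.test; if the whole zone is hostile, list the parent, and the suffix match then covers every subdomain. Second, the clients that queried a blocked name are as useful as the block itself: each one is a host that may already have opened a phishing email, which is the incident response lead the CIS plan item above asks you to be ready for.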
Ransomware is a lucrative business for cybercriminals, and the RaaS model opens that business to a far wider pool of attackers. Our critical infrastructures are the beating heart of society and must be protected with vigor, which takes an approach spanning people, processes, and technology. An Executive Order from President Biden (Executive Order 14028, Improving the Nation's Cybersecurity) was released soon after the attack on Colonial Pipeline as a response to attacks on public and private infrastructure. Its policy statement says:
“It is the policy of my Administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security.”
Ransomware prevention is a priority for any organization involved in delivering critical infrastructure services, including its supply chain vendors. Cutting off the most common entry points for ransomware by enforcing these best practices is imperative across the CI of all our nations.
Protect against ransomware attacks with TitanHQ multi-layered security. Combining email protection with DNS filtering greatly reduces the chance that a single click on a phishing email turns into an infection. Speak to a TitanHQ security expert to discover how we can protect your organization. Talk to an expert today.