Colonial Pipeline fallout: Thwarting ransomware attacks requires collective defense

For executive leadership teams, the key takeaway of the executive order, signed May 12, rests in this one sentence: “The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the federal government to foster a more secure cyberspace.”

The executive order further calls for the development of a “playbook”—standardized operational procedures addressing cyber-security vulnerability and incident response—by federal agencies that “will also provide the private sector with a template for its response efforts,” states a White House fact sheet.

The average ransom payment in the United States, Europe, and Canada was $312,493 in 2020—a 171 percent spike from the $115,123 average ransom payment in 2019.

The executive order imposes new obligations on federal contractors in particular. For example, information and communications technology service providers will be required to “promptly report” cyber-incidents “involving a software product or service” or “involving a support system for a software product or service” provided to federal agencies.

Additionally, new contract language will require software suppliers who partner with federal agencies “to comply with, and attest to complying with,” newly implemented security measures for critical software that will be outlined in forthcoming guidance.

But the executive order fails to address one critical underlying issue: skyrocketing ransomware demands and the payments of them. It is by no means trivial the executive order comes at a time when ransomware attacks continue to grow in scope and severity, like the one that targeted Colonial Pipeline on May 7, prompting the immediate shutdown of a 5,500-mile pipeline that carries roughly half of the fuel supply for the United States’ East Coast. 

In an interview with the Wall Street Journal, Colonial Pipeline CEO Joseph Blount acknowledged paying a $4.4 million ransom, reasoning it was unknown to what extent the hackers breached the company’s network and, thus, how long it would take to restore the pipeline. Blount said he did not make this “highly controversial decision” lightly but decided “it was the right thing to do for the country.”

The ransomware attack against Colonial Pipeline prompted the Department of Homeland Security’s Transportation Security Administration (TSA) to issue a cyber-security directive that will enable it “to better identify, protect against, and respond to threats to critical companies in the pipeline sector,” the agency stated. The directive will require critical pipeline owners and operators “to report confirmed and potential cyber-security incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA) and to designate a cyber-security coordinator, to be available 24 hours a day, seven days a week.”

Additionally, the directive will require critical pipeline owners and operators to review their current practices and identify any gaps and related remediation measures to address cyber-related risks and report the results to the TSA and CISA within 30 days. The TSA stated it is also considering “follow-on mandatory measures that will further support the pipeline industry in enhancing its cyber-security and that strengthen the public-private partnership so critical to the cyber-security of our homeland.”

Ransomware-as-a-service

According to a statement by the Federal Bureau of Investigation (FBI), the ransomware attack that targeted Colonial Pipeline was carried out by DarkSide, a criminal syndicate that maintains its lucrative operation by creating and renting its malware in exchange for a cut of ransoms obtained.

Thanks to the burgeoning “ransomware-as-a-service” market, cyber-criminals don’t even need technical skills to carry out a ransomware attack. “The barriers for entry are pretty low, and the return on investment is pretty high,” says Michael Daniel, former White House cyber-security coordinator during the Obama administration and now president of the Cyber Threat Alliance.

Without coming up with a collective solution to thwart them, ransomware attacks will continue to have devasting consequences on companies of all sizes in all sectors. According to Palo Alto Networks’ “Ransomware Threat Report,” the average ransom payment in the United States, Europe, and Canada was $312,493 in 2020—a 171 percent spike from the $115,123 average ransom payment in 2019.

Palo Alto Networks’ data also showed the highest publicly reported ransom payment doubled from $5 million in 2019 to $10 million in 2020, while the highest ransomware demand doubled to $30 million. Such figures represent only a baseline, however, as many ransomware attacks and payments go unreported.

If recent reports are any indication, 2021 ransom payments in the United States are already at an astronomical level. In addition to Colonial Pipeline, CNA Financial reportedly paid a $40 million ransom after it was attacked in March. Computer giants Acer and Apple each were hit with $50 million ransom demands in March and April, respectively. Both were carried out by REvil, another ransomware-as-a-service provider.

Cyber-criminals are as effective as they are because “they find a way to put a boot on the throat of organizations,” Raj Samani, chief scientist at cyber-security firm McAfee, said at the NOW + NEXT Cyber Conference held virtually on May 25. They know that critical infrastructures cannot afford to seize operations for very long or that healthcare organizations cannot afford to release sensitive patient data, for example, putting them in a vulnerable situation to just pay the ransom.

But paying a ransom also comes with compliance risks. As the Office of Foreign Assets Control (OFAC) warned in an October 2020 advisory, paying ransoms potentially results in compliance violations if the cyber-criminal demanding the payment has a sanctions nexus.

Worse yet, as the FBI noted, ransom payments often fund other types of organized crime, including human trafficking, child exploitation, and terrorism. The FBI recommends never paying a ransom, “as there is no guarantee that the scammer will send you the decryption key.”

Cyber-defense measures

While preventing every ransomware attack might not be possible, companies can reduce their risk by taking steps to strengthen their networks. These steps include patching known vulnerabilities; limiting user privileges; and perhaps most importantly, not only maintaining data backups but keeping those backups offline, advises Jeffrey Gorton, a senior principal consultant at ACA Aponix.

Cyber-liability insurance comes with a catch: It may make you more vulnerable to a ransomware attack.

Failure to keep data backups is a common reason why many organizations are forced to pay ransoms. “A number of organizations don’t have good backups, so they’re at the mercy of these criminals,” said Harry W., technical director for incident management at the National Cybersecurity Center, speaking on a panel at the NOW + NEXT Cyber Conference.

Palo Alto Networks further recommends having an appropriate recovery process in place, in addition to data backups. “Recovery processes must be implemented and rehearsed with critical stakeholders to minimize downtime and cost to the organization in the event of a ransomware attack,” its threat report states.

Companies should also consider having in place cyber-liability insurance, as there are options that cover at least a portion of the expenses associated with a ransomware attack. “I view cyber-liability insurance as a safety net, not as a frontline defense,” says Jeff Dennis, who heads the Privacy and Data Security practice at law firm Newmeyer Dillion. “Cyber-liability insurance goes hand-in-fist with strong cyber-security defenses.”

Cyber-liability insurance comes with a catch, however: It may make you more vulnerable to a ransomware attack. When cyber-criminals target cyber-insurance companies, they then have access to a list of their insured clients, which cyber-criminals can then use to their advantage to demand a ransom payment that mirrors the limit of a company’s coverage. “One of the things I counsel my clients is, if you do have cyber-liability insurance, don’t keep it online,” Dennis says.

The long-term solution may be for the cyber-insurance industry to start requiring their insureds to meet minimum standards to qualify for ransomware coverage. “It would force companies to have a little skin in the game and improve their defenses while still having that safety net,” Dennis says.

The alternative, if the cyber-insurance industry continues to get hit with large ransom payouts, is that carriers may begin dropping ransomware coverage. There has been at least once instance of this, when insurance giant AXA Group announced on May 6 that it will no longer reimburse ransomware payments for its customers in France.

Collective defense

One of the most contentious debates in the cyber-security community is whether banning ransom payments altogether is the answer. The argument for such a ban is that if everybody stops paying ransoms, cyber-criminals would stop launching ransomware attacks, because it would no longer be profitable.

“Ultimately, we want to get to a place where we can prohibit ransomware payments, but we’re not in a position to do that yet because there are a lot of policies and structures that need to be put in place to make that a realistic possibility,” Daniel says. “Right now, we would put companies in an impossible situation.”

This is particularly so because ransomware attacks increasingly are targeting organizations that traditionally do not on their own have the time or resources necessary to strengthen their cyber-defenses—such as hospitals, schools, and local governments. While there are free resources available, like nomoreransom.org, that offer a depository of keys and applications that can decrypt data locked by various types of ransomware, just having these resources doesn’t go far enough.

“If you’re going to think about banning payments, you have to do it in a way where you have a safety net,” says Jen Ellis, an executive at cyber-security firm Rapid7. Ellis is one of more than 60 members of an international coalition from industry, government, law enforcement, civil society, and international organizations working together toward the collective goal of advocating for “a unified, aggressive, comprehensive, public-private anti-ransomware campaign.”

In some ways, the efforts of the taskforce mirror President Biden’s executive order, but they are specific to ransomware attacks. “The United States should lead by example and execute a sustained, aggressive, whole of government, intelligence-driven anti-ransomware campaign, coordinated by the White House,” the taskforce stated in a report published April 2 by the Institute for Security and Technology.

In that report, the taskforce came up with 48 recommendations that should be made before the banning of ransomware payments can be a viable option. Among those recommendations, the report states, governments should “establish cyber response and recovery funds to support ransomware response and other cyber-security activities; mandate that organizations report ransom payments; and require organizations to consider alternatives before making payments.”

Another recommendation calls for an “internationally coordinated effort” to “develop a clear, accessible, and broadly adopted framework to help organizations prepare for, and respond to, ransomware attacks. In some under-resourced and more critical sectors, incentives (such as fine relief and funding) or regulation may be required to drive adoption.”

The taskforce’s recommendations fill a void not addressed by the executive order and might encourage a stronger collective defense to ransomware attacks when considered together. “Are we ever going to drive ransomware completely out of the digital ecosystem? I don’t think so,” Daniel says. “But can we reduce it from being a national health and public safety threat? Yes, we can definitely do that.”