Does Colonial Pipeline Deserve Money Back From Government Investigation?

On June 7th, 2021, the Department of Justice rang the bells in announcing the recovery of $2.3 million of the ransom that was paid to cyber criminals by Colonial Pipeline. The investigation that led to the historical recovery was in no doubt unique on it's own, as it was the first time that amount of ransom was left sitting in the same Bitcoin account that it had been originally delivered and eventually hacked resulting in its recovery. 

As many tout on the recovery of funds for Colonial Pipeline, many are questioning if they should receive that money back. Should a company be rewarded for possible negligence in implementing standard cybersecurity protections against ransomware?  

Government Recovered About Half of Colonial Pipeline's ransom

On Monday June 7th, 2021, the Department of Justice announced the recovery of about half of the ransom amount that was collected by cyber criminals associated with DarkSide, a notorious Ransomware-as-a-Service company that gives tools to criminals to make hacks while charging a profit and undergoing attacks on their own. Court documents released in the Colonial Pipeline case say "the FBI got in using the encryption key linked to the Bitcoin account to which the ransom money was delivered."¹

It is very uncommon for Ransomware money to be recovered because criminals keep the money moving making it hard to track. These particular cyber criminals were caught making a huge mistake. The money was split into different crypto wallets with one in particular holding the $2.3 million, which sat in the account longer than usual, allowing it to be identified. Officials then somehow hacked into the private key that guarded the account, seizing the money and shouting for victory.

But is this a victory we should be boasting about when according to MarketWatch "roughly 1,000 businesses every week are being hit by hacks that lock up computer networks for ransom".² In addition to the frequency of these attacks, the cost of ransomware continues to rise to the point where cyber insurance companies could soon choose to shut its doors. 

Neither government intervention nor cyber insurance can solely be your security plan. 

Cybersecurity Negligence will Cost You

The CEO of Colonial Pipeline made the decision to pay the ransom that totaled $4.4 million in an attempt to get the business up and running as soon as possible. When asked if Colonial's cybersecurity response planning had a focus related to ransom, the CEO Joseph Blount stated  "Specifically no, no discussion on ransom".3 

Ransomware is finding a permanent spot in our news stories with now even the Federal Government rolling out an Executive Order and Memo to bring awareness to businesses to take action. We have seen an increase of attackers on infrastructure companies where we are now all being affected by the actions of cyber criminals and by irresponsible businesses that continue to operate while taking security protections for granted. 

How Businesses Can Take the First Step to Cyber Protection

Large or small, every business can work to improve where Colonial failed. In this case, the cyberattack victim failed in at least three of four best practice areas: 

1. Clean Copy of Data 
   It’s been reported that the intruder had stolen at least 100GB of data a week prior to the incident, indicating Colonial’s data was being stored in an insecure environment. Businesses can minimize their vulnerability to cyber threats and incidents with comprehensive data protection and verified backups. 
   
   
2. Proactive Threat Hunting 
   While Colonial may have been utilizing an MDR (Managed Detection and Response) program, the technology may not have been advanced enough to catch the threat. Businesses can strengthen their security posture by investing in modern SOCaaS threat detection services that actively and quickly contain the threat rather than simply alert. 
   
   
3. Visibility into Security Gaps 
   While threat hunting is important, the most secure businesses will also utilize recurring security scanning to better understand their security environment and how a threat could penetrate their system in the first place. Additionally, using network segmentation and vulnerability testing can limit the horizontal infiltration of ransomware. This is particularly important in situations where there are zero-day exploits, for which threat detection signatures may not yet be available.
   
   
4. Incident Response Planning 
   While Colonial Pipeline has stated that they are actively developing a Systems Restart Plan, businesses can stay ahead of the curve by already having a comprehensive disaster recovery and business continuity plan in place to respond quickly and efficiently to cyberattacks and other incidents. 

<sup>1. https://www.npr.org/2021/06/08/1004223000/how-a-new-team-of-feds-hacked-the-hackers-and-got-colonial-pipelines-bitcoin-bac
2. https://www.marketwatch.com/amp/story/ransomware-boom-comes-from-gangs-that-operate-like-cloud-software-unicorns-a-truly-incredible-business-model-11623168504
3. https://www.cnn.com/business/live-news/us-cyberattacks-cybersecurity-06-08-21/index.html</sup>