Colonial’s Ransom Payment Indicates Severity of Threats

Last week Joseph Blount, the CEO of Colonial Pipeline, told The Wall Street Journal that he authorized the ransom payment of $4.4 million to the hackers who broke into computer systems and caused major disruption to the East Coast’s gas supply.

In the interview, Blount acknowledged the “highly controversial” nature of the decision, and admitted the decision did not come easy.

“I didn’t make it lightly,” he said in the interview. “I will admit that I wasn’t comfortable seeing money go out the door to people like this.”

Blount’s high-profile interview, and the revelation that the ransom had been paid to restore access to systems controlling critical infrastructure, highlight just how serious the threat from hackers is, and offer insights into the ways in which organizations could be forced to deal with ransomware.

“We require CEOs to act in the best financial interest of their companies,” John Bambenek, threat intelligence advisor at Netenrich, explained. “Ransomware, as a general rule, is able to construct the economics in their favor. Consumers probably paid more than $4.4 million in higher gas prices during the incident.”

He said that if the economics are in favor of paying, most companies will pay, but he noted that even though Colonial paid, the decryption was still too slow. In other words, paying a ransom doesn’t guarantee results.

“Because of the unique response to this attack, some ransomware operators may quit or simply re-emerge under a new brand,” Bambenek noted. “There are simply too many vulnerable targets for this threat to go away, and for every major incident you hear about, there are 100 that are unnoticed.”

Andrew Barratt, managing principal, solutions and investigations at Coalfire, a provider of cybersecurity advisory services, said he was impressed by the humility of a leader who openly acknowledged he was willing to do this, despite knowing he would be lambasted widely in the media and subjected to lots of “hindsight” expertise.

“These are incredibly tense, high stress situations – and that’s just what we see as an incident responder. When a CEO is facing a quick route to free-flowing fuel supply again that buys them time, I can’t blame them for taking it,” he said. “The stakes are high, millions of people were affected or becoming concerned about energy security. The value amounts to a fraction of a percent of their annual revenue – the reality is, it was a very simple decision in the moment.”

Barratt said this ransomware attack shows that this type of threat is becoming more and more commercialized and hyper localized, and that criminals are getting more brazen with their ransom requests.

“This will continue to be a cash-out vehicle for them,” he said. “It’s cheaper and easier than many alternatives, and my experience in this area tells us that often, the fastest path to a pay day is the one selected. We’re getting better at protecting our data from theft, not least because of the legal frameworks that insist on a multitude of security controls, so criminals have to target other assets that they can leverage for financial return.”

Organizations should ensure they have good legal counsel, depending on the jurisdiction they are in – and, in some cases, the jurisdiction where the insurance carriers are based – as there is a variety of legal considerations as to whether there is exposure.

“Generally, corporations rely on insurance companies and/or their IR providers to handle this,” Netenrich explained. “Organizations should make sure their vendors can handle this, and have handled this before.”

In Barratt’s mind, there should always be a plan; that plan should include your cybersecurity advisors – and your treasurer, in the event a payment is made – as well as an understanding of the way cryptocurrencies are handled.

“However, this is like deciding whether to learn how to fight or how to deal with a severe trauma wound before accepting your first boxing match,” he said.

He predicted ransomware perpetrators would continue to follow the money, and with the global retail economy hit so hard during the COVID-19 pandemic, a pivot toward other cash-rich industries has been undertaken.

Overall, organizations must take ransomware more seriously as it will continue to be one of the most prevalent cyberthreats, and it continues to be very costly for many businesses – the price you pay for not being prepared is on the rise.

“As the world reboots from the COVID-19 pandemic, I’d expect to see ransomware follow similar trends, but focusing on, in particular, middle market companies that are perhaps light on cyber capability, yet still relatively cash rich,” he said.

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
