Colonial Pipeline & JBS: What Happened?

16 August 2021

In our last entry, we looked at a broad overview of ransomware attacks, how they work, and some of the special challenges associated with combating them. We mentioned in that piece that one of the few silver linings is that such breaches have become much less prominent, though no less damaging, in the last few years. To punctuate that assessment, today we’re going to look at two very recent, high-profile incidents: the Colonial Pipeline and JBS attacks. The stories are surprisingly similar and paint a clear picture of how deeply ransomware can cut.

In early May 2021, suspected representatives of Eastern European cybercrime outfit DarkSide breached Colonial Pipeline’s billing system, encrypted and stole roughly 100 gigabytes (GB) of data, and then threatened to both withhold the decryption tool and release the data publicly unless they were paid 75 bitcoins (equivalent to about USD 5 million at that time). Because Colonial could not bill customers and was unsure what other facets of operational security had been compromised, they were forced to shut down the pipeline—which carries fuel to most of the Southeast—for nearly a week. They also had to pay the ransom to prevent their compromised data from being leaked or lost, though the FBI has subsequently recovered a large portion of the payment.

Nearly a month later to the day, JBS, the world’s largest beef supplier, was victimized by a similar attack. Cybercriminals suspected to represent Eastern European outfit REvil—believed to be either a parent or sister organization to DarkSide—breached JBS’s systems and encrypted vital operational data (the company has declined to publicly specify what sort of data was compromised or whether there were other threats made, like public disclosure of said data). As with Colonial Pipeline the month before, JBS was forced to shut down large parts of their operation for several days, primarily processing plants in the US and Australia. They also paid the ransom to protect and preserve their data, this time to the tune of about USD 11 million.

These instances may signal some kind of a return to prominence for ransomware schemes, or at least a sharp uptick in the size of associated demands and scope of potential targets. They also show how cybersecurity best practices may have been upended by the pandemic, especially in the case of the Colonial Pipeline breach and the compromised password that may have been to blame. Unfortunately, we won’t know for certain what implications these attacks have until much later.

From a national security standpoint, the attacks on Colonial Pipeline and JBS directly affected the food and fuel supplies in the United States, both of which have been identified as prime targets for maximum damage by experts; there is some concern that these latest incidents could portend a larger cyber assault. Whether that’s the case or not, it’s clear that our cybersecurity standards—even in vulnerable segments—are not what they could or should be. Change is necessary, but it will only be effective if the private sector is fully on board.
