Summary
Are you backing up your WEBSITE?
Show Notes
UPDATE to last week's Headlines:
Darkside Ransomware breach on Colonial Pipeline – discuss what happened and the repercussions after our tech tip
This Week's Security Tip:
While most businesses understand the importance of backing up their server and files, many forget to back up their website!
Most sites are hosted on a third-party platform like HostGator or WordPress. However, these hosts have limits on what they back up, and the Terms and Conditions you agreed to most likely waive their responsibility to preserve and back up your files and data.
Therefore, if you’re posting a lot of new content, you should be backing up your site weekly if not daily. Hackers can (and do!) corrupt websites all the time. If you don’t want to have the cost of a down website and the cost of rebuilding it, back up your website!
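As an added example (not from the show or any host's own tooling), the script below does the weekly-or-daily backup the tip calls for on a Linux host with shell access: it archives the site's document root, adds a MySQL dump when `mysqldump` and a database name are available (a WordPress-style layout is assumed), writes a SHA-256 sidecar so a backup can be verified before you rely on it, and rotates old archives. Paths and the database name are placeholders you supply.

```shell
#!/bin/sh
# Added example: website backup with integrity check and rotation.
# Assumes a Linux host with tar, sha256sum and (optionally) mysqldump.
set -eu

# backup_site <docroot> <backup_dir> [db_name]
# Copies the document root (the files your host's T&Cs don't promise to keep),
# dumps the database if a name is given and mysqldump exists, archives both,
# writes <archive>.sha256, and prints the archive path.
backup_site() {
  local docroot="$1" dest="$2" db="${3:-}"
  local stamp work archive
  stamp=$(date -u +%Y%m%dT%H%M%SZ)   # sortable, so rotation works by name
  work=$(mktemp -d)
  mkdir -p "$dest"
  cp -R "$docroot" "$work/files"
  if [ -n "$db" ] && command -v mysqldump >/dev/null 2>&1; then
    mysqldump --single-transaction "$db" > "$work/db.sql"
  fi
  archive="$dest/site-$stamp.tar.gz"
  tar -C "$work" -czf "$archive" .
  sha256sum "$archive" | cut -d' ' -f1 > "$archive.sha256"
  rm -rf "$work"
  echo "$archive"
}

# verify_backup <archive>: fails if the checksum sidecar does not match or the
# tarball cannot be read. Run this after every backup, not only at restore time.
verify_backup() {
  local archive="$1"
  [ "$(sha256sum "$archive" | cut -d' ' -f1)" = "$(cat "$archive.sha256")" ] || return 1
  tar -tzf "$archive" >/dev/null
}

# prune_backups <backup_dir> <keep>: delete all but the newest <keep> archives.
# Names embed a UTC timestamp, so glob order is chronological.
prune_backups() {
  local dest="$1" keep="$2" n=0 f
  for f in "$dest"/site-*.tar.gz; do [ -e "$f" ] && n=$((n + 1)); done
  for f in "$dest"/site-*.tar.gz; do
    [ "$n" -gt "$keep" ] || break
    rm -f "$f" "$f.sha256"
    n=$((n - 1))
  done
}
```

Schedule `backup_site` from cron and copy the archive off the hosting account; a backup that lives only on the compromised host is lost with it.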
Darkside Ransomware breach on Colonial Pipeline
- Spelling mistakes in the ransom note and grammatical constructs of the sentences suggest that the writers are not native English speakers.
- The malware checks the default language of the system to avoid infecting systems based in the countries of the former Soviet Union.
- The design of the ransom note, wallpaper, file encryption extension and details, and inner workings bear similarities to “REvil” ransomware, which is of Russian origin and has an extensive affiliate program. This shows the evolution path of this ransomware and ties it to other Russian-origin ransomware families.
- The affiliate program is offered on Russian-language forums XSS and Exploit.
Timeline:
- Thursday, May 6, 2021 – Hackers Launch Colonial Pipeline Cyberattack: the attackers stole 100 gigabytes of data before locking computers with ransomware and demanding payment (undisclosed original amount, estimated ~$100mill). The breach came through a phishing attack, and the sales and billing network was encrypted. Colonial then hired FireEye.
- Friday, May 7, 2021: Colonial Pipeline paid $4.4mil to Eastern European hackers on May 7, 2021, contradicting reports that the company had no intention of paying an extortion fee to help restore the country’s largest fuel pipeline.
- Saturday, May 8, 2021: U.S. Government Assists Attack Response: Colonial Pipeline, unnamed U.S. companies and several U.S. government organizations (including the White House, the FBI, CISA and NSA) shut off key servers operated by the hackers. The steps stopped the flow of stolen Colonial Pipeline data from the United States to alleged hacker locations in Russia.
- Tuesday, May 11, 2021:
  - CISA-FBI Advisory: CISA and the FBI issued a cybersecurity advisory describing DarkSide ransomware and associated risk mitigation strategies.
  - Colonial Pipeline’s Website Offline: The company’s site was offline for a portion of the day.
  - Colonial Pipeline Statement 5: The company described alternative fuel shipping strategies now in place amid the effort to safely restore the pipeline.
- Monday, May 10, 2021:
  - Alleged Russia Connection: President Biden directly blamed Russia for the Colonial Pipeline attack as a "state hack", then in a later statement walked that back and suggested that Russia may deserve some blame for the attack since the hackers and/or their software are allegedly located within Russia’s borders.
  - FBI Statement: The FBI confirmed that DarkSide ransomware is responsible for the compromise of the Colonial Pipeline networks.
  - The Secretary of Energy issued an emergency waiver allowing gasoline that does not meet EPA emissions standards to be stored, moved, and sold. On May 11th, 3 million barrels (125mil gallons) came in that did not meet the EPA emissions requirements. It was not reported how much was obtained over the waiver period, which runs to May 18th.
- Wednesday, May 12, 2021: Colonial Pipeline Restarts Pipeline Operations: The restart began at about 5:00 p.m. ET, though the company indicated it would take several days for the delivery supply chain to return to normal. The update did not mention the cyber incident investigation.
- Thursday, May 13, 2021: Full system restart. Biden signs an Executive Order that:
  - removes contractual terms that may limit "information sharing" with CISA, NSA, and the FBI;
  - requires service providers (including cloud service providers) to preserve data to be named later, provide that information, and share all related information, including proprietary network and security information, with the federal government;
  - begins discussion of a zero-trust framework for the federal government, as practical;
  - creates a Cyber Safety Review Board, to convene after "major" incidents, made up of the FBI, DOJ, DOD, NSA, and select private-sector members;
  - appoints a National Cyber Director;
  - requires FCEB networks to employ tools for host-level visibility, attribution, and response, without authorization.
- May 15th: Biden spoke with Putin, blamed him for the SolarWinds hack and 2020 election interference, and imposed sanctions and the expulsion of diplomats.
Next Week's Teaser: Lie, lie, lie!
Call to Action: We talk a lot about stupid (nothing bad ever happens to me; head in the sand; too busy; I’ll do it later). So what’s smart? Taking this seriously TODAY. Book a 10-minute Discovery Call right now. I’ll ask some key questions and give you a quick score. If you’re doing everything right, you can sleep better at night. If there’s room for improvement, we’ll discuss options. NO PRESSURE, NO STRINGS. JUST BOOK THE CALL!
What is Stupid... or Just Irresponsible??
People do the dumbest things! (Myself included) And then get so upset when it blows up in their face. We're here to break down the stupid, the irresponsible, the reckless, and the absurd where technology is concerned. As an added bonus, we'll see if we can't learn something in the process.