Expert commentary - Colonial Pipeline pays $5 million ransom
May 2021 by Trustwave
Commentary from two security professionals at Trustwave on the recent news that Colonial Pipeline has paid the $5 million ransom to the hacking group Darkside.
Ziv Mador, VP of Security Research, Trustwave:
“Organizations are caught between a rock and a hard place when faced with the decision of paying ransomware. If more organizations don’t pay the ransom, the hackers’ business model becomes less profitable, and we can slowly edge closer to killing their line of work. The issue is that today, each organization uses its own judgement on whether or not to pay – based on their need to recoup their valuable data or keep their critical operations afloat. Sometimes paying the ransom is much cheaper than the direct and indirect damages from not paying. Governments can try to pass laws that will disallow companies from paying, but that could be troublesome because they would be forcing companies to lose money and intentionally hurt their own business.
The ideal scenario is that through international collaboration, cybersecurity companies and government agencies can work to arrest and charge these ransomware actors. Making an example out of those that are caught may deter some attackers. But the issue with this approach is that some of the larger, more advanced ransomware gangs are operating from what seem to be safe-haven regions, where such international collaboration just doesn’t happen. The cure for the ransomware pandemic very well might lie in the hands of country leaders and their willingness to band together to put immense pressure on safe-haven regions.”
Darren Van Booven, Lead Principal Consultant, Trustwave and former CISO of the U.S. House of Representatives:
“Colonial Pipeline initially said the pipeline shutdown was precautionary in nature. If the OT environment around the pipeline operations was properly segregated and secured apart from the Colonial administrative systems, then the pipeline shouldn’t have been in any danger. If the ransomware infiltrated the administrative networks only, Colonial might have been greatly impacted, but the pipeline could have continued to run. The alleged payment of $5M in ransom seems excessive in the situation where the pipeline wasn’t in any real danger. The OT environment could have been somehow affected due to poor security, separation of OT from IT admin systems, or otherwise.”