Anatomy of the Colonial Ransomware Attack
Colonial paid $5 million in ransom within several hours of the attack and received the necessary tools from Darkside to begin recovery operations. However, the tools provided ran too slowly to be effective. Therefore, Colonial pivoted to restoring the network using company-made backups. On May 12, Colonial indicated that they had begun restoring pipeline operations, and all pipeline operations were running normally as of May 15.
What is Ransomware?
Lessons Learned from the Colonial Incident
Ransomware Attacks Often Result from Phishing Emails
Ransomware Often Evades Anti-Malware Tools
AppLocker and Controlled Folder Access are two forms of white-listing tools, and Microsoft includes both these tools in business-oriented versions of Windows 10. AppLocker is a tool usually administered by IT staffers. With this tool, you can specify all the approved applications authorized to run on a given device. If ransomware gets installed onto the device – by clicking a malicious link, for example – AppLocker should block it from running because the ransomware will not be on the approved software list.
Similarly, Controlled Folder Access blocks unapproved applications from making changes to data files in folders designated explicitly by a user. By doing so, Controlled Folder Access minimizes the risk that ransomware compromises your data. Of course, no method of preventing ransomware is foolproof. However, using one or both of these techniques may reduce your chances of becoming another victim of a ransomware attack.
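As an added example of how both controls are configured (this is not from the article; the folder, application and download paths are placeholders), the following PowerShell enables Controlled Folder Access and builds an AppLocker policy from already-installed software, putting both into audit mode first so the logged events show what would be blocked before enforcement is turned on:

```powershell
# Added example (not from the article): run in an elevated PowerShell session on
# Windows 10 Pro/Enterprise. Folder and application paths below are placeholders.
#Requires -RunAsAdministrator

# --- Controlled Folder Access (Microsoft Defender) ---------------------------
# Requires Defender real-time protection. AuditMode logs what would be blocked
# (event 1124 in Microsoft-Windows-Windows Defender/Operational) without
# blocking; switch to Enabled once trusted apps have been allow-listed.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Protect the folders holding the data you would otherwise restore from backup.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance', 'D:\Engineering'

# Allow-list the legitimate applications that must write to those folders.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleERP\erp.exe'

# Verify the resulting configuration.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications

# --- AppLocker ---------------------------------------------------------------
# AppLocker enforcement depends on the Application Identity service.
sc.exe config appidsvc start= auto
Start-Service -Name AppIDSvc

# Build allow rules from the software already installed: publisher rules where
# files are signed, hash rules otherwise. -Optimize merges duplicate rules.
$policy = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe, Script |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize

# Deploy in audit mode first: event 8003 records executables that would have
# been blocked without stopping them. Change 'AuditOnly' to 'Enabled' to enforce.
# Note: Set-AppLockerPolicy without -Merge replaces the existing local policy.
$policy.RuleCollections | ForEach-Object { $_.EnforcementMode = 'AuditOnly' }
Set-AppLockerPolicy -PolicyObject $policy

# Check how the policy would treat a file a user just downloaded (placeholder path).
Test-AppLockerPolicy -PolicyObject $policy -Path "$env:USERPROFILE\Downloads\invoice.exe" -User Everyone
```

Review the AppLocker 8003 and Defender 1124 events for a few weeks before switching either control to enforcement, so that line-of-business tools are not blocked unexpectedly.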
Prepare for the Eventuality that You May Become a Victim
Of course, restoring from a backup is only an option if you have a backup strategy that is appropriate and all-encompassing. To that end, ensure that your backups capture all necessary data files. Further, your backups should have an “air gap.” In this context, an air gap is a backup configuration that ensures companies store their backups offline, disconnected from the network. This step is necessary to ensure that the same ransomware that affects the data does not encrypt the backup media. Without an appropriate air gap, ransomware can compromise a company’s data and its backups.