The Colonial Pipeline Ransomware Attack: Lessons Learned

By now, most are familiar with the ransomware attack committed against Colonial Pipeline. While the aftershock of this event will last for years, there are immediate lessons we can – and should – learn from this cybersecurity incident. In this article, we will examine what happened and what Colonial did in response. We will also look at what we can do to reduce the likelihood of becoming another ransomware victim.


Anatomy of the Colonial Ransomware Attack

As reported by multiple news outlets, Colonial Pipeline fell victim to a ransomware attack on May 7, 2021. The hacking group DarkSide claimed responsibility for the attack, which forced Colonial to shut down a major pipeline that carries gasoline, diesel fuel, and jet fuel throughout the Southeast and Atlantic Seaboard portions of the United States. As a result, millions of people in the affected states experienced shortages of fuel, food, and other materials. Colonial has not disclosed how the ransomware infiltrated the network. However, DarkSide purportedly stole 100 gigabytes of data from Colonial the day before the attack and allegedly threatened to leak portions of that data unless Colonial paid the ransom.

Colonial paid $5 million in ransom within several hours of the attack and received the necessary tools from DarkSide to begin recovery operations. However, the tools provided ran too slowly to be effective. Therefore, Colonial pivoted to restoring the network from the company's own backups. On May 12, Colonial indicated that it had begun restoring pipeline operations, and all pipeline operations were running normally as of May 15.

What Is Ransomware?

Ransomware is a form of malware that infects a computer or a network and encrypts the data, rendering it unusable. Generally, the attack’s perpetrators offer to provide a “key” to the victim so they can decrypt the data and return it to a usable state. However, to receive the key, the victim must pay a ransom. The perpetrators typically require the victim to pay the ransom in cryptocurrency because of its presumed untraceable nature. If the victim pays the ransom and the hackers provide the key in return, the victim can recover their data. Unfortunately, in some cases, the hackers receive the ransom but do not provide the recovery key, leaving the victim without their data and without the money paid.

Lessons Learned from the Colonial Incident

We can learn many lessons from the Colonial Pipeline ransomware event, and these lessons extend to individuals and businesses alike. First and perhaps most importantly, we should understand that no individual, company, computer, or network is immune from the threat of ransomware. In fact, ransomware attacks increased 62% from 2019 to 2020, with 304,000,000 attacks reported in 2020, according to Statista. In business environments, ransomware knows no boundaries, impacting businesses of all sizes in virtually all industries. Therefore, if your company has not yet developed a response plan, now is the time to do so.

Ransomware Attacks Often Result from Phishing Emails

One of the most common means used by cybercriminals in ransomware attacks is phishing email. With this attack vector, the criminals send emails containing malicious links or attachments, and if recipients click those links or open those attachments, they become yet another ransomware victim. Therefore, do not click links or open attachments in emails received from persons you do not know, or if you were not expecting links or attachments in the message. Better still, enable spam filtering to block inbound emails containing links or attachments.

Ransomware Often Evades Anti-Malware Tools

The nature of ransomware is such that it often evades anti-malware tools. Ever-evolving strains of ransomware frequently morph so that new versions of the malicious software continually appear. Because these versions are fresh and the anti-malware tools have not yet seen them, the tools do not classify them as dangerous and block them. Therefore, recently introduced strains of ransomware often go undetected by anti-malware software. To help address this issue, consider enabling “white-listing” software, which only allows pre-authorized applications to run on your computer. In this scenario, unless the ransomware is on a device’s white-list, it cannot execute on that device.

AppLocker and Controlled Folder Access are two forms of white-listing tools, and Microsoft includes both these tools in business-oriented versions of Windows 10. AppLocker is a tool usually administered by IT staffers. With this tool, you can specify all the approved applications authorized to run on a given device. If ransomware gets installed onto the device – by clicking a malicious link, for example – AppLocker should block it from running because the ransomware will not be on the approved software list.

Similarly, Controlled Folder Access blocks unapproved applications from making changes to data files in folders explicitly designated by a user. By doing so, Controlled Folder Access minimizes the risk that ransomware compromises your data. Of course, no method of preventing ransomware is foolproof. However, using one or both of these techniques may reduce your chances of becoming another victim of a ransomware attack.
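One way to put these two controls into practice on a Windows 10 device, as an added PowerShell example that is not from the article or from Microsoft's documentation: the folder and application paths are placeholders, the sample script is constructed for the test step, and both controls start in audit mode so that legitimate software is reviewed before anything is blocked.

```powershell
# Added example: enable Controlled Folder Access and AppLocker in audit mode.
# Run from an elevated PowerShell session. Paths are placeholders.

# --- Controlled Folder Access (Microsoft Defender) ---------------------------
# AuditMode records would-be blocks (Defender event ID 1124) without enforcing;
# switch to Enabled once the log shows only expected activity.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Protect the folders holding the data a ransomware payload would encrypt.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance', 'D:\Shares\Engineering'

# Explicitly trust the line-of-business application that must write there.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleApp\app.exe'

# --- AppLocker ---------------------------------------------------------------
# Build publisher rules (hash rules for unsigned binaries) from software that is
# already installed, so anything dropped elsewhere is not on the approved list.
$files = foreach ($dir in 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script
}
$policyPath = "$env:TEMP\applocker-allowlist.xml"
$files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize `
    -IgnoreMissingFileInformation -Xml | Out-File -Encoding utf8 $policyPath

# New-AppLockerPolicy leaves each rule collection as NotConfigured; set AuditOnly
# so the policy logs decisions without blocking while it is being validated.
$xml = [xml](Get-Content $policyPath)
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$xml.Save($policyPath)

# AppLocker only evaluates rules while the Application Identity service runs.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Test how the policy would treat a trusted binary versus a constructed script
# in a user-writable location (where a phished attachment typically lands).
$sample = "$env:TEMP\unapproved-sample.ps1"
Set-Content -Path $sample -Value "Write-Output 'constructed sample script'"
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path 'C:\Windows\System32\notepad.exe', $sample

# Review what audit mode would have blocked before switching to Enabled.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123, 1124 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message
```

Once the audit events show only expected applications, change `AuditOnly` to `Enabled` in the XML and re-run `Set-AppLockerPolicy`, and set Controlled Folder Access to `Enabled`.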

Prepare for the Eventuality that You May Become a Victim

Despite our best efforts, it is altogether possible that you or your organization may become a victim of ransomware. If you do, the malware will encrypt your data and hold it hostage until such time as you pay the ransom. The best way to recover is by restoring your data from a recent backup. As noted above, this is the strategy Colonial reportedly used to recover its data, even though the company paid the ransom.

Of course, restoring from a backup is only an option if you have a backup strategy that is appropriate and all-encompassing. To that end, ensure that your backups capture all necessary data files. Further, your backups should have an “air gap.” In this context, an air gap is a backup configuration that ensures companies store their backups offline, disconnected from the network. This step is necessary to ensure that the same ransomware that affects the data does not also encrypt the backup media. Without an appropriate air gap, ransomware can compromise both a company’s data and its backups.


Ransomware, unfortunately, remains a real and persistent threat. If you fall victim to ransomware, you have three options: 1) recover your data from a backup, 2) pay the ransom, or 3) lose your data forever. To effectively mitigate ransomware risk, ensure that you do not click on links or attachments in suspicious emails. Further, do not get lulled into a sense of false security that your anti-malware tools will prevent such an attack. Additionally, take advantage of tools such as AppLocker and Controlled Folder Access, both of which can mitigate the risk associated with ransomware. Finally, despite all your best efforts, you should assume you will become yet another victim of ransomware and, given this assumption, ensure that your backup strategy will allow you to recover your data files. It’s your data, and it’s your decision. Choose wisely because the future of your business may hinge on your decision.


Concerned about cybersecurity? Consider one of the cybersecurity learning options available from K2 Enterprises.