The Colonial Pipeline Hack: How Does A Ransomware Attack Work?

You’ve seen the headlines.  You may even have panicked and topped off your gas tank this past week (yeah, I saw the lines at Sam’s Club – you freaks) – but what really happened at the Colonial Pipeline Company that caused gasoline to stop flowing in its massive pipeline which traverses the East Coast of the United States (and provides gasoline and other fuel to the entire southeastern corridor)?

Let’s start with some definitions here.  First, it’s important to understand exactly what a ransomware attack is.  This is when a nefarious actor (could be an individual, group, or government) gains illegal access into a person’s or company’s IT system, “locks” important files (by encrypting them), and then offers the key to “unlock” those files for a ransom payment.  These payments are usually asked for in Bitcoin (or some other cryptocurrency) so they can avoid tracking and detection.  Once the ransom is paid, the hackers will generally unlock the hijacked files (often within minutes), but there is no guarantee that they won’t hijack them again at a later date.

Hackers – both foreign and domestic – are always looking for ways to break into computer systems and steal or ransom data (image credit – bloomberg.com)

The FBI, Homeland Security, and other cyber-agencies often recommend that clients DO NOT pay the ransom demands (their take is that this behavior “rewards” the criminal activity), but making this decision often results in millions of dollars spent to replace hardware and software and to get “clean” data back into a victim’s systems so that their IT processes can successfully restart again (not to mention the time it takes to do all of this work – which could be weeks or even months).  Therefore, it’s very tempting to pay, say, a $50,000 ransom rather than spend $4,000,000 to rebuild/replace an entire IT infrastructure.  The hackers know this (which is why they do it).  For example, the City of Baltimore decided not to pay their ransom ($80,000 in cryptocurrency) when they were hit in 2019, and it cost them over $18,000,000 to recover (and they are still addressing some systems two years later)[1].

Well, how do hackers gain access into a person’s or company’s systems?  Unfortunately, that’s easier than you might realize.  Businesses spend millions of dollars each year on securing and tightening their IT security, but in most cases, there are still old or outdated systems in a company’s network that aren’t on the latest patches or version.  Think of your own home PC, laptop, or workstation.  Do you keep up with all of the latest patches and downloads?  Odds are – the answer is “no”, and that’s just the sort of advantage a hacker needs.  They can exploit vulnerabilities in a system and drop in malware (malicious software) that collects or even transmits information from your system to theirs.  They can even send you an email that looks legitimate, but if you click on the link provided, you’ve basically given them permission to download malicious software into your system (this is called “phishing”).  This software can sit on a system for months or even years before a hacker decides to utilize it, but once they do, they can gain access to information on the target system and in some cases, even take over the system and run it remotely.

Now, let’s look at the United States in general.  Government systems are notorious for being old, running on backdated technology, and not keeping up with patches and security fixes, which is why they are an easy target for hackers.  Unfortunately, these systems also control some of the nation’s most critical infrastructure (like power grids, pipelines, traffic control systems, and other services).

In the case of Colonial Pipeline, it appears hackers got access to sensitive business data within their system and ransomed it, and in an effort to “stop the spread” of the digital intrusion, Colonial was forced to take the pipeline control systems offline as well (while they investigated the depth and breadth of the cyber-attack)[2].  There was nothing physically wrong with the pipeline itself, but until Colonial could verify that they had the hack under control, they could not risk “turning on” their pipeline control system again (until they knew it was not affected).  Even then (as it turns out), Colonial ended up paying the hackers’ ransom (75 bitcoins – roughly $5,000,000) to unlock their systems[3].

When the media reported this hack, most people in the southeast corridor interpreted this as “oh my God, no gas!” and made a run on their local gas stations to top off their tanks – or in many ridiculous examples – fill up plastic bags or other containers and “hoard” fuel.  This caused local gasoline shortages and outages, spiked prices, and created panic buying which exacerbated the problem.  Add in the fact that fuel trucking companies are experiencing a shortage of drivers (due to the pandemic and other labor factors), and it will be a few weeks before things get back to normal, supply-wise.

Crazy images like these were showing up all over the southeast last week. Yes, that’s gasoline – being hoarded in plastic bags in a car’s trunk. The level of danger and stupidity exhibited by individuals in these situations is sometimes mind-boggling (image credit – carscoops.com)

The hackers taking responsibility for this latest event (a group called “Darkside”) even commented that causing a fuel shortage was not their intention (they just wanted the money from the data ransom), but it goes to show how a cyber-attack can lead to unintended negative consequences outside of the IT world.

So what does this mean for you, dear reader?  Well for one thing, I would strongly encourage you to take inventory of your own workstation, laptop, or mobile device and ensure that you have all of the required security patches and software updates downloaded into your home system.  Run a malware check on your workstation or laptop (if you don’t have one – get one – there are plenty on the internet – like Malwarebytes – which has a free version).

Second, you should always back up your data to an outside source (not connected to your system).  A “beefy” thumb drive (one with plenty of room for your data and photos) can easily be picked up for just a few dollars (there are also online services that can back up your data on a regular schedule), and executing scheduled backups will cause you to sleep easier at night and not to immediately break into a flop sweat should something happen to your system (even outside of a security breach).

Lastly – always be aware of your emails or other communications.  Think twice before mindlessly clicking on that link or responding to that online survey.  Hackers can make an email look like anything (an Amazon receipt, a communication from your bank, the IRS, your best friend, etc.).  ALWAYS be wary of any message with an embedded link or emails that ask for personal information.  If in doubt, call the source and ask if they sent you something.

Hackers are always out there – take some simple steps on your end to make sure you don’t become the victim of a ransomware attack!


[1] “Baltimore, $18 Million Later: ‘This Is Why We Didn’t Pay the Ransom’”, secureworldexpo.com, June 12, 2019, accessed 5/13/21, https://www.secureworldexpo.com/industry-news/baltimore-ransomware-attack-2019

[2] “Colonial Pipeline Shutdown: Is There a Gas Shortage and When Will the Pipeline be Fixed?”, Wall Street Journal Online, 5/12/21, accessed 5/13/21, https://www.wsj.com/articles/colonial-pipeline-cyberattack-hack-11620668583

[3] “Colonial Pipeline Paid a $5M Ransom – And Kept a Vicious Cycle Turning”, Wired.com, 5/14/21, accessed 5/16/21, https://www.wired.com/story/colonial-pipeline-ransomware-payment/
