Marsh on what the DarkSide ransomware attack means for companies

By Spiros Fatouros, Marsh Africa CEO

Johannesburg, 21 Jun 2021
Read time 4min 30sec
Spiros Fatouros, CEO, Marsh Africa
Spiros Fatouros, CEO, Marsh Africa

On 10 May, the US Federal Bureau of Investigation issued a statement confirming the DarkSide ransomware network was responsible for an attack that seized operations of Colonial Pipeline.

Reports indicate DarkSide’s ransomware attack breached Colonial’s IT system on 7 May, causing Colonial to shut down pipeline operations.

The Colonial Pipeline is the largest fuel pipeline in the US, carrying more than 100 million gallons along the East Coast every day and reaching around 50 million Americans. This accounts for 45% of the East Coast's supply, according to Colonial Pipeline.

What is the impact?

Marsh Africa CEO Spiros Fatouros says: “The DarkSide attack demonstrates how impactful malicious cyber attacks can be. This attack also shines a spotlight on the rise in what is known as ransomware franchises, which provide hackers with sophisticated tools that can be used to conduct cyber attacks. By providing threat actors with hacking tools, ransomware-as-a-service has created a lower barrier to entry for attackers, leading to a rise in attacks.”

In the energy sector, owners and operators protect critical infrastructure from a relentless stream of sophisticated threats. A hacker targeting a company in the energy supply chain can expose pressure points that will give rise to massive ripple effects when disrupted, even if this was not the attacker’s intention. Had ransomware successfully breached industrial control systems, the outcome could have been far more devastating and potentially resulted in physical outcomes.

More striking, however, is that when separated from its potential massive impact, the DarkSide pipeline attack was a relatively routine occurrence in today’s business environment. A well-known threat actor, DarkSide provided ransomware-as-a-service to an affiliated network of attackers. And they are not alone.

Marsh says ransomware remains a scourge across all industries, including the energy sector, and will persist so long as:

  1. Networks remain vulnerable from either flaws in code or human error.
  2. Criminal organisations remain safe-harboured in jurisdictions that promote their efforts.
  3. Crypto-currency allows for anonymous payment of the threat actors’ demands.

What can companies do?

While organisations cannot eliminate ransomware as a risk, they can — and should — take steps proactively to prepare for an attack. Consider in advance how you would manage a ransomware attack: before, during and after.

Below you will find a high-level set of recommendations to help you do so:

  • Bring together key stakeholders – risk management; information security, including both the operational and information technology teams; treasury/finance; and legal, among others — to ensure there is alignment in how you would manage an attack.
  • Evaluate existing controls and address identified network and security vulnerabilities. The most common ransomware attack vectors in the first quarter of 2021 included remote desktop protocol (RDP) compromise and e-mail phishing. (DarkSide actors, for instance, have been gaining access through phishing, public-facing applications and external remote services.) As such, implementing appropriate controls can help to thwart an attack — or at least identify one before threat actors can move laterally within your network. For example, early identification can allow you to take operational technology offline once corporate networks are known to have been compromised, but before any industrial control systems are compromised.
  • Assess and test your cyber incident response plan, ensuring it accounts for a ransomware attack. You may want to develop a ransomware “playbook” of activities focused on response to such a threat. If your organisation does not have an incident response plan, or does not spell out ransomware procedures specifically, create one. The plan should be re-evaluated following an incident with real-life lessons learned.
  • Measure your organisation’s cyber risk exposure in financial terms. This will help you prioritise the cyber risks presenting the greatest exposure to your balance sheet, and allow you to determine if such risks fall outside of your appetite and/or tolerance for risk. This also enables you to evaluate the return on investment (ROI) of cyber security products – as well as how much risk to retain versus transfer.
  • Evaluate your entire insurance portfolio, including your cyber insurance coverage, to assess whether the various programmes are aligned. Verify that coverage includes various material costs incurred as a result of a ransomware attack, including an attack that leads to physical damage and/or bodily injury.

What does this mean moving forward?

You cannot completely eliminate the risk of ransomware attacks, but you can — and should — plan for them. Preparation is essential, and its importance cannot be overstated. Having a well thought-out plan will enable your organisation to reduce the impact of an attack through appropriate cyber security controls and potentially transfer residual risk via cyber insurance. Effective preparation can help you build a cyber-resilient organisation that is well-prepared to manage cyber attacks.

Marsh participated in the ITWeb Security Summit on 2 June on the topic of cyber risk quantification – from risk management to risk transfer.

See also