What Does Colonial Pipeline’s Ransom Payment Mean for the IT Industry?


In this Q&A session with Toolbox, Natalie Page, Cyber Threat Intelligence Analyst at Talion, explains whether ransom payments to threat actors are becoming a worrying trend, and whether organizations should pay a ransom to restore operations just like Colonial Pipeline did. She offers guidance on what organizations can do to mitigate the threat from ransomware.

Key Highlights

  • Discussing the willingness of critical infrastructure companies to pay a ransom
  • What message does Colonial Pipeline’s ransom payment send to the corporate sector?
  • If Colonial can pay and be upfront about it, why can’t I?
  • How should an organization prepare for the inevitable ransomware attack?

Read the full transcript of our conversation with Natalie Page here:

TOOLBOX: On May 7, US pipeline giant Colonial Pipeline suffered a ransomware attack perpetrated by the DarkSide hacker group. In response, the company had to shut all pipeline operations to mitigate the impact of the attack. A month on, CEO Joe Blount defended the payment of a ransom of $4.4 million to hackers, stating that it was the right decision to make for the country.

Does Colonial Pipeline CEO’s admission reflect a growing trend in the critical infrastructure sector of a willingness to pay vast amounts in ransom to restore operations? Natalie Page, Cyber Threat Intelligence Analyst at Talion, provides the answer.

NATALIE PAGE: I think the Colonial Pipeline admission reflects just how serious the threat of ransomware has become. Week after week, we are witnessing vital services and critical infrastructure being hit by ransomware, services known to be able to afford these 8-figure demands and for which any downtime is not only catastrophic but can be potentially life-threatening. And this means that meeting the ransom demand as quickly as possible is not only within the company’s best interest, but also the public’s.

All of this considered, it is not hard to understand why CEOs in this sector would feel more obliged to pay up, regardless of government advice, but while we are amid a ransomware pandemic, it is hard for us to establish whether this is currently an outright trend. Given the vast amount of these attacks that we are now observing against this sector, it was always probable that we would see an uptick in the number of companies meeting the ransom demand, which makes it hard to pinpoint the exact reasoning for the uptick.

What this action should be is a reflection of an organization being transparent about their attack. For our community to develop and make real progress in this fight against ransomware, it is time for organizations across the globe to begin to be more clear, open, and honest about these attacks.

TOOLBOX: What message does Colonial’s ransom payment send to the corporate sector?

NATALIE PAGE: I hope that the message sent to the corporate sector from this ransom payment being made shall be one which will trigger the sector to get more serious about their own security. Unfortunately, this is a sector known to lack good network security, and this is an overriding factor as to why threat groups specifically like to target this sector. Rather than focusing on the action of paying the ransom, I hope the corporate sector pivots towards the significant threat held by ransomware against their sector and instead hones in on their own network security posture.

TOOLBOX: Will the admission of a ransom payment by Blount lead to a mindset of “If Colonial can pay and be upfront about it, why can’t I”?

NATALIE PAGE: For corporations who have read these headlines and have felt the ‘why can’t I?’, my advice would be to tread carefully. Just last month we saw the statistic emerge that 92% of organizations who paid a ransom did not get all of their data back, and while in the case of Colonial Pipeline their CEO admitted that he paid the demand so quickly in an attempt to prevent as much downtime as possible for the organization and also the country, if valuable data is lost your organisation will struggle to recover from an attack at all, regardless of whether you pay the ransom or not.

TOOLBOX: So how should an organization prepare for the inevitable ransomware attack?

NATALIE PAGE: Prevention is always better than the cure, and organizations above all need to prioritize their own security and have a plan in place of exactly what they would do if they were to be compromised. Rather than ponder about the idea, it’s time to decide now, exactly what your organization would do in the situation. Utilise time now to think wisely, because at the moment your organization is hit, time will not be on your side.

It is essential organizations develop disaster recovery plans, continuity plans and make regular data back-ups, exercising your plan and performing trial runs until this strategy is perfected to ensure the smoothest possible recovery if your organization is ever to be compromised by one of these attacks.
