
Ransomware shuts down pipeline; the hidden insight into their operation

After deciding I was doing too much security incident coverage, I was going to try to do less, since we don't need a parade of the same story over and over again. Then Colonial Pipeline was forced to shut down its pipeline because of a ransomware attack, and a regional emergency declaration was issued for 17 states and DC. Fuel transport rules have been relaxed to compensate. The attack is believed to have been carried out by an Eastern European-based gang. This was reported on Friday and into the weekend.

Then today, CNBC reported on a new statement from the group.   

“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for our motives,” the statement said. “Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

The group has even posted its own code of conduct for its customers, telling them which targets are and are not acceptable to attack. The group is known for operating professionally, offering a help desk and a call-in phone number for victims.

Why do we care?

There are three reasons this incident is different. First, it is major enough to require an emergency declaration, and consumers will understand that. While it is not expected to affect fuel prices, will that matter for perceptions?

Second, the group is invoking moderation and using the same language the IT channel does. The affiliates who actually deploy the ransomware are its "partners." Let that sink in: they have built a multi-tier distribution model (what the industry calls ransomware-as-a-service), just like the IT channel.

Finally, even if you dismiss the code of conduct, we can add a help desk and customer service functions to the list of ways these criminal organizations operate. They are arguably better-run organizations than some IT services companies.