
What the DarkSide Ransomware Attack Means for Companies

 


What happened?

On May 10, the US Federal Bureau of Investigation issued a statement confirming that the DarkSide ransomware network was responsible for an attack that seized operations of Colonial Pipeline. Reports indicate that DarkSide’s ransomware attack breached Colonial’s IT system on May 7, causing Colonial to shut down pipeline operations.

The Colonial Pipeline is the largest fuel pipeline in the US, carrying more than 100 million gallons along the East Coast every day and reaching around 50 million Americans. This accounts for 45% of the East Coast's supply, according to Colonial Pipeline.

What is the impact?

The DarkSide attack demonstrates how impactful malicious cyber-attacks can be. This attack also shines a spotlight on the rise in what is known as ransomware franchises, which provide hackers with sophisticated tools that can be used to conduct cyber-attacks. By providing threat actors with hacking tools, ransomware-as-a-service has created a lower barrier to entry for attackers, leading to a rise in attacks.

In the energy sector, owners and operators protect critical infrastructure from a relentless stream of sophisticated threats. A hacker targeting a company in the energy supply chain can expose pressure points that will give rise to massive ripple effects when disrupted, even if this was not the attacker’s intention. Had ransomware successfully breached industrial control systems, the outcome could have been far more devastating and could potentially have resulted in physical consequences.

More striking, however, is that when separated from its potential massive impact, the DarkSide pipeline attack was a relatively routine occurrence in today’s business environment. A well-known threat actor, DarkSide provided ransomware-as-a-service to an affiliated network of attackers. And they are not alone.

Ransomware remains a scourge across all industries, including the energy sector, and will persist so long as:

  1. Networks remain vulnerable, whether through flaws in code or human error.
  2. Criminal organisations remain safe-harbored in jurisdictions that promote their efforts.
  3. Cryptocurrency allows for anonymous payment of the threat actors’ demands.

What can companies do?

While organisations cannot eliminate ransomware as a risk, they can — and should — take steps proactively to prepare for an attack. Consider in advance how you would manage a ransomware attack: before, during, and after.

Below you will find a high-level set of recommendations to help you do so:

  • Bring together key stakeholders – risk management; information security, including both the operational and information technology teams; treasury/finance; and legal, among others – to ensure there is alignment in how you would manage an attack.
  • Evaluate existing controls and address identified network and security vulnerabilities. The most common ransomware attack vectors in the first quarter of 2021 included remote desktop protocol (RDP) compromise and email phishing. (DarkSide actors, for instance, have been gaining access through phishing, public-facing applications, and external remote services.) As such, implementing appropriate controls can help to thwart an attack — or at least identify one before threat actors can move laterally within your network. For example, early identification can allow you to take operational technology offline once corporate networks are known to have been compromised, but before any industrial control systems are compromised.
  • Assess and test your cyber incident response plan, ensuring that it accounts for a ransomware attack. You may want to develop a ransomware “playbook” of activities focused on response to such a threat. If your organisation does not have an incident response plan, or does not spell out ransomware procedures specifically, create one. The plan should be re-evaluated following an incident with real-life lessons learned.
  • Measure your organisation’s cyber risk exposure in financial terms. This will help you prioritise the cyber risks presenting the greatest exposure to your balance sheet, and allow you to determine if such risks fall outside of your appetite and/or tolerance for risk. This also enables you to evaluate the return on investment (ROI) of cybersecurity products – as well as how much risk to retain versus transfer.
  • Evaluate your entire insurance portfolio, including your cyber insurance coverage, to assess whether the various programs are aligned. Verify that coverage includes various material costs incurred as a result of a ransomware attack, including an attack that leads to physical damage and/or bodily injury.

You can find step-by-step guidance on preparing for a ransomware attack here.

What does this mean moving forward?

You cannot completely eliminate the risk of ransomware attacks, but you can — and should — plan for them. Preparation is essential, and its importance cannot be overstated. Having a well thought-out plan will enable your organisation to reduce the impact of an attack through appropriate cybersecurity controls and potentially transfer residual risk via cyber insurance. Effective preparation can help you build a cyber-resilient organisation that is well prepared to manage cyber-attacks.

How can the industry respond?

Companies can start by implementing basic cybersecurity measures. The Australian Signals Directorate (ASD), in conjunction with the Australian Cyber Security Centre (ACSC), has recommended eight mitigation strategies as a minimum foundation, known as the Essential Eight, to help address cybersecurity concerns, reduce the impact of cyber-attacks, and improve security controls. Companies should also have a documented and rehearsed incident response plan in case of a breach. These are only a few of the strategies companies can implement to help minimise their cyber risk. Please speak to Marsh’s Cyber team to understand more.

The information contained in this alert is based on sources we believe reliable, but we do not guarantee its accuracy. This information provides only a general overview of subjects covered, is not intended to be taken as advice regarding any individual situation and should not be relied upon as such.
Copyright 2021 Marsh Pty Ltd (ABN 86 004 651 512). All rights reserved.
