Ransomware cyberattack unintentionally disrupts United States gasoline supply

A ransomware attack disrupted the gasoline supply for a large part of the United States. And the hackers weren’t even trying to do it

Lesson summary

Hi everyone, it’s Jeff—a nice cheery subject for this Thursday morning, I know—I’m Jeff in Chicago. JR is here, he’s the producer. And the full lesson is available on our web site at PlainEnglish.com/369.

Coming up today: In case you were looking for something else to worry about here in 2021, I’ve got one for you: Ransomware. This is when hackers take control of a company’s computer systems and demand payment before they give the data back. And a ransomware attack shut down a major gas pipeline in the eastern United States. The worst part of it is, the real damage was an accident.

We’ll review a phrasal verb today. That would be “lock out.” And JR’s taking it easy this week. I picked the song of the week for you. That’s all coming up—but first, let’s learn about ransomware boys and girls!

No good options for companies facing ransomware attacks

Ransomware comes from the word “ransom.” When a criminal kidnaps someone—a child or an adult—they demand payment from the person’s family. That payment is called “ransom.” So this kind of hacking is based on the same concept. A criminal group of hackers will gain access to a company’s computer systems or its data. They will then lock out the employees of the company, so the company can’t access their own data or systems. The hackers demand payment before they release control of the systems. The payment is usually in a cryptocurrency.

Ransomware attacks are a big deal. It’s impossible to know the full extent of ransomware attacks, since the victims don’t always reveal that they’ve been attacked. And companies are reluctant to say whether they’ve paid ransom to hackers because it’s embarrassing. But one estimate says that a company is a victim of a ransomware attack every 11 seconds.

And it’s not just big companies, either. In fact , the biggest companies with the most valuable data—think banks, insurance companies, health care companies—they have advanced cybersecurity programs to guard against these types of attacks. Ransomware attacks are most successful against medium-sized organizations that don’t have the budgets for robust cybersecurity programs, but nevertheless have enough money to pay the ransom.

Manufacturing companies, government agencies, and educational institutions are big targets. A well-publicized attack against the school district in Las Vegas threatened to disclose all student grades and sensitive information about employees. School officials declined to pay the ransom—and the personal information was leaked.

Organizations hit by such attacks are faced with a difficult choice. Most of the time, the data and systems can be recovered, even if it costs a lot of money to do so. The threat is that sensitive data is leaked, which could cause embarrassment, liability, or reveal secret commercial information to competitors and the world. And paying the ransom is the fastest way to recover critical systems. A company could lose a lot of money every day its systems are down.

But if companies regularly pay ransom, then they will only embolden the hackers and make the problem worse for everyone else.

That brings us to the Colonial Pipeline attack. Colonial Pipeline operates a pipeline that carries diesel fuel, gasoline, and jet fuel across eleven states. It supplies just under half the gasoline for drivers on America’s densely-populated east coast.

Colonial Pipeline was the victim of a ransomware attack, not on the computers that operate the pipeline, but on the computer systems that run their company. But without the management system online, the company proactively shut down the pipeline while they resolved the ransomware attack. As a result, large parts of the southeastern United States faced gasoline shortages, as fearful consumers rushed to fill up their tanks and hoard gas for themselves.

The hackers wanted to target a medium-sized company that few people had heard of. They just wanted their money. What they did, by mistake, was shut down a critical part of the United States’ energy infrastructure. Multiple national agencies of the US government sprang into action : the Department of Energy, the Department of Transportation, the Department of Homeland Security, and the Department of Defense all started planning how to respond to the shutdown and the attack.

The president was briefed. State governors took action to increase the gasoline supply. Taxes and regulations were loosened. Lines, hundreds of cars long, formed outside the gas stations that had not yet run dry. Flights had to be re-routed so they could refuel in areas not served by the pipeline. The attack turned into one of the most disruptive cyber-attacks in history.

Oops. The hackers tried to be smart—if that’s the right word—about their work. Acting like a corporation in a scandal, the hackers, an organization called DarkSide based in Russia, issued an apology, saying they never meant to target infrastructure and clarifying that their objectives were simply to make money. They were “apolitical,” they said, and didn’t care about geopolitics. The last thing they wanted was the attention of the US president—but that’s just what they got. Later, the DarkSide promised to disband.

It’s little comfort to companies facing cyberattacks. Colonial Pipeline is said to have paid $5 million to the hackers, according to anonymous reports. And hacking organizations are highly distributed. The organization known as DarkSide might be shutting down, but all the people involved will probably just re-organize in a different way and continue their lucrative work.

Quick stats

Couple quick stats on ransomware. The average amount paid for a ransomware attack by a small business? $5,900. That means nobody’s safe. That means that hackers are going after very small businesses and charging an amount that hurts, sure, but that most small businesses could come up with. The biggest ransom payment was €10 million by a French construction company. The average demand, $178,000. About a quarter of companies subjected to this type of attack pay the money. If you want to become a ransomware hacker, there are starter kits available on the internet, on the dark web. The starter kits give you most of the code you need to launch a ransomware attack. For just a single convenient payment of $50, anyone can start a ransomware hacking enterprise. Scary stuff.