DHS Says Ransomware Hit US Gas Pipeline Operator (Feb 18, 2020)
The United States Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory about a ransomware attack targeting a US-based natural gas compression facility. Using a spearphishing link, an unnamed threat actor gained access to the facility's IT network and used that access to reach its operational technology (OT) network and deploy ransomware. The ransomware encrypted data on both the IT and OT networks. As a result, the gas operator shut down operations as a precautionary measure. The ransomware used in the attack was not named, and the actor had no control over physical operations.
Recommendation: It is crucial for organizations to have cyber security protocols in place to help prevent an attack. Ransomware can potentially be blocked by using endpoint protection solutions (HIDS). Always keep your important files backed up following the 3-2-1 rule: have at least 3 different copies, on 2 different mediums, with 1 off-site. In the case of a ransomware infection, the affected system must be wiped and reformatted, and other devices on the network should be checked for similar infections. Always check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies, which are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.