As usual, if something is repeated often enough it just becomes the truth. I saw even posts here referring to the “ransomware attacks”.
While even as they happened it already emerged that a) it was just your usual incompetence in operating IT infrastructure, b) it has nothing to do with Russia, Russia RUSSIA, as ever, and most importantly c) the pipeline was shut down deliberately by the operator! The malware only ruined the accounting system. The stop was a business decision to avoid potentially shipping stuff without billing. (We had a thread on that at the time it was a recent story, with links and everything.)
The narrative succeeded; no one talks about the responsibility of the company. And they can pose as victims of evil enemy hackers and governments. And customers should not ask trivial questions like how hard it is to make backups these days when any rando is offered gigs for just entering an email address. Or how much time recovery should take (and never mind avoiding vulnerable exchange services with critical bugs exposed years ago, with patches and alternatives available…)
At the time I recall a claim that ~$5M worth of BTC was paid as ransom, then they just recovered the systems from their backups anyway due to “decryption going too slow”. Another super fishy story on many levels.
First, you don’t pay ransom, out of principle, period. And I would not expect to get anything from paying anyway. Then, in the miracle case you actually get the decryption keys for your data, it takes almost no time to decrypt. If it’s slow, then they just got some generic brute-force decryptor. Meh.
Even at the time I raised the suspicion that some insiders could not resist the opportunity and offered their own address to pay the “ransom” to. Nice free money.
Now I read this:
https://www.france24.com/en/americas/20210607-us-recovers-most-of-ransom-paid-to-colonial-pipeline-hackers
Read it carefully. The FBI figured out some BTC secret keys involved. That is certainly not possible for keys held by “Russian hackers”. They only wish the blockchain worked that way. Only for domestic POIs. In this case someone in California. Not exactly Putin’s neighbor.
And it’s so appalling that even the article that writes about these things can’t resist turning back to the original narrative it just refuted. Just like Snowball lurking in the shadows and stealing the produce during the night.
3 replies on “The ransomware hoax gets more interesting”
Great post, good explanation.
When this happened, I thought, well, so they’ll restore their daily (or hourly) backup and restart. What’s the big deal?
Then I read that they had shut it down voluntarily “just in case,” or something; that article may have even mentioned the billing issue, I don’t remember.
Then I read that, as Dale points out below, this is the same pipeline where they can’t seem to identify a leak in an environmentally protected area that’s been going on for months.
I was pretty sure at that point that there was more to the story.
THEN the rumors start that the company and/or the federal government paid the ransom.
wait, what???
Remember Whittle’s Law: when something happens with such appalling optics that you can’t believe they did that, it’s because there’s an alternative that’s even worse which they are trying to avoid.
Wasn’t this the same gasoline pipeline that has been leaking millions of gallons into a conservation district for months? Nice way to “recover” and then cover your losses and redirect the negative press to victimhood status.
https://www.wcnc.com/article/news/local/ncdeq-colonial-pipeline-spill-huntersville/275-70e16fb6-c945-4634-b933-3975d0573f2e
Yep, it is the same one…
https://www.npr.org/2021/06/08/1004223000/how-a-new-team-of-feds-hacked-the-hackers-and-got-colonial-pipelines-bitcoin-bac
Wow, what a great piece of investigative journalism, maybe we should get an award…
As a computer person, I’ve said it for years: if someone hacks you, you are doing something wrong, or not doing something right. 1) Change default passwords. You would be surprised how often that occurs. 2) Keep your security patches up to date. Again, happens more than you think. 3) Backup, backup, and backup again, in more than one place. Daily at least. Put on cloud. Put on tape (only internally hackable). Put on a hard drive that has no internet connection. Double copies (or more) of each media in separate means of backup. Have and keep your firewall robust and up to date. Do these, and if you get hacked, your hacker is either really good, and/or is internal.