The Colonial Pipeline ransomware attack took down the largest fuel pipeline in the United States and resulted in consumer hoarding of fuel and a short-term shortage of gasoline on the east coast of the U.S.. While pipeline systems were not directly infected with ransomware, the pipeline was shut down as a precaution during the investigation and ransom negotiation.

What happened?

1. A cybercrime group named, DarkSide, has taken responsibility for the ransomware attack according to Vice.

2. The cybercriminals discovered a username and password associated with a VPN that the Colonial Pipeline used to allow an employee to gain remote access to the Colonial Pipeline network, reports Bloomberg. This account was not using multi-factor authentication to prevent unauthorized access if the password is guessed or cracked.

3. Once the cybercriminals gained access to the Colonial Pipeline network, they installed ransomware on devices that encrypted data and demanded a ransom.

4. When the ransomware was discovered, the Colonial Pipeline shut down their computing systems, including those that ran the pipeline itself.

5. A ransom of nearly $5 million in bitcoin was paid to the criminals but the decryption tool that Colonial Pipeline received in exchange for the ransom was too slow so Colonial Pipeline also had to restore data from backup, reports Mashable.

How could this have been prevented?

Basic cybersecurity hygiene would have prevented this attack from being successful and the good news is that all three of these tips are free or very inexpensive to execute.

1. Use a password manager: The VPN user account owner probably re-used a password so they likely didn’t use a password manager which would give them the ability to use long, complex and unique passwords.

2. Enable multi-factor authentication (MFA) everywhere possible and especially where users gain access to sensitive information from the public Internet. MFA was not enabled on the VPN account which would have prevented successful access to the network, even with a compromised password.

3. Disable unused accounts. The VPN account was supposedly no longer being used but was not disabled.

In addition to these three steps, keeping regular, verified, offline backups is important in both preventing the need to pay a ransom, and in this case, recovering from the attack in a more timely manner. Also consider cyber insurance that will assist in the recovery of a ransomware attack and the possible ransom negotiation.