Many in mainstream media have characterized the DarkSide attack on Colonial Pipeline, which operates a significant portion of the nation's critical energy infrastructure, as a wake-up call for CIOs and CISOs. If that is the case, then they are hard of hearing, as this klaxon has been sounding for many years while company after company fends off ransomware attacks.

A senior administration official, speaking on background, commented how "these incidents are a reminder that our adversaries will use multiple methods of attack, whether hunting for coding errors or compromising our supply chains to create opportunity." The official continued that incidents such as the SolarWinds, Microsoft Exchange and Colonial Pipeline attacks share commonalities. The first is "a laissez-faire attitude toward cybersecurity." The second is "poor software security and current market development of 'build, sell, and maybe patch later.'"

The fallout from the attack is winding down, with the company restarting operations the evening of May 12. Prior to the restart, the White House and the Cybersecurity and Infrastructure Security Agency (CISA) both issued updates and guidance for use by enterprises and small/medium businesses.

According to Bloomberg, $5 million in cryptocurrency was paid to the cybercriminal entity within hours of the attack, yet it still took Colonial days to bring its systems back online. Colonial, in its most recent public statement, makes no reference to having paid the ransom, focusing instead on assuring the markets that product was flowing and would be back to normal by end of day Thursday, May 13.

The morning of May 14, DarkSide allegedly began to experience "issues" that caused it to shutter its ransomware-as-a-service operations.
It is reported that it lost access to the public portion of its infrastructure, followed by loss of access to its cryptocurrency wallets and payment server. It is further reported that other purveyors of ransomware-as-a-service have taken their offerings off Russian cybercrime forums. Before CISOs breathe a sigh of relief that ransomware cybercriminals may have met their match, Intel 471 cautioned, "A number of the operators will most likely operate in their own closed-knit groups, resurfacing under new names and updated ransomware variants."

President Biden noted that there was no evidence that DarkSide was operating at the behest of the Russian government. That said, the fact that Russia allows such groups to act with impunity should be enough for all to realize that these actions advance the Russian agenda of fomenting chaos. There is a reason these criminal groups aren't attacking Russian companies or government entities: to do so would remove the top cover they currently enjoy. Even when indicted and global warrants issued, the individuals are untouchable by western law enforcement while they remain within the Russian Federation.

Update: The Department of Justice's Ransomware and Digital Extortion Task Force, created to combat the growing number of ransomware and digital extortion attacks, successfully recovered 63.7 of the 75 bitcoins paid by Colonial Pipeline to DarkSide. The warrant for seizure was issued on June 7 and the acquisition of the bitcoins followed. The DOJ advises that it had the private key used by the cybercriminals to access the bitcoins, which made the seizure possible. Deputy Attorney General Lisa O. Monaco highlighted how the DOJ would continue to target the entire ransomware ecosystem and noted the importance of "early notification to law enforcement" when an entity falls victim to a ransomware attack.

Colonial was reportedly unprepared for an attack

Colonial is alleged to have had a weak IT infrastructure, according to the AP. The AP reporter interviewed Robert F. Smallwood of iMerge Consulting, who conducted a comprehensive operational audit in 2018. Smallwood characterized Colonial's network security as severely deficient: "... an eighth-grader could have hacked into that system," he told the AP.

Fast forward three years and we see that while Colonial may not have a CISO, it does have a CIO, Mary Mouchet, who has been in the seat since 2016, and a senior director of technology solutions, Susan Adams, who was hired in late 2019. Smallwood claims the confidential report he provided to Colonial included recommendations, some of which he believed they had taken on board and implemented.

US government response to DarkSide attack

The White House briefed the media last week on the physical aspects of the disruption of fuel delivery and stores in the southeastern United States. On the technical side of the house, the FBI and CISA issued an alert (see below). The Department of Energy, in conjunction with the FBI and CISA, is working to ensure the Industrial Control Systems Cybersecurity initiative is available and in the hands of other operators of critical infrastructure so they too do not fall victim.

The evening of May 12 saw the President issue an Executive Order on Improving the Nation's Cybersecurity. Much of the EO's content was clearly drafted before the Colonial compromise, given the depth of actions required and recommended.
The primary areas of focus within the EO that information security teams should absorb are:

- Remove barriers to threat information sharing between government and the private sector.
- Modernize and implement stronger cybersecurity standards in the federal government.
- Improve software supply chain security.
- Establish a cybersecurity safety review board.
- Create a standard playbook for responding to cyber incidents.
- Improve detection of cybersecurity incidents on federal government networks.
- Improve investigative and remediation capabilities.

Then on May 14 the takedown of DarkSide's infrastructure occurred. This allegedly included their service provider cooperating with an unidentified law enforcement entity. Whether this was the long arm of US justice reaching out remains to be seen. What one can be certain of is that the US intelligence community was tasked with dissecting DarkSide's (and others') infrastructure and identifying the individuals behind the group. Furthermore, once they are identified one may expect the Department of Justice to pursue indictments and EO 14024 to be used to sanction the individuals and those who supported them.

CISA alert AA21-131A

CISA's robust advisory AA21-131A provides CISOs a plethora of resources and advice on how to prepare for and successfully weather a ransomware attack without paying the ransom to the cybercriminals. CISA notes that there is no indication that DarkSide penetrated or corrupted the operational technology (OT) networks, which include the SCADA systems that control the pipeline; the compromise is limited to the information technology network.
Both CISA and the FBI recommend against paying a ransom, as doing so emboldens the criminals to target additional organizations.

CISA and the FBI recommend that critical infrastructure owners take the following actions if they are victim of a ransomware attack:

- Isolate the infected system.
- Turn off other computers and devices.
- Secure your backups.
- Refer to AA20-245A, the CISA advisory on "Technical Approaches to Uncovering and Remediating Malicious Activity."

CISA and the FBI recommend all owners of critical infrastructure immediately implement the following:

- Implement robust network segmentation between IT and OT (operational technology) networks.
- Organize OT assets into logical zones.
- Identify OT and IT network interdependencies and develop workarounds and manual controls.
- Regularly test manual controls.
- Implement regular data backups.
- Ensure backups are tested regularly.
- Store your backups separately.
- Maintain regularly updated "gold images" of critical systems in the event of a need to rebuild.
- Retain backup hardware.
- Store source code or executables, in case a system image will not install on replacement hardware.
- Ensure user and process accounts are limited.

CISA's recommended steps to prevent a successful ransomware attack include:

- Require multi-factor authentication.
- Create strong spam filters to prevent phishing emails.
- Implement training programs to emulate spear phishing.
- Filter network traffic, blocking known malicious IP addresses.
- Limit access to resources over networks.
- Regularly execute antivirus/antimalware scans.
- Prevent unauthorized execution by:
  - Disabling macro scripts within Microsoft Office files
  - Implementing application allowlisting to only allow systems to execute programs known and permitted by security policy
  - Monitoring or blocking inbound connections from TOR exit nodes or other anonymization services
  - Deploying signatures to detect or block Cobalt Strike servers and other exploitation tools

As the White House administration official noted, to continue the status quo of rushing from one incident to the next is unacceptable.
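Two of the items above, filtering traffic against known malicious addresses and monitoring inbound connections from TOR exit nodes or other anonymization services, are concrete enough to show as detection logic. The following Python is an added example written for this article, not code from CISA, the FBI or Colonial Pipeline: it parses a constructed firewall log format, matches each inbound source address against a constructed block list of hosts and CIDR ranges (the addresses are documentation ranges, not real threat data), and separates the connections the firewall actually allowed, which need a rule change, from those it already denied. A real deployment would load a vetted feed, such as the Tor Project's published exit-node list, in place of the literal block list.

```python
"""Flag inbound connections whose source matches a block list of
known-malicious addresses or anonymization-service exit nodes.

Added example, not code from CISA, the FBI or Colonial Pipeline. The log
format, the block-list entries and the sample log lines are all constructed
for illustration; a real deployment would load a vetted feed rather than
the literals below.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed block list: single hosts and CIDR ranges, in the two categories
# CISA's advice names. These are documentation ranges, not real threat data.
BLOCKLIST = {
    "known-malicious": ["203.0.113.7", "198.51.100.0/26"],
    "anonymization-exit": ["192.0.2.44", "192.0.2.128/25"],
}

# Constructed firewall log line format (syslog-like, one connection per line):
#   <ISO timestamp> inbound src=<ip>:<port> dst=<ip>:<port> proto=<tcp|udp> action=<allow|deny>
# IPv4 only, because "ip:port" is ambiguous for IPv6 literals.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) inbound src=(?P<src>[^\s:]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[^\s:]+):(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


@dataclass(frozen=True)
class Hit:
    timestamp: str
    src: str
    dst: str
    dport: int
    category: str   # which block-list bucket matched
    matched: str    # the list entry (host or CIDR) that matched
    action: str     # what the firewall actually did; "allow" means it got through


def _compile(blocklist):
    """Turn the string entries into ip_network objects once, per category."""
    compiled = {}
    for category, entries in blocklist.items():
        # strict=False lets a bare host such as 192.0.2.44 become a /32 network
        compiled[category] = [ipaddress.ip_network(e, strict=False) for e in entries]
    return compiled


def classify(src: str, compiled) -> Optional[tuple]:
    """Return (category, matched_entry) for the first block-list match, else None."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return None            # malformed address: treated as no match, not an error
    for category, networks in compiled.items():
        for net in networks:
            if addr.version == net.version and addr in net:
                return category, str(net)
    return None


def scan(lines: Iterable[str], blocklist=BLOCKLIST) -> List[Hit]:
    """Parse each log line and emit a Hit for every inbound connection from a listed source."""
    compiled = _compile(blocklist)
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue            # not a connection record in the constructed format
        verdict = classify(m["src"], compiled)
        if verdict is None:
            continue
        category, matched = verdict
        hits.append(Hit(m["ts"], m["src"], m["dst"], int(m["dport"]), category, matched, m["action"]))
    return hits


def allowed_hits(hits: Iterable[Hit]) -> List[Hit]:
    """The subset the firewall let through: these need a rule change, not just an alert."""
    return [h for h in hits if h.action == "allow"]


# Constructed sample log: two listed sources got through, one was denied,
# one is clean, and one record carries a malformed source field.
SAMPLE_LOG = [
    "2021-05-07T03:12:09Z inbound src=203.0.113.7:51234 dst=10.0.0.5:3389 proto=tcp action=allow",
    "2021-05-07T03:12:11Z inbound src=198.51.100.33:44012 dst=10.0.0.5:443 proto=tcp action=deny",
    "2021-05-07T03:13:02Z inbound src=192.0.2.200:60001 dst=10.0.0.9:22 proto=tcp action=allow",
    "2021-05-07T03:13:40Z inbound src=8.8.8.8:53 dst=10.0.0.9:53 proto=udp action=allow",
    "2021-05-07T03:14:00Z inbound src=not-an-ip:1 dst=10.0.0.9:80 proto=tcp action=allow",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.timestamp} {h.category:<18} src={h.src} -> {h.dst}:{h.dport} "
              f"matched={h.matched} firewall={h.action}")
```

The source address is classified with the standard library's ipaddress module so that host entries and CIDR entries are handled the same way. The parser skips lines that do not match the constructed format, and a source field that is not a valid address is deliberately treated as no match rather than raised, so that one malformed record cannot halt a scan over a large log; the allowed subset is the actionable output, since a listed source that was already denied only confirms the existing rule is working.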
CIOs and CISOs will be well served to embrace the mandates found within the executive order, while taking on board the CISA recommendations on being prepared to repel a ransomware attack.

Editor's note: This article, originally published on May 17, 2021, has been updated to include news of the US government's seizure of some of the ransom payment.