
Colonial Pipeline: The Control Failures Ransomware Exploits

Joseph Blount

The Colonial Pipeline ransomware incident became a real-world disruption because a basic access control failed: remote access without multi-factor authentication (MFA) on a legacy VPN account.

The durable lesson is not about one company or one gang. It is about how ransomware operators convert credential access into operational leverage.

Stabilize access first

  • Find and disable legacy remote access paths you no longer need, especially old VPNs and admin portals.
  • Require two-factor authentication (2FA) for all remote access and privileged accounts.
  • Force password resets for remote access accounts and remove shared or reused credentials.
  • Review logs for suspicious remote logins, then add alerting for unusual geolocation, new devices, and impossible travel.
  • Confirm you can restore from clean backups and that backups are not reachable from the same admin credentials as production.

Rule of thumb: If a system can reach your network from the internet and it does not enforce MFA, treat it as already compromised and fix it first.
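The log review in the checklist above (suspicious remote logins, unusual geolocation, new devices, impossible travel) can be run as a small script over VPN authentication logs. The following is an added example, not code from the article or from Colonial Pipeline; the log line format, the per-user baseline of known countries and devices, and the 900 km/h speed threshold are all assumptions, and the log lines are constructed.

```python
"""Flag the three remote-login signals named in the checklist:
unusual geolocation, new device, and impossible travel.
Added example; log format, baseline and threshold are assumptions."""
from datetime import datetime, timezone
from math import radians, sin, cos, asin, sqrt

# Constructed sample VPN log lines (assumed format):
# timestamp user src_ip country device latitude longitude
SAMPLE_LOG = """\
2021-04-29T08:00:00Z alice 203.0.113.10 US laptop-a1 40.71 -74.01
2021-04-29T08:45:00Z alice 198.51.100.7 DE desktop-9 52.52 13.40
2021-04-29T09:00:00Z bob 203.0.113.20 US laptop-b7 34.05 -118.24
2021-04-29T13:00:00Z bob 203.0.113.21 US laptop-b7 37.77 -122.42
2021-04-29T14:00:00Z bob 192.0.2.5 US phone-b2 37.77 -122.42
"""

# Assumed per-user baseline: countries and devices seen over a trusted window.
BASELINE = {
    "alice": {"countries": {"US"}, "devices": {"laptop-a1"}},
    "bob": {"countries": {"US"}, "devices": {"laptop-b7"}},
}

# Assumed threshold: faster than any commercial flight means the same
# credential was used from two places at once.
MAX_SPEED_KMH = 900.0


def parse_log(text):
    """Parse the constructed log format into event dicts with UTC timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, device, lat, lon = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user, "ip": ip, "country": country, "device": device,
            "lat": float(lat), "lon": float(lon),
        })
    return events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def detect(events, baseline, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, signal, detail) tuples for every login that trips a rule."""
    alerts = []
    last_seen = {}  # user -> most recent event, for the travel check
    for ev in sorted(events, key=lambda e: e["ts"]):
        known = baseline.get(ev["user"], {"countries": set(), "devices": set()})
        if ev["country"] not in known["countries"]:
            alerts.append((ev["user"], "unusual_geolocation",
                           f"login from {ev['country']} via {ev['ip']}"))
        if ev["device"] not in known["devices"]:
            alerts.append((ev["user"], "new_device", f"unseen device {ev['device']}"))
        prev = last_seen.get(ev["user"])
        if prev is not None:
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600.0
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            # Zero elapsed time with a non-zero distance is also impossible.
            if km > 0 and (hours <= 0 or km / hours > max_speed_kmh):
                alerts.append((ev["user"], "impossible_travel",
                               f"{km:.0f} km in {hours:.2f} h"))
        last_seen[ev["user"]] = ev
    return alerts


if __name__ == "__main__":
    for user, signal, detail in detect(parse_log(SAMPLE_LOG), BASELINE):
        print(f"{user:8} {signal:22} {detail}")
```

In the sample, alice's second login trips all three rules (new country, new device, New York to Berlin in 45 minutes), while bob's move from Los Angeles to San Francisco over four hours is within plausible travel and only his phone shows up as a new device. A real deployment would source the baseline from the identity provider and feed the alerts into the SIEM rather than printing them.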

What the CEO testimony clarified

In 2021 testimony, Colonial Pipeline’s CEO described a legacy VPN that only supported single-factor authentication. That detail matters because it maps directly to a common ransomware entry pattern: stolen credentials plus a remote access path that accepts passwords alone.

Primary source excerpt (Senate committee site): Testimony of Joseph Blount (PDF).

How ransomware turns one login into a shutdown

Ransomware crews rarely start with encryption. They start with access, then escalate privileges, then spread, then decide what will create the most pressure. Once the operator believes you cannot restore quickly, encryption becomes a negotiation tool.

| Control | What it breaks for attackers | What to implement |
| --- | --- | --- |
| MFA on VPN and admin | Password-only access and many credential stuffing attempts | Require MFA everywhere remote access exists, not only on email |
| Account lifecycle hygiene | Abuse of old accounts that no longer have a real owner | Disable unused accounts, rotate secrets, remove shared logins |
| Segmentation | Fast lateral movement to domain-wide control | Separate business IT from operational systems and restrict admin reach |
| Immutable or offline backups | Deletion of backups as a precursor to encryption | Store backups out of band and test restores regularly |
| Incident response plan | Confusion that buys attackers time | Define who isolates systems, who talks to law enforcement, and who owns comms |
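The "stabilize access first" checklist and the rule of thumb above, together with the first, second and fourth rows of this table, describe a posture review: internet-exposed entry points without MFA, accounts with no owner, no recent login or a shared password, and backups reachable with production admin credentials. The script below is an added example that encodes those checks as a prioritised finding list; it is not code from the article, and the inventory records, field names, 90-day staleness window and group name are constructed assumptions.

```python
"""Prioritised posture review for remote access, accounts and backups.
Added example; the inventory fields and thresholds are assumptions."""
from datetime import date

# Constructed inventory records (assumed fields).
ENTRY_POINTS = [
    {"name": "legacy-vpn", "internet_exposed": True, "mfa": False, "in_use": False},
    {"name": "corp-vpn", "internet_exposed": True, "mfa": True, "in_use": True},
    {"name": "admin-portal", "internet_exposed": True, "mfa": False, "in_use": True},
    {"name": "jump-host", "internet_exposed": False, "mfa": False, "in_use": True},
]
ACCOUNTS = [
    {"name": "svc-vpn-old", "owner": None, "last_login": date(2020, 11, 2), "shared": False},
    {"name": "ops-shared", "owner": "ops-team", "last_login": date(2021, 5, 6), "shared": True},
    {"name": "alice", "owner": "alice", "last_login": date(2021, 5, 6), "shared": False},
]
BACKUPS = [
    {"name": "nightly-snapshots", "admin_group": "Domain Admins", "immutable_or_offline": False},
    {"name": "offsite-vault", "admin_group": "backup-vault-admins", "immutable_or_offline": True},
]
PROD_ADMIN_GROUP = "Domain Admins"  # assumed name of the production admin group


def assess(entry_points, accounts, backups, today, stale_days=90,
           prod_admin_group=PROD_ADMIN_GROUP):
    """Return findings sorted by priority (1 = fix first) then by item name."""
    findings = []

    # Rule of thumb: internet-reachable without MFA is treated as compromised.
    for ep in entry_points:
        if ep["internet_exposed"] and not ep["mfa"]:
            action = "disable the path" if not ep["in_use"] else "enforce MFA and reset credentials"
            findings.append({"priority": 1, "control": "MFA on VPN and admin",
                             "item": ep["name"], "action": action})

    # Account lifecycle hygiene: ownerless, stale or shared accounts.
    for acct in accounts:
        reasons = []
        if acct["owner"] is None:
            reasons.append("no owner")
        idle_days = (today - acct["last_login"]).days
        if idle_days > stale_days:
            reasons.append(f"no login in {idle_days} days")
        if acct["shared"]:
            reasons.append("shared login")
        if reasons:
            findings.append({"priority": 2, "control": "Account lifecycle hygiene",
                             "item": acct["name"],
                             "action": "disable or replace with individual accounts (" + ", ".join(reasons) + ")"})

    # Backups must not be reachable with the same admin credentials as production.
    for b in backups:
        problems = []
        if b["admin_group"] == prod_admin_group:
            problems.append("managed by the production admin group")
        if not b["immutable_or_offline"]:
            problems.append("not immutable or offline")
        if problems:
            findings.append({"priority": 3, "control": "Immutable or offline backups",
                             "item": b["name"],
                             "action": "move out of band and test restore (" + ", ".join(problems) + ")"})

    return sorted(findings, key=lambda f: (f["priority"], f["item"]))


if __name__ == "__main__":
    for f in assess(ENTRY_POINTS, ACCOUNTS, BACKUPS, date(2021, 5, 7)):
        print(f"P{f['priority']} {f['control']:30} {f['item']:18} {f['action']}")
```

Run against the constructed inventory, the unused legacy VPN and the password-only admin portal come out first, the ownerless stale service account and the shared ops login next, and the snapshot store that Domain Admins can reach last; the jump host is skipped because it is not internet-exposed. In practice the inventory would be pulled from the VPN appliance, the directory and the backup platform rather than hard-coded.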

If you are hit anyway

Containment comes first. Isolate affected systems, preserve evidence, and bring in the right escalation paths early. Government guidance is a useful baseline when you need a neutral checklist: CISA StopRansomware. The FBI also publishes practical ransomware guidance for victims: FBI ransomware.

For a deeper defensive playbook, see the guides on how to protect your business from ransomware and on ransomware in general.

Colonial Pipeline is a reminder that security rarely fails at the fancy layer first. It fails at the forgotten layer: legacy remote access, uneven MFA coverage, and accounts that no longer have an owner. Fix those, and you remove the easiest path to the worst day.