Colonial Pipeline has confirmed that it paid a $4.4m ransom demand to receive a decryption tool from the cybercriminal gang that infiltrated its IT network, but it was reportedly insufficient to immediately restore its systems.
The operator of the biggest US fuel pipeline took its IT systems offline on Friday 7 May after they were infected with file-encrypting malware. It forced a five-day closure of the line carrying 45% of the East Coast’s fuel supply, sparking a jump in fuel prices and shortages at the petrol pump.
Joseph Blount, CEO of Colonial Pipeline, said he made the decision to pay the ransom demand on that same day because he did not know how long it would take to get the pipeline running again.
“I know that’s a highly controversial decision,” Blount told the Wall Street Journal. “I didn’t make it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this. But it was the right thing to do for the country.”
Blount’s comments confirm reports last week that Colonial Pipeline had made a ransom payment of nearly $5m.
A company employee found a ransom note on 7 May at 5:30am. An hour later the company had shut down the pipeline, which typically transports around 2.5 million barrels of fuel per day along a 5,500-mile stretch of pipe.
Operational systems responsible for transporting fuel along the pipeline were not affected by the attack but were shut down as a precaution while investigators determined how far the attackers had got into Colonial’s system.
On 10 May the FBI confirmed that DarkSide ransomware was used in the attack. The file-encrypting malware operates in a ransomware-as-a-service model, in which affiliate gangs pay a cut of their earnings to the criminals in control of the software and underlying infrastructure.
Shortly after the attack DarkSide appeared to distance itself from the operation, saying it would in future “check each company that our partners want to encrypt to avoid social consequences.”
The DarkSide ransomware does not target systems where the language is set to Russian. Russia has denied any involvement in the attack.
DarkSide has reportedly received a total of $90m in bitcoin payments, according to London-based blockchain analytics company Elliptic, which claims to have identified the wallet used by affiliated gangs. Elliptic said that it had seen a 75 BTC payment made to a bitcoin wallet associated with DarkSide that is believed to have come from Colonial Pipeline.
According to a recent report from eSentire, six ransomware gangs have made up to $45m this year from over 290 victims.
Colonial Pipeline sparks debate on ransom payments
Lewis Jones, threat intelligence analyst at Talion, said that Blount speaking publicly about the ransom payment is a “very positive step.”
He added: “The more companies open up about attacks and are transparent on the action they took when under attack, the more we can learn about cybercriminal techniques and build better defences.”
Cybersecurity experts advise against paying ransom demands because there is no guarantee that files will be unlocked and because paying can make the organisation a target for future attacks. And, as the Colonial Pipeline attack shows, even the decryption tools provided by attackers are not guaranteed to work well. Verdict has contacted Colonial for more details on the decryption tool it paid for but did not receive a reply at the time of publication.
Law enforcement agencies tend to advise against payments because they fund criminal activity, although in most countries it is not illegal to pay the demand.
Last week UK Home Secretary Priti Patel said the government had a “strong position” against paying ransomware demands.
Jake Moore, cybersecurity specialist at internet security company ESET, said: “Prevention remains the strongest line of defence and there is still so much organisations can do to achieve better protection. But whilst ransomware is still profitable and the risks fail to outweigh the potential profits, it will remain prevalent in our daily lives, echoing the new mindset that crime really can pay.”