Colonial Pipeline paid $5 million to the DarkSide ransomware group to restore operations within hours after a ransomware attack paralysed fuel supplies across the U.S. eastern seaboard, Bloomberg has revealed.
Last Friday, Colonial Pipeline announced via a press release that it suffered a ransomware attack and had to take certain systems offline to contain the threat which, in turn, halted all pipeline operations and rendered some IT systems non-functional.
The company later said it was dedicating vast resources to restoring pipeline operations quickly and safely and was bringing back some of its pipelines online in a phased manner. “Restoring our network to normal operations is a process that requires the diligent remediation of our systems, and this takes time.
“While this situation remains fluid and continues to evolve, the Colonial operations team is executing a plan that involves an incremental process that will facilitate a return to service in a phased approach. This plan is based on a number of factors with safety and compliance driving our operational decisions, and the goal of substantially restoring operational service by the end of the week,” it said.
Soon after the ransomware attack became public, the FBI announced that it was the work of the DarkSide ransomware group but stopped short of stating how much ransom had been demanded by the group or if Colonial Pipeline intended to pay a ransom to quickly restore operations. “The FBI confirms that the Darkside ransomware is responsible for the compromise of the Colonial Pipeline networks. We continue to work with the company and our government partners on the investigation,” the agency said.
Yesterday, Bloomberg reported that Colonial Pipeline paid a ransom of $5 million to the DarkSide hacker group, that too within hours after the ransomware attack took place. The money was transferred in hard-to-trace cryptocurrency and the hacker group shared a decryption key in return as promised. U.S. government agencies are reportedly aware that a ransom has been paid.
The fact that the company chose to pay a ransom so quickly indicates how urgently it wanted to restart operations, considering it is the largest refined products pipeline company in the U.S. and supplies around 45% of all fuel in the east coast region. Unfortunately, the ransom payment also exposes that the company was ill-prepared to prevent a ransomware attack or restore operations of its own in the aftermath of such an incident.
Commenting on the ransom paid by Colonial Pipeline, Mitch Mellard, Principal Threat Intelligence Analyst at Talion, says that considering the potential consequences of a long-term recovery operation and incident response process, it’s not surprising at all that Colonial paid the group responsible for deploying ransomware across their systems.
“For the criticality of the target, the figure appears to be relatively tame, especially when you take into consideration ransom demands for targets in the entertainment sector have been much higher recently, such as the ransoms demanded from Capcom and CD project Red for 11 and 7 million USD respectively.
“One would think that the ransom for a network handling such critical, and lucrative infrastructure, would be worth significantly more than video game development and digital IP theft. The low ransom amount could however simply be a tactic to make it more likely to obtain payment, by making it an easy decision for the company in terms of offset cost.
However pragmatic the decision to pay the attackers may seem, I would always caution against paying these criminals. For one thing, there is no guarantee that they will even decrypt your files or avoid leaking/selling them after the fact, in fact recent figures have highlighted an alarming number of ransomware groups which are paid off but never deliver a working decryptor.
“In my opinion, the biggest factor at play here is the feedback loop of malicious activity created by surrendering and paying the ransom, this allows the groups to achieve a greater level of sophistication during their next attacks, whether that be via training, new tooling, purchasing credentials, or recruitment. Feeding this industry only ensures that they become collectively more of a threat in the long run, facilitating more breaches, more payments, and thus the cycle continues,” he adds.