Colonial Pipeline Paid a $5 Million Ransom To Get Things Back Online

Contrary to earlier reports, Colonial Pipeline cooperated with demands for payment from the DarkSide ransomware group.

Image: Pipeline Cybersecurity Attack (AP Images)

News this week has centered on fuel shortages in states across the Southeast, as the shutdown of the Colonial Pipeline sparked panic buying of fuel across the region. The pipeline ceased operations in the wake of a cyberattack last Friday, in which the company's systems were compromised by ransomware from a hacker group known as DarkSide. It now turns out the company gave in to the hackers' demands and paid up just hours after the attack began, according to new reports from Bloomberg.

Colonial Pipeline paid the equivalent of nearly $5 million in cryptocurrency to the hacker group, contradicting earlier reports that the company had no intention of paying a ransom. Cryptocurrency is the favored method for such payments, as it avoids dangerous standoffs at cash exchanges or traceable financial transactions in the mainstream banking system. The payment was made within hours of the initial attack, with the hacker group providing a decryption tool in exchange for the ransom. The tool was slow to recover data, however, and the company also relied on its own backups to restore its networks, sources familiar with the situation said.


Ransomware attacks involve installing malware on target systems to encrypt data, locking it up and making it unusable. The hackers then demand payment in exchange for a password or tool to decrypt and recover the files. Alternatively, hackers may also steal sensitive data and threaten to release it publicly if their demands aren't met. Such attacks are becoming increasingly common, with hackers targeting everything from universities to football teams.

The FBI provides official guidance on dealing with ransomware, and discourages companies from complying with demands from criminal hacker groups. The agency notes that there is no guarantee that hackers will actually decrypt files upon receiving payment, and that the practice of paying ransoms only encourages more hackers to pursue ransomware attacks. However, many companies find themselves poorly prepared. In many cases, internal backups are encrypted along with the other machines on company networks, leaving these organizations little option but to comply.

Interestingly, despite the ransom being paid on Friday just hours after the attack commenced, pipeline operations did not restart until Wednesday. According to Bloomberg, the pipeline is reported to be running at just half capacity at this stage. GasBuddy analyst Patrick De Haan has stated that sporadic outages are likely to last another 7 to 14 days in the worst affected areas, due to the sheer number of filling stations that have run dry. The problem of panic buying has spread beyond the area served by the Colonial Pipeline, too, with over 39 percent of Miami gas stations running out of fuel, despite the fact that the city receives its fuel from its ports.

It's likely we haven't seen the last of the turmoil from the Colonial Pipeline cyberattack, even if most of the chaos was caused by the panicked response rather than by the pipeline shutdown itself. With flows gradually being restored, hopefully calm will reign sooner rather than later.

Got a tip? Let us know: tips@thedrive.com