In early May, Colonial Pipeline, the largest refined products pipeline company in the United States, became the victim of a ransomware attack that forced it to shut down all of its pipeline operations. The attack was carried out by the DarkSide ransomware gang, which also targeted the German chemical distribution company Brenntag around the same time.
In the middle of May, Bloomberg reported that soon after it detected the ransomware attack and shut down all operations, Colonial Pipeline chose to pay the DarkSide ransomware gang a ransom of $4.4 million in exchange for a decryption key so that it could restore operations quickly. The money was transferred in hard-to-trace cryptocurrency, and the hacker group shared a decryption key in return, as promised.
Recently, Joe Blount, the CEO of Colonial Pipeline, spoke to NPR to share his side of the story on why the company paid such a large ransom to the hackers, whether the company has been able to restore all affected operations and services, and how the company responded after detecting the ransomware attack early on May 7.
Not only did Blount confirm that Colonial Pipeline paid a ransom of $4.4 million to DarkSide, he said paying the hackers was the right thing to do as the company’s foremost priority was to restore operations as quickly as possible.
“So once we identified the risk and contained the risk by shutting the pipeline system down and immediately called in cyber experts to help us with identifying further what had been done to our system, one of the things that came up, ultimately, was the ransom and whether to pay the ransom or not,” he told NPR.
“The conversation went like this: Do you pay the ransom or not? And of course, the initial thought is: You don’t want to pay the ransom. You don’t want to encourage [hackers], you don’t want to pay these contemptible criminals. But our job and our duty is to the American public. So when you know that you have 100 million gallons of gasoline and diesel fuels and jet fuels that are going to go across the Southeastern and Eastern seaboard of the United States, it’s a very critical decision to make.
“And if owning that de-encryption tool gets you there quicker, then it’s the decision that had to be made. And I did make that decision that day. It was the right decision to make for the country,” he added.
Even though the cybersecurity industry (and governments) scoffs at the idea of engaging with hackers or paying a ransom in the aftermath of an attack, Mitch Mellard, Principal Threat Intelligence Analyst at Talion, previously told TEISS that it is understandable why Colonial Pipeline chose to pay, considering the potential consequences of a long-term recovery operation and incident response process.
“One would think that the ransom for a network handling such critical and lucrative infrastructure would be worth significantly more than video game development and digital IP theft. The low ransom amount could, however, simply be a tactic to make it more likely to obtain payment, by making it an easy decision for the company in terms of offset cost.
“However pragmatic the decision to pay the attackers may seem, I would always caution against paying these criminals. For one thing, there is no guarantee that they will even decrypt your files or avoid leaking/selling them after the fact; in fact, recent figures have highlighted an alarming number of ransomware groups which are paid off but never deliver a working decryptor.
“In my opinion, the biggest factor at play here is the feedback loop of malicious activity created by surrendering and paying the ransom; this allows the groups to achieve a greater level of sophistication during their next attacks, whether that be via training, new tooling, purchasing credentials, or recruitment.
“Feeding this industry only ensures that they become collectively more of a threat in the long run, facilitating more breaches, more payments, and thus the cycle continues,” he added.