Report: Colonial Pipeline paid ransomware attackers $5 million, but still had to rely on its own backups

Tool DarkSide gang provided to decrypt IT systems wasn’t good enough.

Graham Cluley
@gcluley


If Bloomberg is to be believed[1], Colonial Pipeline paid out a ransom of almost $5 million last week in an attempt to help it restore the operation of its massive East Coast fuel pipeline.

According to the news outlet, anonymous sources confirmed that the DarkSide ransomware gang were paid a ransom of approximately 75 Bitcoin within hours of the company shutting down its pipeline in response to the attack.

The company paid the hefty ransom in difficult-to-trace cryptocurrency within hours after the attack, underscoring the immense pressure faced by the Georgia-based operator to get gasoline and jet fuel flowing again to major cities along the Eastern Seaboard, those people said. A third person familiar with the situation said U.S. government officials are aware that Colonial made the payment.

Was it worth paying the ransom? Well, that’s debatable. Because according to Bloomberg, the recovery tool DarkSide provided – to supposedly decrypt systems that had been earlier garbled – proved too slow, and so Colonial Pipeline continued to rely upon its own backups:

Once they received the payment, the hackers provided the operator with a decrypting tool to restore its disabled computer network. The tool was so slow that the company continued using its own backups to help restore the system, one of the people familiar with the company’s efforts said.

That’s not a great advert for the DarkSide ransomware gang. If I were them I wouldn’t be too happy. Mind you, maybe they’re not having the best week of their lives anyway – regardless of the cryptocurrency they may have received.

Interestingly, before the news from Bloomberg broke, Reuters claimed that Colonial Pipeline was not planning to pay a ransom (again, relying on anonymous sources for its information).

To be honest, if I were Colonial Pipeline and I had paid the ransom, it’s not necessarily something I would want to shout from the rooftops. After all, it tells all the other cybercriminals in the world that you’re the type of organisation that’s prepared to reach deep into its wallets when threatened.

So, unless Colonial Pipeline officially confirms whether it paid the money or not – it’s hard to be certain.

What isn’t in dispute is that in the past the FBI has urged corporate victims to not pay ransoms, claiming that it simply fuels more ransomware attacks.

Of course, we have to be realistic. There is no sign that ransomware attacks are going to stop anytime soon, and there are some organisations who will understandably feel that they have no choice but to make the painful decision to pay their attackers.

Footnotes:
[1] The accuracy of past cybersecurity reporting from Bloomberg has been called into question.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
