[BreachExchange] Colonial Pipeline Paid Hackers Nearly $5 Million in Ransom

[Destry Winant]

https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom

Colonial Pipeline Co. paid nearly $5 million to Eastern European hackers on
Friday, contradicting reports earlier this week that the company had no
intention of paying an extortion fee to help restore the country’s largest
fuel pipeline, according to two people familiar with the transaction.

The company paid the hefty ransom in difficult-to-trace cryptocurrency
within hours after the attack, underscoring the immense pressure faced by
the Georgia-based operator to get gasoline and jet fuel flowing again to
major cities along the Eastern Seaboard, those people said. A third person
familiar with the situation said U.S. government officials are aware that
Colonial made the payment.

Once they received the payment, the hackers provided the operator with a
decrypting tool to restore its disabled computer network. The tool was so
slow that the company continued using its own backups to help restore the
system, one of the people familiar with the company’s efforts said.

A representative from Colonial declined to comment. Colonial said it began
to resume fuel shipments around 5 p.m. Eastern time Wednesday.

When Bloomberg News asked President Joe Biden if he was briefed on the
company’s ransom payment, the president paused, then said: “I have no
comment on that.”

The hackers, which the FBI said are linked to a group called DarkSide,
specialize in digital extortion and are believed to be located in Russia or
Eastern Europe.

On Wednesday, media outlets including the Washington Post and Reuters, also
based on anonymous sources, reported that the company had no immediate
intention of paying the ransom.

Ransomware is a type of malware that locks up a victim’s files, which the
attackers promise to unlock for a payment. More recently, some ransomware
groups have also stolen victims’ data and threatened to release it unless
paid -- a kind of double extortion.

The FBI discourages organizations from paying ransom to hackers, saying
there is no guarantee they will follow through on promises to unlock files.
It also provides incentive to other would-be hackers, the agency says.

However, Anne Neuberger, the White House’s top cybersecurity official,
pointedly declined to say whether companies should pay cyber ransoms at a
briefing earlier this week. “We recognize, though, that companies are often
in a difficult position if their data is encrypted and they do not have
backups and cannot recover the data,” she told reporters Monday.

Such guidance provides a quandary for victims who have to weigh the risks
of not paying with the costs of lost or exposed records. The reality is
that many choose to pay, in part because the costs may be covered if they
have cyber-insurance policies.

“They had to pay,” said Ondrej Krehel, chief executive officer and founder
of digital forensics firm LIFARS and a former cyber expert at Loews Corp.,
which owns Boardwalk Pipeline. “This is a cyber cancer. You want to die or
you want to live? It’s not a situation where you can wait.”

Krehel said a $5 million ransom for a pipeline was “very low.” “Ransom is
usually around $25 million to $35 million for such a company. I think the
threat actor realized they stepped on the wrong company and triggered a
massive government response,” he said.

A report released last month by a ransomware task force said the amount
paid by victims increased by 311% in 2020, reaching about $350 million in
cryptocurrency. The average ransom paid by organizations in 2020 was
$312,493, according to report.

Colonial, which operates the largest fuel pipeline in the U.S., became
aware of the hack around May 7 and shut down its operations, which led to
fuel shortages and lines at gas stations along the East Coast.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210514/0323c545/attachment.html>