May 19, 2021 - Technology

Colonial Pipeline CEO says company paid hacker group $4.4 million

Colonial Pipeline fuel tanks at a junction near Woodbine, Maryland. Photo: Drew Angerer/Getty Images

Colonial Pipeline CEO Joseph Blount told the Wall Street Journal that he authorized a $4.4 million ransom payment to the DarkSide cybercrime group on May 7 in an attempt to restore service on the largest refined-fuels pipeline in the U.S.

Why it matters: For years the federal government has recommended that companies not pay criminals during ransomware attacks, out of concern that the payments only encourage more groups to conduct future attacks.

Context: The breach of the pipeline triggered new concerns about the vulnerability of the country's increasingly digitized energy systems.

  • As a result of the ransomware attack, gas stations in at least 12 states and the District of Columbia experienced gas shortages, which have persisted even after the pipeline resumed normal operations on Saturday, according to crowdsourced data collected by GasBuddy.

What they're saying: Blount told WSJ that Colonial paid the ransom after consulting experts who had dealt with DarkSide in the past.

  • “I know that’s a highly controversial decision,” Blount said. “I didn’t make it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this.”
  • “But it was the right thing to do for the country.”

The big picture: In exchange for the millions of dollars, paid in bitcoin, Colonial Pipeline received from DarkSide a decryption tool that did not immediately restore its computer systems, a person involved with the transaction told the WSJ.

  • DarkSide claimed last week that it would be shutting down after it had lost access to the infrastructure needed to carry out its extortion operations and that a cryptocurrency account it uses to pay its affiliates had been drained.
  • Security experts say cybercriminal groups often disband only to return under different names, so it cannot be determined whether the disruption to DarkSide's infrastructure is genuine or permanent.

Go deeper: The new digital extortion