Colonial Pipeline, the US operator of fossil fuel distribution infrastructure that was hit by a DarkSide ransomware attack last week, may have paid a $5m ransom to the ransomware operators within hours of being locked out of critical systems, according to reports.
According to anonymous sources close to the incident, Colonial Pipeline paid the ransom in an anonymous cryptocurrency and received the decryption tool. However, this tool allegedly worked so slowly that the company restored a good amount of its data from backups, which somewhat negated the point of paying.
Bloomberg, the first to report the apparent payment, also said the US government was aware a ransom had been paid.
Fuel deliveries across the Colonial Pipeline infrastructure are understood to have resumed on Wednesday, 12 May. According to CNN, the resumption of operations was delayed because the ransomware attack hit the firm’s billing system. Therefore, it was forced to shut off supplies because it could not guarantee its customers would pay it.
At the time of writing, Colonial Pipeline’s security partner Imperva is blocking legitimate access to its website from outside the US using its Cloud Application Service. It has therefore not been possible at the time of writing to establish any response from the company.
Armis’ European cyber-risk officer, Andy Norton, said: “I don’t think we are at the end of this story; there is no clear winner here. DarkSide may have been paid $5m to destroy the data they hold and unencrypt the affected files, but in doing so, they became a global news story and consequently a bargaining chip in future US and Russia dealings.
“Darkside clearly knows it is public enemy number one right now, even issuing an apology about the collateral damage to their attack [and] other criminal affiliates will be trying to distance themselves from Darkside, to avoid getting rolled up in the future law enforcement investigations,” he said. “If there is a loser, it’s the cyber insurance company behind Colonial, who now have to cover the costs.”
Robert Golladay, EMEA and APAC director at Illusive, said that the fact Colonial Pipeline may have had insurance against ransomware could have been a factor in why it was targeted, to begin with. “Hackers are figuring out who is insured, which tells them the company has assets that are valuable and will be in a position to pay,” he said.
“As we see in the Colonial attack, instances of ransomware are growing in size and scale. This type of attack is exploding because it works, scales and is predictable, and it’s a way for attackers to make easy money. Some of the criminal enterprises, like DarkSide, are funneling the money they make back into the tools they are using.”
In further development, unconfirmed reports have emerged today (Friday 14 May) that the DarkSide ransomware infrastructure has been seized and taken offline, possibly in a law enforcement response.