Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Colonial Pipeline CEO Explains $4.4M Ransomware Payment

Colonial Pipeline chief executive Joseph Blount has confirmed the company shelled out $4.4 million to purchase a decryption key to recover from the disruptive ransomware attack that caused gasoline shortages in parts of the U.S.

Colonial Pipeline chief executive Joseph Blount has confirmed the company shelled out $4.4 million to purchase a decryption key to recover from the disruptive ransomware attack that caused gasoline shortages in parts of the U.S.

A Wall Street Journal (WSJ) report said Colonial Pipeline made the $4.4 million payment on the evening of May 7 in the form of bitcoin. The company did receive a decryption tool to retrieve the locked data but white the tool was somewhat useful, it was ultimately not enough to immediately restore the pipeline’s systems, the newspaper said.

While the pipline operator did not confirm the amount of the payment, it did confirm to SecurityWeek that it had paid the ransom.

“Colonial Pipeline is critical to the economic and national security of our nation,” a company spokesperson told SecurityWeek. “When we were attacked on May 7, a decision was quickly made to take our entire system offline. We needed to do everything in our power to restart the system quickly and safely. The decision was made to pay the ransom. This decision was not made lightly, however, one that had to be made. Tens of millions of Americans rely on Colonial – hospitals, emergency medical services, law enforcement agencies, fire departments, airports, truck drivers and the traveling public. Our focus remains on continued operations to safely deliver refined products to communities we serve.”

The Colonial Pipeline CEO told the WSJ that making the ransom payment was “the right thing to do for the country.”

“I didn’t make it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this,” Blount said, noting that the multi-million payment to the ransomware-as-a-service group was a “highly controversial decision.”

[ READ: Colonial Pipeline Paid $5 Million to Ransomware Gang ] 

The ransomware attack has already led to ‘state of emergency’ declarations, temporary lines at gas pumps and rising gas prices.

The U.S. Federal Bureau of Investigation (FBI) and law enforcement agencies typically advise against ransom payments to cybercriminals, especially since some payments may be subject to international sanctions violations.

Additionally, there are no guarantees the data decryption key will work to retrieve encrypted data and no way to be sure the data wasn’t stolen and resold on darkweb marketplaces.

However, even U.S. government organizations have been known to pay significant amounts of money to cybercriminals following ransomware attacks. 

*Updated with commentary from Colonial Pipeline

Related: Tech Audit of Colonial Pipeline Found ‘Glaring’ Problems

Related: Industry Reactions to Ransomware Attack on Colonial Pipeline

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Nation-State

The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.