Colonial Pipeline Paid $5 Million to Ransomware Gang: Reports

Colonial Pipeline paid $5 million to Darkside cybercriminals

Colonial Pipeline paid a $5 million ransom to the threat actors that recently breached its systems, according to media reports.

Bloomberg, which got the information from two people familiar with the transaction, reported on Thursday that the cybercriminals provided a decryption tool designed to restore systems encrypted by the ransomware, but the tool was too slow and Colonial used its own backups for the task. Bloomberg said the ransom was paid — in “untraceable cryptocurrency” — within hours after the attack was discovered.

CNN previously reported that Colonial Pipeline had not paid the ransom, but on Thursday CNN said it independently confirmed that the company did in fact pay the hackers. CNN learned from two sources that the cybercriminals had demanded nearly $5 million. It seems that the money was actually paid to “retrieve the stolen information” and the company was reportedly successful in recovering the most important data.

Ransomware gangs typically also promise not to disseminate the stolen files and delete all copies if their demands are met.

Contacted by SecurityWeek regarding the reports around the ransom demand and potential payment, Colonial Pipeline said it’s “not commenting at this time.”

Law enforcement agencies in the U.S. and elsewhere advise against paying the ransom, arguing that there is no guarantee the attackers will keep their end of the deal and that it only encourages cybercriminals to continue launching such attacks. However, even U.S. government organizations have been known to pay significant amounts of money to cybercriminals following ransomware attacks.

Colonial Pipeline, which operates the largest refined products pipeline in the United States, was forced to shut down operations as a result of the incident. The attack had significant consequences, including several states declaring a state of emergency, temporary gas shortages, and rising gas prices.

The company said on Wednesday that it had initiated a restart of pipeline operations, but noted that it would take several days for the product delivery supply chain to return to normal.

The FBI and CISA said this week there was no evidence that the hackers compromised operational technology (OT) systems at Colonial — the company reported that it had proactively disconnected some OT systems to ensure their safety.

The attack was carried out using a piece of ransomware named DarkSide, which has been linked to Russian cybercriminals and which has been offered through a ransomware-as-a-service model to multiple groups that get a share of the profit for delivering the malware to targeted organizations.

In attacks involving DarkSide, the hackers not only encrypt files on compromised systems — decrypting the files is currently impossible without a key provided by the attackers — they also steal valuable data and threaten to make it public to increase their chances of getting paid. While Colonial may have been able to recover encrypted files on its own, it appears that the company decided to pay up to make sure that the information stolen by the hackers isn’t made public.

Threat intelligence company Flashpoint believes — with moderate confidence based on code analysis — that the ransomware used in the Colonial Pipeline attack is a variant of the notorious REvil ransomware.

Bleeping Computer reported on Thursday that Germany-based chemical distribution firm Brenntag this week paid a $4.4 million ransom to DarkSide ransomware operators after they allegedly stole 150GB of data from the company.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.