Security Experts:

Connect with us

Hi, what are you looking for?



Colonial Pipeline Paid $5 Million to Ransomware Gang: Reports

Colonial Pipeline paid $5 million to Darkside cybercriminals

Colonial Pipeline paid $5 million to Darkside cybercriminals

Colonial Pipeline paid a $5 million ransom to the threat actors that recently breached its systems, according to media reports.

Bloomberg, which got the information from two people familiar with the transaction, reported on Thursday that the cybercriminals provided a decryption tool designed to restore systems encrypted by the ransomware, but the tool was too slow and Colonial used its own backups for the task. Bloomberg said the ransom was paid — in “untraceable cryptocurrency” — within hours after the attack was discovered.

CNN previously reported that Colonial Pipeline had not paid the ransom, but on Thursday CNN said it independently confirmed that the company did in fact pay the hackers. CNN learned from two sources that the cybercriminals had demanded nearly $5 million. It seems that the money was actually paid to “retrieve the stolen information” and the company was reportedly successful in recovering the most important data.

Ransomware gangs typically also promise not to disseminate the stolen files and delete all copies if their demands are met.

Contacted by SecurityWeek regarding the reports around the ransom demand and potential payment, Colonial Pipeline said it’s “not commenting at this time.”

Law enforcement agencies in the U.S. and elsewhere advise against paying the ransom, arguing that there is no guarantee the attackers will keep their end of the deal and that it only encourages cybercriminals to continue launching such attacks. However, even U.S. government organizations have been known to pay significant amounts of money to cybercriminals following ransomware attacks.

Colonial Pipeline, which is the largest refined products pipeline in the United States, was forced to shut down operations as a result of the incident. The attack had significant implications, including states declaring a state of emergency, temporary gas shortages, and gas prices rising.

The company said on Wednesday that it had initiated a restart of pipeline operations, but noted that it would take several days for the product delivery supply chain to return to normal.

The FBI and CISA said this week there was no evidence that the hackers compromised operational technology (OT) systems at Colonial — the company reported that it had proactively disconnected some OT systems to ensure their safety.

The attack was carried out using a piece of ransomware named DarkSide, which has been linked to Russian cybercriminals and which has been offered through a ransomware-as-a-service model to multiple groups that get a share of the profit for delivering the malware to targeted organizations.

In attacks involving DarkSide, the hackers not only encrypt files on compromised systems — decrypting the files is currently impossible without a key provided by the attackers — they also steal valuable data and threaten to make it public to increase their chances of getting paid. While Colonial may have been able to recover encrypted files on its own, it appears that the company decided to pay up to make sure that the information stolen by the hackers isn’t made public.

Threat intelligence company Flashpoint believes — with moderate confidence based on code analysis — that the ransomware used in the Colonial Pipeline attack is a variant of the notorious REvil ransomware.

Bleeping Computer reported on Thursday that Germany-based chemical distribution firm Brenntag this week paid a $4.4 million ransom to DarkSide ransomware operators after they allegedly stole 150GB of data from the company.

Related: Tech Audit of Colonial Pipeline Found ‘Glaring’ Problems

Related: Industry Reactions to Ransomware Attack on Colonial Pipeline

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.