Colonial Pipeline paid a $5 million ransom to the threat actors who recently breached its systems, according to media reports.
Bloomberg, which got the information from two people familiar with the transaction, reported on Thursday that the cybercriminals provided a decryption tool designed to restore systems encrypted by the ransomware, but the tool was too slow and Colonial used its own backups for the task. Bloomberg said the ransom was paid — in “untraceable cryptocurrency” — within hours after the attack was discovered.
CNN previously reported that Colonial Pipeline had not paid the ransom, but on Thursday CNN said it independently confirmed that the company did in fact pay the hackers. CNN learned from two sources that the cybercriminals had demanded nearly $5 million. It seems that the money was actually paid to “retrieve the stolen information” and the company was reportedly successful in recovering the most important data.
Ransomware gangs typically also promise not to disseminate the stolen files and delete all copies if their demands are met.
Contacted by SecurityWeek regarding the reports around the ransom demand and potential payment, Colonial Pipeline said it’s “not commenting at this time.”
Law enforcement agencies in the U.S. and elsewhere advise against paying the ransom, arguing that there is no guarantee the attackers will keep their end of the deal and that it only encourages cybercriminals to continue launching such attacks. However, even U.S. government organizations have been known to pay significant amounts of money to cybercriminals following ransomware attacks.
Colonial Pipeline, which operates the largest refined products pipeline in the United States, was forced to shut down operations as a result of the incident. The attack had significant consequences, including several states declaring a state of emergency, temporary gas shortages, and rising gas prices.
The company said on Wednesday that it had initiated a restart of pipeline operations, but noted that it would take several days for the product delivery supply chain to return to normal.
The FBI and CISA said this week there was no evidence that the hackers compromised operational technology (OT) systems at Colonial — the company reported that it had proactively disconnected some OT systems to ensure their safety.
The attack was carried out using a piece of ransomware named DarkSide, which has been linked to Russian cybercriminals and which is offered through a ransomware-as-a-service model: the operators maintain the malware and payment infrastructure, while multiple affiliate groups deliver it to targeted organizations in exchange for a share of the profit.
In attacks involving DarkSide, the hackers not only encrypt files on compromised systems — decrypting the files is currently impossible without a key provided by the attackers — they also steal valuable data beforehand and threaten to publish it to increase their chances of getting paid. This means that a victim with good backups can recover its systems but remains exposed to the leak threat. While Colonial may have been able to restore encrypted files on its own, it appears that the company decided to pay up to make sure that the information stolen by the hackers isn’t made public.
Threat intelligence company Flashpoint believes — with moderate confidence based on code analysis — that the ransomware used in the Colonial Pipeline attack is a variant of the notorious REvil ransomware.
Bleeping Computer reported on Thursday that Germany-based chemical distribution firm Brenntag this week paid a $4.4 million ransom to DarkSide ransomware operators after they allegedly stole 150GB of data from the company.
Related: Tech Audit of Colonial Pipeline Found ‘Glaring’ Problems
Related: Industry Reactions to Ransomware Attack on Colonial Pipeline