Colonial Pipeline Reportedly Paid Hackers $5 Million for Decryption Key That Wasn't Very Useful

Illustration for article titled Colonial Pipeline Reportedly Paid Hackers $5 Million for Decryption Key That Wasn't Very Useful
Photo: JIM WATSON / AFP (Getty Images)

About a week ago, Colonial Pipeline paid the ransomware group DarkSide approximately $5 million in exchange for a data decryption key that didn’t really decrypt that much data.

Advertisement

An investigation from Bloomberg found that, despite earlier reports suggesting the company had no intention of paying the cybercriminals, Colonial actually did just that “within hours of the attack,” using an untraceable cryptocurrency. In exchange for that fat stack of cash, Colonial received a decryption tool that was so slow that the company had to partially rely on its own back-ups to continue restoring service, the news outlet reports. New York Times reporter Nicole Perlroth later stated that the ransom was paid using 75 Bitcoin. Gizmodo sent multiple emails to Colonial representatives for comment and will update this story when we hear back.

The network-crippling attack on the energy giant brought the operation of its 5,500-mile oil pipeline system to an abrupt halt last week, swiftly spurring an energy crisis throughout many of the Southeastern cities to which it delivers oil. The incident led to shortages in multiple states and subsequently spurred a gas-buying binge, as panicked Americans flocked to stores and gas stations to purchase car fuel. The epidemic of End Times-type behavior even led the U.S. Consumer Product Safety Commission to helpfully remind consumers to “not fill plastic bags with gasoline,” always a good tip.

However, just as it looked like society might collapse, the pipeline came back online Wednesday night and began to churn oil back into America’s veins once more. In a statement published Thursday, the energy company iterated that it had regained almost full operational capacity—though getting back to a regular fuel flow is expected to take some time.

“Colonial Pipeline has made substantial progress in safely restarting our pipeline system and can report that product delivery has commenced in a majority of the markets we service. By mid-day today, we project that each market we service will be receiving product from our system,” the company said, while also providing a map of the areas that it said were currently operational, as of 9 a.m. EST. As of noon EST, the entire system was expected to have been fully operational.

Illustration for article titled Colonial Pipeline Reportedly Paid Hackers $5 Million for Decryption Key That Wasn't Very Useful
Screenshot: Lucas Ropek/Colonial Pipeline

President Joe Biden also addressed the nation on Thursday, hoping to quell fears about surging gas prices and to update Americans about how the government was handling the incident. The President reiterated during his remarks that the White House did not believe that the Russian government had been involved in the ransomware attack but that it would be communicating with the Kremlin to more effectively target the criminals responsible.

Advertisement

“We do not believe that the Russian government was involved in this attack—but we do have strong reason to believe that the criminals who did the attack are living in Russia,” said the President. “We have been in direct communications with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks. We’re also going to pursue a measure to disrupt their ability to operate.”

Biden also referenced an executive order he passed Wednesday night, designed to bolster America’s defenses against cybercriminal networks. The order requires the creation of a Cyber Safety Review Board, a Department of Homeland Security team that will be in charge of investigating major cyber incidents. It also introduces measures to increase information sharing between private industry and the U.S. government on cyberattacks. And it creates a mandate for federal agencies to introduce multi-factor authentication and data encryption within a period of six months.

Advertisement

Biden did not comment at all on any financial exchange that may have occurred between Colonial and the hackers. Several high-level federal officials also refused to talk about it: “I have no knowledge of whether a ransom was paid, how much was paid, if it was paid, when it was paid,” said Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, which has been working with the embattled gas company since the attack last week.

One of the oft-made arguments for not paying ransomware gangs is that there is no guarantee that hackers will actually make good on their word to assist with decryption once money has been paid. While the ransomware business model largely hinges on criminals sticking to their promise, in many cases, decryption can be a slow, hugely imperfect process—as the Colonial episode may well demonstrate. At the same time, payment also legitimates the business model, encouraging criminals to continue seeking out new victims.

Advertisement

Staff writer at Gizmodo

DISCUSSION

Ken-Moromisato
Ken.Moromisato

how many of these will have to keep happening until they make hacking drills mandatory like fire drills?