Despite paying the ransom to cyber criminals, some internal Colonial Pipeline systems are still reportedly not functioning
The CEO of Colonial Pipeline has publicly confirmed what everyone already knew, that his firm had paid the DarkSide criminal gang its ransom demand.
Paying criminals like DarkSide goes against the advice of security experts and law enforcement agencies, as it only encourages other ransomware attacks and does not guarantee that systems will be recovered.
Earlier this week security researchers at London-based Eliptic identified the Bitcoin digital wallet used by DarkSide to extract ransoms from their victims.
Elliptic also revealed DarkSide and its affiliates had bagged at least $90 million in bitcoin ransom payments in total from various ransomware victims.
Ransom paid
And now Joseph Blount, Colonial Pipeline’s CEO, has admitted to adding to the coffers of the DarkSide criminals.
He told the Wall Street Journal he had authorised the ransom payment of $4.4 million (75 Bitcoin), because executives were unsure how badly the cyberattack had breached its systems, and consequently, how long it would take to bring the pipeline back.
“This decision was not made lightly,” but it was one that had to be made, a company spokesman was quoted by the Guardian newspaper as saying. “Tens of millions of Americans rely on Colonial: hospitals, emergency medical services, law enforcement agencies, fire departments, airports, truck drivers and the traveling public.”
“I know that’s a highly controversial decision,” Blount reportedly said. “I didn’t make it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this.”
“But it was the right thing to do for the country,” he said.
Blount said Colonial had paid the ransom in consultation with experts who previously dealt with DarkSide, which rents out its ransomware to partners to carry out the actual attacks.
Various media reports have stated that despite Colonial paying the ransom, some systems are still offline, namely billing and communications systems.
Pipeline takedown
On Friday 7 May a major pipeline (Colonial Pipeline) in the United States was attacked by DarkSide, causing widespread fuel shortages on the US east coast.
Indeed, so serious was the attack that the US government engaged emergency powers and US President Joe Biden received “personal briefings” about the cyberattack.
The Colonial Pipeline runs between Texas and New Jersey and is 5,500 mile long.
It carries 2.5 million barrels a day, which translates to 45 percent of the fuel supply for the US East Coast. It includes diesel, petrol and jet fuel.
It serves 90 US military installations and 26 oil refineries, as well as Atlanta airport – a busy regional airhub for America.
The devastation after the attack caused DarkSide, a criminal gang located in either Russia or Eastern Europe, to publicly declare they were not carrying out the attack for political purposes, but rather were just seeking to make money.
The British Foreign Secretary Dominic Raab warned Russia that it cannot continue to shelter criminal gangs carrying out ransomware attacks on Western nations.
US retaliation?
Last week DarkSide reportedly closed down, after unknown actors shut down the servers of the group.
US cyber security firm Recorded Future said that Darkside had admitted in a web post that it lost access to certain servers used for its web blog and for payments.
Although there is speculation this may be an attempt by DarkSide to escape the heat that its pipeline hack has generated.
That said, it has been reported that the US military’s Cyber Command may have downed DarkSide, after the Twitter account of the Pentagon’s 780th Military Intelligence Brigade, a hacking unit, had retweeted the Recorded Future report shortly after it came out.