It turns out Colonial Pipeline paid the attackers soon after the attack began, but the payment was not enough to stop the disruption, and the company could not quickly reverse the impact.
The Russian-speaking ransomware group attacked the pipeline company last week, forcing it to temporarily shut down operations and freeze IT systems. Fears of supply shortages have caused panic buying in some US cities.
Today, Bloomberg reported that two people close to the matter said within hours of the cyberattack, the company paid the DarkSide ransomware gang $5 million to decrypt its locked systems. Yet the attack impacted the fuel giant’s systems and cut supplies for close to a week.
While the pipeline is now operating again, the company says it will take days to restore normal service.
The article says that the payment was made to DarkSide in cryptocurrency. In return, the hackers provided a decryption key for restoring systems that the ransomware had shut down. However, the restoration process was delayed because the decryptor was “slow.” To speed up the process, the company used backups in its restoration efforts.
Today, the pipeline company said it “has made substantial progress in safely restarting our pipeline system and can report that product delivery has commenced in a majority of the markets we service.”
DarkSide is a ransomware-as-a-service (RaaS) operation: it provides its affiliates with access to the malware and, in return, takes a share of the ransom payments. DarkSide members use double-extortion tactics, stealing corporate files during an attack; if a company refuses to pay the ransom, they threaten to leak the stolen files publicly.
FireEye researchers say that DarkSide’s developers take a 25% cut of ransom payments under $500,000, and that this share drops to 10% for payments over $5 million.
The FBI and Cybersecurity and Infrastructure Security Agency (CISA) issued an alert this week in which they say they do not condone paying ransom demands made by cybercriminals.
Apparently, it wasn’t hard for Colonial Pipeline to pay the $5 million ransom because, according to Reuters, the company has cyber insurance of at least $15 million.