Colonial Pipeline CEO Confirms $4.4 Million Ransom Payment

Colonial Pipeline Co.’s CEO, Joseph Blount, said Wednesday that he authorized the payment of a $4.4 million ransom just hours after the company was hit by a DarkSide ransomware attack, according to The Wall Street Journal.

See Also: Stronger Security Through Context-aware Change Management: A Case Study

While Blount said the decision was difficult to make, he told the newspaper, “It was the right thing to do for the country.”

Following the attack, Colonial Pipeline temporarily shut down its pipeline operation, crippling the distribution of gasoline and other fuel supplies along the East Coast through the company’s 5,500 miles of pipeline and leaving gas stations in several states dry as panicky motorists filled up their cars (see: Colonial Pipeline Restarts Operations Following Attack).

“I know that’s a highly controversial decision,” Blount says of the ransom payment, The Wall Street Journal reports. “I didn’t make it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this.”

The cybersecurity research firm Elliptic said earlier that it had confirmed that Colonial Pipeline had paid a ransom of more than $5 million, based on its analysis of cryptocurrency wallet activity (see: Tracking DarkSide Ransomware Gang’s Profits).

The DarkSide gang said May 13 that it had shut down its ransomware-as-a-service operation.

Attack Details

Blount told the newspaper the company saw the first signs of the attack at 5:30 a.m. on May 7, and he was brought up to speed on the situation about 30 minutes later. Within an hour, the company had stopped the flow of fuel to 260 delivery points across 13 states. Company employees were told to not use their computers, and calls were made to federal authorities, he said.

The decision to pay the ransom the attackers demanded was made on May 7, and the payment was made that night after consulting with an outside firm familiar with the ransomware gang, Blount told the Journal. A decryptor key was received in return, but it took too long to use it to restore operations, so the company manually restarted systems and relied on backups, Blount said.

The decision to pay the ransom angered lawmakers. Speaker of the House Nancy Pelosi, D-Calif., and Rep. John Katko, R-N.Y., said on May 13 that ransomware victims should not pay ransoms because that incentivizes others to attack (see: Paying a Ransom: Does It Really Encourage More Attacks?).

Congressional leaders have also expressed their displeasure with the scant amount of details that Colonial Pipeline released since the incident first came to light. On Monday, Rep. Carolyn Maloney, D-N.Y., the chairwoman of the House Committee on Oversight and Reform, and Rep. Bennie Thompson, D-Miss., the chairman of the House Homeland Security Committee, blasted the company following a closed-door briefing.

“It is deeply troubling that cybercriminals were able to use a ransomware attack to disrupt gas supply on the East Coast and reportedly extort millions of dollars,” Maloney and Thompson noted. “We’re disappointed that the company refused to share any specific information regarding the reported payment of ransom during today’s briefing. In order for Congress to legislate effectively on ransomware, we need this information.”

The Ransom Issue

The FBI has long recommended that organizations should not pay any ransoms demanded by attackers because making the payment “doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.”

During a White House briefing earlier this month about the Colonial Pipeline attack, Anne Neuberger, the deputy national security adviser for cyber and emerging technology, noted that the decision to pay a ransom rests with the victimized organization (see: FBI: DarkSide Ransomware Used in Colonial Pipeline Attack).

“We recognize, though, that companies are often in a difficult position if their data is encrypted and they do not have backups and cannot recover the data,” Neuberger said.

Making a Business Decision

“The decision to pay – or not to pay – is a business decision that is amplified 100X because of the time constraints and potential impact,” says Austin P. Berglas, formerly an assistant special agent in charge of cyber investigations at the FBI’s New York office. “Colonial was faced with the fact that significant downtime for the company would have massive negative economic impact,” adds Berglas, who is now global head of professional services at the security firm BlueVoyant.

Chris Pierson, CEO and founder of the security company BlackCloak, notes that Colonial Pipeline is a large company with facilities spanning more than a dozen states, which complicates the decision-making process.

“Reaching an answer is made a lot easier if the company does not have a large number of impacted systems, has backups and a way to rapidly refresh their IT infrastructure, and has time – sometimes the most important factor,” Pierson says. “A strong negative in any one of these areas can limit the options that a CEO has.”

Mike Hamilton, founder of CI Security, notes that the original DarkSide ransom demand was likely much higher and negotiated down by Colonial Pipeline or a third party.

“The business model of cyber insurance is to get out as cheaply as possible, and if the company deemed that payoff was the way out and they were able to negotiate it down, that was the exit they chose,” he says.

Managing Editor Scott Ferguson contributed to this report.