Colonial Pipeline paid $5 million in ransom to DarkSide ransomware group

ByPR 24

Colonial Pipeline paid $5 million to the DarkSide ransomware group to restore operations within hours after a ransomware attack paralysed fuel supplies across the U.S. eastern seaboard, Bloomberg has revealed.

Last Friday, Colonial Pipeline announced via a press release that it suffered a ransomware attack and had to take certain systems offline to contain the threat which, in turn, halted all pipeline operations and rendered some IT systems non-functional.

The company later said it was dedicating vast resources to restoring pipeline operations quickly and safely and was bringing back some of its pipelines online in a phased manner. “Restoring our network to normal operations is a process that requires the diligent remediation of our systems, and this takes time.

“While this situation remains fluid and continues to evolve, the Colonial operations team is executing a plan that involves an incremental process that will facilitate a return to service in a phased approach. This plan is based on a number of factors with safety and compliance driving our operational decisions, and the goal of substantially restoring operational service by the end of the week,” it said.

Soon after the ransomware attack became public, the FBI announced that it was the work of the DarkSide ransomware group but stopped short of stating how much ransom had been demanded by the group or if Colonial Pipeline intended to pay a ransom to quickly restore operations. “The FBI confirms that the Darkside ransomware is responsible for the compromise of the Colonial Pipeline networks. We continue to work with the company and our government partners on the investigation,” the agency said.

Yesterday, Bloomberg reported that Colonial Pipeline paid a ransom of $5 million to the DarkSide hacker group, that too within hours after the ransomware attack took place. The money was transferred in hard-to-trace cryptocurrency and the hacker group shared a decryption key in return as promised. U.S. government agencies are reportedly aware that a ransom has been paid.

The fact that the company chose to pay a ransom so quickly indicates how urgently it wanted to restart operations, considering it is the largest refined products pipeline company in the U.S. and supplies around 45% of all fuel in the east coast region. Unfortunately, the ransom payment also exposes that the company was ill-prepared to prevent a ransomware attack or restore operations of its own in the aftermath of such an incident.

Commenting on the ransom paid by Colonial Pipeline, Mitch Mellard, Principal Threat Intelligence Analyst at Talion, says that considering the potential consequences of a long-term recovery operation and incident response process, it’s not surprising at all that Colonial paid the group responsible for deploying ransomware across their systems.

“For the criticality of the target, the figure appears to be relatively tame, especially when you take into consideration ransom demands for targets in the entertainment sector have been much higher recently, such as the ransoms demanded from Capcom and CD project Red for 11 and 7 million USD respectively.

“One would think that the ransom for a network handling such critical, and lucrative infrastructure, would be worth significantly more than video game development and digital IP theft. The low ransom amount could however simply be a tactic to make it more likely to obtain payment, by making it an easy decision for the company in terms of offset cost.

However pragmatic the decision to pay the attackers may seem, I would always caution against paying these criminals. For one thing, there is no guarantee that they will even decrypt your files or avoid leaking/selling them after the fact, in fact recent figures have highlighted an alarming number of ransomware groups which are paid off but never deliver a working decryptor.

“In my opinion, the biggest factor at play here is the feedback loop of malicious activity created by surrendering and paying the ransom, this allows the groups to achieve a greater level of sophistication during their next attacks, whether that be via training, new tooling, purchasing credentials, or recruitment. Feeding this industry only ensures that they become collectively more of a threat in the long run, facilitating more breaches, more payments, and thus the cycle continues,” he adds.

Similar Posts

US Govt sets aside US$750m for SolarWinds response – Security

US Govt sets aside US$750m for SolarWinds response – Security

ByPR 24

US President Joe Biden’s proposed budget includes US$750 million for the government agencies hit by the SolarWinds hack to pay for cybersecurity improvements to prevent another attack. The money comes on top of a US$500 million fund for federal cybersecurity as the U.S. government recovers from the cyber attack that hit nine agencies including the…

The Rise of Hydra Dark Web Marketplace and Its Cryptocurrency Ecosystem

The Rise of Hydra Dark Web Marketplace and Its Cryptocurrency Ecosystem

ByPR 24

According to new research published by Flashpoint analysts, Hydra marketplace has revealed increasing transaction volumes and a booming cryptocurrency ecosystem. The Russian dark web marketplace, mainly known for its illicit, high-traffic narcotics market, is now conducting illegal sales of stolen credit cards, SIM cards, counterfeit documents, and IDs, as well as covering its own digital…

Mobile App Developers Exposed 100 Million Android Users’ Data

Mobile App Developers Exposed 100 Million Android Users’ Data

ByPR 24

The Check Point Research team has recently discovered that in the last few months, mobile app developers potentially exposed the private data of over 100 million Android users, by not following best security practices when integrating third-party cloud services into their applications. The Check Point researchers analyzed 23 Android apps, including a screen recorder, a…

Constant Contact Email Service Used in Phishing Attack

Constant Contact Email Service Used in Phishing Attack

ByPR 24

Softpedia News / Security 1. June 2021 This article has been indexed from Softpedia News / Security Nobelium, the Russian hacking group responsible for last year’s big SolarWinds hack, has struck again. This time, it used cloud email marketing firm Constant Contact in a phishing attempt that compromised 3,000 email accounts across 150 companies, according…

Intel, AMD Dispute Findings on Chip Vulnerabilities

Intel, AMD Dispute Findings on Chip Vulnerabilities

ByPR 24

Endpoint Security , Hardware / Chip-level Security After Researchers Release Report, Chipmakers Assert That No New Defenses Are Needed Doug Olenick (DougOlenick) • May 6, 2021     Intel and AMD are disputing the findings of researchers from two universities who say they’ve discovered new attacks on Intel and AMD processors that can bypass most…

533 million Facebook users’ phone numbers leaked on hacker forum

533 million Facebook users’ phone numbers leaked on hacker forum

ByPR 24

The mobile phone numbers and other personal information for approximately 533 million Facebook users worldwide has been leaked on a popular hacker forum for free. The stolen data first surfaced on a hacking community in June 2020 when a member began selling the Facebook data to other members. What made this leak stand out was that…