Colonial Pipeline paid close to $5 million in ransomware blackmail payment

The payment was reportedly made soon after the attack began. It wasn’t enough to stop the disruption.

Colonial Pipeline reportedly paid the ransomware group responsible for a cyberattack last week close to $5 million to decrypt locked systems.

On Thursday, Bloomberg reported that two people close to the matter said a blackmail demand was agreed to within hours of the cyberattack that has impacted the fuel giant's systems for close to a week.

On May 7, Colonial Pipeline experienced a ransomware attack which forced the company to temporarily close down its operations and freeze IT systems to isolate the infection. 

While pipelines are now back in business, it will be days before normal service resumes -- and the issues surrounding supply have already caused panic buying across some cities in the United States. 

The publication says that the payment was made to DarkSide malware operators in cryptocurrency in order to secure a decryption key and restore systems rendered inoperational by the ransomware. 

See also: Colonial Pipeline attack: Everything you need to know

However, the decryptor was reported to be "so slow" that backups were also used in restoration efforts. 

The cyberattack was the work of DarkSide, a ransomware-as-a-service (RaaS) outfit. The DarkSide ransomware variant is provided to affiliates who sign up, and in return, partner groups give the malware's developers a slice of any profits made through successful ransomware extortion attempts. 

DarkSide affiliates may also use double-extortion tactics, in which corporate files are also stolen during an attack. If a company refuses to pay up to decrypt their systems, they are then threatened with the public leak of stolen data. 

FireEye researchers say that DarkSide's developers take a profit cut of 25% for ransom payments under $500,000, and this reduces to 10% for payments made over $5 million.

The FBI and Cybersecurity and Infrastructure Security Agency (CISA) issued an alert this week warning businesses of the ongoing threat of RaaS operations. Federal agencies do not condone paying ransom demands made by cybercriminals. 

According to Reuters, Colonial Pipeline has cyber insurance coverage of at least $15 million.

On Thursday, the organization said in an update that it "has made substantial progress in safely restarting our pipeline system and can report that product delivery has commenced in a majority of the markets we service."

ZDNet has reached out to Colonial Pipeline and we will update when we hear back. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0