Colonial Pipeline Co., operator of the largest U.S. fuel pipeline, reportedly paid $5 million to criminals behind a ransomware attack that has sent fuel prices spiking up and down the East Coast.
Sources familiar with the payout told Bloomberg that representatives of Colonial Pipeline paid the cybergang known as DarkSide the ransom it demanded in return for a decryption tool that allowed the firm to restore its computer network disabled in last week’s attack.
On Wednesday, the energy firm restarted its pipeline operations after a five-day shutdown, which it had undertaken proactively following the ransomware attack.
News of the payment is an about-face: according to reports on Wednesday, the company had no intention of paying the ransom.
“The company paid the hefty ransom in difficult-to-trace cryptocurrency within hours after the attack, underscoring the immense pressure faced by the Georgia-based operator to get gasoline and jet fuel flowing again to major cities along the Eastern Seaboard,” Bloomberg reporters William Turton, Michael Riley and Jennifer Jacobs wrote.
Colonial Pipeline did not reply to Threatpost’s inquiries seeking confirmation of the Bloomberg report.
Ransomware Surge: Criminals Go Big-Game Hunting
The alleged payout comes amid a global surge in ransomware attacks, with incidents up 102 percent compared with the beginning of 2020, according to Check Point Software.
In a Wednesday report by Kaspersky, researchers noted that in 2020 a number of high-profile ransomware groups emerged around the world. The report sheds light on the state-of-the-art ransomware playbook.
“Criminals discovered victims would be more likely to pay ransoms if they could establish some form of reputability beforehand. To ensure that their ability to restore encrypted files would never be questioned, they cultivated an online presence, wrote press releases and generally made sure their name would be known to all potential victims,” Kaspersky researcher Dmitry Galov wrote.
True to form, the DarkSide cybergang believed to be behind the Colonial Pipeline attack is a known threat actor. Mandiant FireEye released a new report on DarkSide. In its report, researchers said DarkSide and its ransomware-as-a-service (RaaS) affiliates have launched campaigns in more than a dozen countries and targeted multiple industries.
RaaS programs typically leverage financially motivated partners in crime to execute cyberattacks.
To Pay Ransomware or Not To Pay?
On the larger question of whether victims of ransomware attacks should pay extortion demands, opinions are mixed.
In 2020, the US Treasury Department’s Office of Foreign Assets Control (OFAC) warned organizations making ransomware payments that they risk violating economic sanctions imposed by the government against cybercriminal groups or state-sponsored hackers.
That warning echoed a 2019 bulletin by the FBI stating that it did “not advocate paying a ransom, in part because it does not guarantee an organization will regain access to its data.”
Still, reporting by the non-profit ProPublica investigative journalism organization found cyber-insurance companies often advise their customers to pay the ransoms. It found organizations believe that paying the ransom is less expensive than the alternative: namely, loss of business continuity, rebuilding systems and restoring endpoints from backups.
In an exclusive Threatpost poll of 120 respondents, the consensus was that paying a ransom is a bad idea. A full 78 percent argued against giving in to extortion demands, for a range of reasons. The top reason cited, by 42 percent, is that cybercriminals aren’t trustworthy and that paying the ransom doesn’t guarantee a decryption key.