Colonial Pipeline’s operators reportedly paid $5m to regain control of their digital systems and get the pipeline pumping oil following last week’s ransomware infection.
News of the payoff was broken by Bloomberg – which not only cited anonymous sources but also mocked other news outlets’ anonymous sources for saying earlier this week that the American pipeline operator would never pay the ransom.
“On Wednesday, media outlets including the Washington Post and Reuters reported that the company had no immediate intention of paying the ransom. Those reports were based on anonymous sources,” gloated Bloomberg, while avoiding describing its unnamed “people familiar with the company’s efforts” in the same terms.
Media braggadocio aside, the Colonial Pipeline Company of Georgia is said to have paid $5m as a ransom to regain control of its systems. Bloomberg claimed, citing its familiar-yet-anonymous sources, that the decryption utility supplied by the criminals following this payment was so slow in operation that Colonial continued restoring its systems from backups, as it has been since the weekend.
Restoring from good, working backups isn’t such a bad idea, because you should wipe infected computers and start afresh anyway, just in case the ransomware hid something nasty in their file systems.
Speculation abounded as to precisely what led to the shutdown of the pipeline on Friday, May 7 though the most likely explanation is that rather than compromising the operational technology (OT) controlling the pipeline’s pumps and valves, the ransomware KO’d back-office systems used for monitoring oil flows and generating billing records based on those flows.
If you can pump oil but can’t tell who you’re pumping it to or how much they’re taking, your oil-as-a-service business will miss out on significant profits and your engineers will rapidly lose sight of how much wear and tear safety-critical systems are enduring. Hence the shutdown.
The Colonial Pipeline says it carries 100 million gallons a day of refined fuels between Houston, Texas, and New York Harbor, or 45 percent of all fuel needed on the United States’ East Coast. The pipeline carries fuel for cars and trucks, jet fuel, and heating oil, and there are reports of gasoline shortages. Today, the biz said it had restarted operations on Wednesday evening, and is now making “substantial progress” in delivery supplies to markets.
The Colonial Pipeline company’s website was offline at the time of writing, returning this error message. Click to enlarge if this interests you that much
Brett Callow of specialist anti-ransomware firm Emsisoft told The Register that the reported payoff was relatively small, saying: “The highest demand to have become publicly known is $50m and, given the massive disruption this incident is causing and its cost implications, $5m seems surprisingly modest. Still, if it really has been paid, it’ll certainly help keep critical infrastructure in the ransomware gangs’ crosshairs. If a sector proves to be profitable, they’ll attack it again and again and again.”
Colonial was hiring a new cybersecurity manager a month ago. Whoever gets that gig probably has a very interesting few days ahead of them.
The ransomware gang operates under the moniker Darkside and is tracked by Western infosec companies under at least a dozen different names. It is said to have been active since August last year and to have been responsible for around 80 compromises so far. When the pipeline stopped last week, and the FBI got involved, the Russian-speaking criminals behind the crew issued a statement via their Tor-hosted blog claiming they were just doing business and had no ulterior motive.
Translated, this seems to have been a desperate plea to the powers-that-be in their Russian-speaking homeland not to track them down and send them to the gulag for triggering international attention after knocking out a piece of critical technology supplying the US East Coast’s liquid hydrocarbon needs. ®