Colonial Pipeline paid the Eastern European hackers who attacked its network 75 Bitcoin, worth almost $5 million at the time of the ransom payment, The New York Times and The Wall Street Journal reported Thursday evening, backing up a report in Bloomberg News. The ransom payment to DarkSide, a group of cybercriminals in or near Russia, allowed Colonial to start restoring its network and work to reopen its massive pipeline from Texas to the East Coast, where gas stations are running out of gas amid panic buying of constrained supplies. Full restoration of gas service will take several days.
The federal government discourages such payments on the grounds they encourage further ransomware attacks. But many companies, local governments, and other organizations opt to pay the ransom because not doing so — leaving company data locked in encryption or leaked or sold on the web — would cost more, and because insurance often covers the payments.
Ransomware attacks are a big and growing problem for businesses of all sizes. A report last month from a ransomware task force said payments rose by 311 percent in 2020 to about $350 million, paid in cryptocurrency, and the average payout was $312,493, Bloomberg reports. But ransoms for large corporations like Colonial tend to be much larger, and DarkSide in particular boasts of going after the big fish.
Colonial "had to pay," cyber expert and digital forensics executive Ondrej Krehel told Bloomberg. "This is a cyber cancer. You want to die or you want to live? It's not a situation where you can wait." But the $5 million ransom was "very low," he added. "Ransom is usually around $25 million to $35 million for such a company. I think the threat actor realized they stepped on the wrong company and triggered a massive government response."
President Biden, under attack from Republicans over the gas shortages, signed an executive order to beef up cybersecurity after the Colonial attack, and he told reporters Thursday the U.S. might retaliate against the cybercriminals and pursue "a measure to disrupt their ability to operate." Eight websites associated with DarkSide were down Thursday, the Times reports, though it wasn't clear if the U.S. was involved.
"We do not believe the Russian government was involved in this attack, but we do have strong reason to believe that the criminals who did the attack are living in Russia," Biden said, adding that "responsible countries" take "decisive action against these ransomware networks."