Colonial Pipeline Paid Nearly $5 Million in Ransom to Cybercriminals


Colonial Pipeline on Thursday restored operations to its entire pipeline system nearly a week following a ransomware infection targeting its IT systems, forcing it to reportedly shell out nearly $5 million to restore control of its computer networks.

“Following this restart, it will take several days for the product delivery supply chain to return to normal,” the company said in a statement on Thursday evening. “Some markets served by Colonial Pipeline may experience, or continue to experience, intermittent service interruptions during this start-up period. Colonial will move as much gasoline, diesel, and jet fuel as is safely possible and will continue to do so until markets return to normal.”

The company’s official website, however, has been taken offline as of writing with an access denied message “This request was blocked by the security rules.”

Bloomberg, citing “two people familiar with the transaction,” said the company made the payoff within hours of the DarkSide ransomware attack to obtain a decryptor, which turned out to be so slow that Colonial instead used its own backups to recover the systems rendered inoperable by the ransomware. Insurance Insider reported earlier this week that the pipeline operator had about $15 million in cyber insurance cover.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) doesn’t condone paying a ransom to criminal actors, as doing so may embolden adversaries to target more organizations and encourage other cybercriminals to engage in the distribution of ransomware. But affected entities have often opted to heed the attackers’ demands, as it’s the quickest way to resume normal operations and reduce the risk of data exposure.

A 2019 ProPublica investigation revealed how insurance companies are fuelling the rise of ransomware threats by covering the cost minus a deductible, which is typically far less than the ransom demanded by attackers.

“Threat actors have become more proficient at conducting multifaceted extortion operations, and this success has directly contributed to the rapid increase in the number of high-impact ransomware incidents over the past few years,” said cybersecurity firm FireEye, whose Mandiant subsidiary is leading the incident response efforts. “Ransomware operators have incorporated additional extortion tactics designed to increase the likelihood that victims will acquiesce to paying the ransom prices.”

The company’s threat intelligence team is tracking five activity clusters associated with the deployment of DarkSide, including UNC2628, UNC2659, and UNC2465, some of which have been active since at least April 2019.

DarkSide, advertised by a Russian-speaking actor named “darksupp” on Russian-language forums exploit.in and xss.is, operates as a ransomware-as-a-service (RaaS) outfit, with its creators taking a 25% cut for ransom payments under $500,000, a fee that decreases to 10% for payments greater than $5 million, per FireEye.

In the wake of the Colonial Pipeline attack, the operators of the DarkSide ransomware issued a statement on their dark web extortion site, pledging it intends to vet the companies its affiliates are targeting going forward to “avoid social consequences in the future.” What’s more, xss.is today announced a unilateral ban on ransomware promotions on the darknet cybercrime forum, likely in a bid to avoid unwanted attention.

“Ransomware became political,” xss.is’s admin said in a post revealed by Advanced Intel’s Yelisey Boguslavskiy. “Peskov (Putin’s press secretary) is forced to make excuses to our overseas “friends” … It is now equated with unpleasant things – geopolitics, extortion, government hacking. This word has become dangerous and toxic.”

“RaaS partnerships lead to the establishment of a massive organic economy centered around top-Russian forums,” Boguslavskiy noted. “Now, this economy may be entirely disrupted.”

The recent wave of cyber assaults aimed at SolarWinds, Microsoft Exchange, and Colonial Pipeline has also prompted the U.S. government to take steps to shore up defenses by “protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States’ ability to respond to incidents when they occur.”