Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million Ransom
Joseph Blount says he needed to quickly restore service after cyberattack threatened East Coast supply
(The Wall Street Journal)
The operator of the Colonial Pipeline learned it was in trouble at daybreak on May 7, when an employee found a ransom note from hackers on a control-room computer. By that night, the company’s chief executive came to a difficult conclusion: He had to pay.
Joseph Blount, CEO of Colonial Pipeline Co., told The Wall Street Journal that he authorized the ransom payment of $4.4 million because executives were unsure how badly the cyberattack had breached its systems or how long it would take to bring the pipeline back.
Mr. Blount acknowledged publicly for the first time that the company had paid the ransom, saying it was an option he felt he had to exercise, given the stakes involved in a shutdown of such critical energy infrastructure. The Colonial Pipeline provides roughly 45% of the fuel for the East Coast, according to the company.
“I know that’s a highly controversial decision,” he said. “I didn’t make it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this.”
“But it was the right thing to do for the country,” Blount added.
DarkSide operates a “ransomware as a service” business model where they find ways to breach private networks and install malicious software designed to block access to a computer system unless a ransom is paid.
The Federal Bureau of Investigation usually advises companies not to pay the ransom, because there is no guarantee that working decryption tools will be delivered after payment. Paying also sets a precedent and helps the ransomware business flourish.
However, Blount quickly paid the ransom after consulting with cybersecurity experts. The payment was made in Bitcoin on May 7, the same day the ransomware was discovered. The company then received a decryption tool from DarkSide. Still, it wasn’t enough to restore the entire 5,500-mile pipeline system from the Gulf Coast to Linden, New Jersey, resulting in six days of fuel stoppage and the eventual gas shortage at fueling stations up and down the East Coast. This also sent fuel prices to a 6.5-year high.
Last Thursday, Bloomberg said Colonial paid the hackers within hours of the attack in “untraceable” Bitcoin.
Blount told WSJ that Colonial had had segments of its pipeline closed for days or weeks due to Gulf Coast hurricanes, but having the entire system closed for nearly a week was unprecedented. In many ways, it was more devastating than any natural disaster previously seen.
He said the ransomware was found on a control room computer at 0530 ET on May 7. When workers found the ransomware, it was quickly escalated up the company’s chain of command to Blount within 30 minutes.
A short time later, Colonial shut the entire system down, spanning 13 states and Washington, DC, to prevent the infection from spreading.
Over the day, Colonial executives were in constant contact with the FBI’s offices in Atlanta and San Francisco and with a Cybersecurity and Infrastructure Security Agency representative, Blount said.
The CEO went on to say that throughout the shutdown period, the Energy Department worked alongside Colonial to provide the multiple federal agencies involved in the response effort with updates.
Blount’s quick action resolved what could’ve resulted in widespread chaos across the East Coast for weeks. The pipeline’s fuel flow has returned to normal, but Blount said restoration work to recover some business systems could take months and tens of millions of dollars.
“We were perfectly happy having no one know who Colonial Pipeline was, and unfortunately that’s not the case anymore,” he said. “Everybody in the world knows.”
Still, the lingering effects of the pipeline shutdown continued Wednesday, with as many as 9,500 fuel stations without gas.
Big improvements! Gas outages by state, 8am CT, chg since last update:
AL 6% -1%
DC 60% -7%
DE 2% N/C
FL 14% -1%
GA 35% -3%
KY 2% N/C
LA 2% N/C
MD 19% -3%
MS 6% N/C
NC 41% -3%
NJ 1% N/C
SC 38% -3%
TN 21% -2%
TX 2% N/C
VA 21% -4%
WV 5% N/C
TOTAL 9,508 stns without gas
— Patrick De Haan ⛽️📊 (@GasBuddyGuy) May 19, 2021
In a blog post Tuesday, London-based blockchain analytics firm Elliptic, which identified the bitcoin wallet used by DarkSide to collect ransom payments from its victims, said the group and its affiliates collected $90 million in bitcoin ransom payments over the past nine months from 47 victims.
Following the money
Using Elliptic’s blockchain analytics we can follow the ransom payments and see where the bitcoins are being spent or exchanged. What we find is that the majority of the funds are being sent to cryptoasset exchanges, where they can be swapped for other cryptoassets, or fiat currency.
The majority of cryptoasset exchanges comply with anti-money-laundering regulations. They verify their customers’ identity and report suspicious activity. They also use blockchain analytics tools, such as those offered by Elliptic, to check customer deposits for links to illicit activity such as ransomware.
However, some jurisdictions do not enforce these regulations, and it is to exchanges in these locations that much of the DarkSide ransomware proceeds are being sent.
On Tuesday, Colonial experienced another round of issues, issuing a brief statement that read: “Colonial is currently experiencing network issues impacting customers’ ability to enter and update nominations.”
So after collecting nearly $90 million in ransomware payments over nine months, culminating in the grand finale of paralyzing almost 50% of the US East Coast fuel system, DarkSide appears to have closed down.