Update 5/14/21: The DarkSide ransomware has shut down their operation out of concern for US law enforcement.
Colonial Pipeline has recovered quickly from the ransomware attack suffered less than a week ago and expects all its infrastructure to be fully operational today.
The company has already brought much of the pipeline system online and is currently delivering refined petroleum products to most of the markets it services.
Quick restoration
Colonial Pipeline manages the largest pipeline system in the U.S., supplying almost half of all the fuel consumed on the East Coast.
The decision to shut down its infrastructure as a precaution after the ransomware attack was followed by the U.S. Department of Transportation’s Federal Motor Carrier Safety Administration (FMCSA) declaring a state of emergency in 17 states and the District of Columbia.
According to multiple media reports, the shortage caused by Colonial Pipeline suspending product delivery led to an increase in gas prices.
Given this context, the company was under considerable pressure to restart activity and announced today that it “made substantial progress in safely restarting our pipeline system.”
The map below shows in green the segments that are currently operational. Parts of the network that should be operational today are marked with blue lines.
Colonial Pipeline learned of the cyberattack on May 7th, less than a week ago. It was soon confirmed to be a ransomware attack by the DarkSide cybercriminal gang, which was created by former affiliates of other ransomware operations who wanted to run their own.
Considering the experience of the attackers, the size of the company, and its importance in the U.S., restoring operations this quickly would suggest that Colonial Pipeline paid the attackers for the decryption key and for a promise not to leak the stolen data.
Ransom payment unclear
Multiple media publications on Wednesday, citing people familiar with the matter, reported that the company had no plan to pay the ransom, although Colonial Pipeline did not communicate its official position on this.
However, Bloomberg today reports that Colonial Pipeline paid the hackers almost $5 million in cryptocurrency to get a decryption key and restore its systems. Because the tool was too slow, the company used its backups to restore the systems.
While this move would explain the fast restoration of operations, CNN reports that Colonial Pipeline’s quick recovery was possible after retrieving “the most important data” from intermediary servers in the U.S. that the attackers used to store stolen information.
After getting the data back, the company could have also used its backup system to restore the systems and resume pipeline operations without paying the ransom.
Without important files in hand that could negatively impact the company, the hackers may never leak any data from Colonial Pipeline.
Update [May 13, 16:53 EST]: Colonial Pipeline has updated its announcement today, confirming that its entire pipeline system is currently operational and that product is being delivered to all its markets:
Comments
Silva181122 - 2 years ago
More than ten states were hit, a huge problem, but that is the price of almost everything today in hating to be online.
dogsofhellfire2600 - 2 years ago
Breaking news- the group has quit.
https://krebsonsecurity.com/2021/05/darkside-ransomware-gang-quits-after-servers-bitcoin-stash-seized/
Lawrence Abrams - 2 years ago
Yes we covered here:
https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-operation-shuts-down/