After a devastating and deeply embarrassing cyberattack on one of the United States’ largest oil pipelines, one that forced many gas stations to shut down and reportedly caused average national gas prices to rise above $3 for the first time since 2014, the oil is flowing again. But Bloomberg is reporting that Colonial Pipeline had to pay a nearly $5 million ransom to get there, and it paid that ransom within mere hours. The Wall Street Journal’s sources have now also confirmed that Colonial Pipeline paid the ransom.
That’s striking, because it’s the opposite of what Reuters, CNN, and others reported in the wake of the attack. “Sources familiar with the company’s response,” a phrase often used when the company itself is responding but doesn’t want to be named, suggested the pipeline had no plans to pay hackers. CNN’s sources insisted Colonial Pipeline had not yet paid the ransom, and would probably not need to pay, suggesting it had already “managed to retrieve the most important data that was stolen” with help from the US government.
The news is also a little worrying because of how a successful ransom might encourage hackers in future. Over the years, we’ve heard reports of smaller companies and local government entities paying ransoms to regain access to their computers, but this is perhaps one of the most high-profile examples of ransomware yet, and the news might inspire copycats.
On the plus side, a digital forensics expert who spoke to Bloomberg suggested that $5 million isn’t a particularly large sum of money for something like this: “Ransom is usually around $25 million to $35 million for such a company. I think the threat actor realized they stepped on the wrong company and triggered a massive government response,” LIFARS CEO Ondrej Krehel told the publication. On Monday, the Colonial Pipeline hackers apologized for the “social consequences” and promised to ransom less controversial targets in the future.
It’s not clear which parts of the Colonial Pipeline were at risk: a spokesperson suggested there was no evidence the company’s operational systems were compromised; CNN had three sources yesterday say that the pipeline shut down because its billing system was affected, and the company wasn’t sure it’d be able to charge properly for fuel. Reporting by cybersecurity journalist Kim Zetter suggests the decision was likely more complicated than that, as other entities in the oil distribution system were also worried the ransomware could spread to their computers as well.
Yesterday, President Biden signed an executive order aimed at improving national cybersecurity, with the White House specifically naming the Colonial Pipeline, the SolarWinds hack, and the Microsoft Exchange server vulnerabilities as the kinds of infrastructure failures the government hopes to address.
The Colonial Pipeline began resuming operations on Wednesday evening, with President Biden saying it should be “reaching full operational capacity as we speak” in a briefing early Thursday afternoon. Oil supplies should be “seeing a region-by-region return to normalcy beginning this weekend,” he says.
Still, he warns, “this is not like flicking on a light switch — this pipeline is five thousand five hundred miles long, it had never been shut down in its history... it’s going to take some time, and there may be some hiccups along the way here.”
Biden says the US isn’t blaming Russia directly: “We do not believe the Russian government was involved in this attack, but we do have strong reason to believe that the criminals who did the attack are living in Russia,” he says.
He also announced a specific measure against ransomware: “Our Justice Department has launched a new task force dedicated to prosecuting ransomware hackers to the full extent of the law.”
President Biden declined to comment on whether Colonial Pipeline paid the ransom.
Update, 5:06 PM ET: Added WSJ corroboration that Colonial Pipeline paid the ransom.
Correction: Biden said the pipeline is five thousand five hundred miles long, not five hundred thousand miles long. We regret the error.