Almost a week after a ransomware attack on Colonial Pipeline halted fuel distribution along the East Coast, reports emerged Friday that the company paid a ransom of 75 bitcoins – worth up to $5 million, depending on the time of payment – in an attempt to restore service more quickly. And while the company was able to restart operations Wednesday evening, the decision to give in to the hackers' demands will only embolden other groups in the future. Real progress against the ransomware epidemic will require more companies to say no, experts say.
That doesn't mean it's easy. The FBI and other law enforcement agencies have long discouraged ransomware victims from paying digital extortion fees, but in practice many organizations resort to payment. Either they don't have the backups and other infrastructure needed to recover otherwise, they can't or won't take the time to recover on their own, or they decide that it's cheaper to quietly pay the ransom and move on to something else. Ransomware groups increasingly scrutinize their victims' finances before striking, which lets them set the highest price their victims can still afford.
In the case of Colonial Pipeline, the ransomware group DarkSide attacked the company's business network rather than the more sensitive operational technology (OT) networks that control the pipeline. But Colonial also shut down its OT network in an attempt to contain the damage, increasing the pressure to resolve the issue and resume the flow of fuel along the East Coast. Another potential factor in the decision, first reported by Zero Day, was that the company's billing system had been infected with ransomware, leaving it no way to track fuel distribution and bill customers.
Proponents of zero tolerance for ransom payments had hoped that the proactive shutdown of Colonial Pipeline was a sign that the company would refuse to pay. Reports on Wednesday indicated that the company planned to hold out, but numerous subsequent reports on Thursday, led by Bloomberg, confirmed that the ransom of 75 bitcoins had been paid. Colonial Pipeline did not return a request for comment from WIRED regarding the payment. It is still unclear whether the company paid the ransom soon after the attack or a few days later, as fuel prices rose and lines at gas stations grew.
"I can't say I'm surprised, but it's certainly disappointing," said Brett Callow, threat analyst at antivirus company Emsisoft. "Unfortunately, this will help keep US critical infrastructure providers in the spotlight. If an industry turns out to be profitable, they will keep hitting it."
In a briefing Thursday, White House press secretary Jen Psaki reiterated that the US government encourages victims not to pay. Other members of the administration struck a more measured note. "Colonial is a private company and we will defer information regarding their decision to pay a ransom to them," Anne Neuberger, deputy national security adviser for cyber and emerging technologies, said Monday. She added that ransomware victims "face a very difficult situation and often have to balance cost-benefit when they have no choice but to pay a ransom."
Researchers and policymakers have struggled to produce comprehensive guidance on ransom payments. If every victim in the world suddenly stopped paying ransoms and stood firm, the attacks would cease quickly, as there would be no incentive for the criminals to continue. But coordinating a mandatory boycott seems impractical, researchers say, and would likely result in more secret payments. When the ransomware gang Evil Corp attacked Garmin last summer, the company paid the ransom through an intermediary. It's not unusual for large corporations to use a payment intermediary, but Garmin's situation was particularly noteworthy because Evil Corp had been sanctioned by the US government.