Colonial Pipeline Pays $5 Million Ransom

It has been announced that Colonial Pipeline reportedly paid the ransomware group responsible for a cyberattack last week close to $5 million to decrypt locked systems. On Thursday, Bloomberg reported that two people close to the matter said a blackmail demand was agreed to within hours of the cyberattack that has impacted the fuel giant’s systems for close to a week.

9 Expert Comments
Edgard Capdevielle
InfoSec Expert
May 14, 2021 10:44 am

I’m not surprised. Darkside has a reputation for extremely high ransom demands, some reportedly topping $10 million. According to the FBI, ransomware attacks were up 20% in 2020, and even more telling, ransom demands rose 225%. While it’s entertaining to speculate on how big the ransom was or whether it was paid, what’s most important is that organisations who are struck with an attack contact the FBI and CISA whether they pay a ransom or not.

Last edited 1 year ago by Edgard Capdevielle
Robert Golladay
Robert Golladay , Strategic Director for EMEA and APAC
InfoSec Expert
May 14, 2021 11:19 am

According to sources, Colonial Pipeline was insured, which shows how targeted these attacks have become. Hackers are figuring out who is insured, which tells them the company has assets that are valuable and will be in a position to pay. And, as we see in the Colonial attack, instances of ransomware are growing in size and scale. This type of attack is exploding because it works – it scales and is predictable – and it’s a way for attackers to make easy money. And some of the criminal enterprises, like DarkSide, are funneling the money they make back into the tools they are using.

It is worth pointing out, however, that many of these ransomware attacks are preventable. This is not to say that Capital Pipeline didn’t follow due process, but the current approach to ransomware defence tends to be a passive one: Endpoint Detection and Response (EDR), patching, backing up regularly, protecting an increasingly hard to define perimeter. But attackers’ creativity and resources require an equally creative, proactive and imaginative set of tactics.

Lateral movement is one of the hallmarks of any advanced ransomware attack: it was the basis of the SolarWinds attack, and it is the reason why Capital Pipeline preventatively shut down its industrial control systems despite the attack being directed at its business operations. By using early detection tools and employing deception to catch attackers as they are attempting to move laterally in the network, organisations can have the upper hand. Thinking like an attacker is the only way organisations will be able to detect a ransomware attack before it’s too late.

Contingency and remediation planning are also critical. At the very least, all critical data/crown jewels should be backed up, at a frequency dictated by sensitivity. Finally, people, process and technology are key battlegrounds against the attackers. Without education, security protections and new processes, many organisations won’t be able to keep up with the sophistication and scale of today’s cyber threats.

Last edited 1 year ago by Robert Golladay
Mitch Mellard
Mitch Mellard , Principal Threat Intelligence Analyst
InfoSec Expert
May 14, 2021 11:53 am

Considering the potential consequences of a long-term recovery operation and incident response process, I do not think it’s surprising at all that Colonial paid the group responsible for deploying ransomware across their systems.

For the criticality of the target, the figure appears to be relatively tame, especially when you take into consideration that ransom demands for targets in the entertainment sector have been much higher recently, such as the ransoms demanded from Capcom and CD Projekt Red for 11 and 7 million USD respectively.

One would think that the ransom for a network handling such critical and lucrative infrastructure would be worth significantly more than video game development and digital IP theft. The low ransom amount could, however, simply be a tactic to make it more likely to obtain payment, by making it an easy decision for the company in terms of offset cost.

However pragmatic the decision to pay the attackers may seem, I would always caution against paying these criminals. For one thing, there is no guarantee that they will even decrypt your files or avoid leaking/selling them after the fact; in fact, recent figures have highlighted an alarming number of ransomware groups which are paid off but never deliver a working decryptor. In my opinion, the biggest factor at play here is the feedback loop of malicious activity created by surrendering and paying the ransom, which allows the groups to achieve a greater level of sophistication during their next attacks, whether that be via training, new tooling, purchasing credentials, or recruitment. Feeding this industry only ensures that they become collectively more of a threat in the long run, facilitating more breaches, more payments, and thus the cycle continues.

Last edited 1 year ago by Mitch Mellard
Ziv Mador
Ziv Mador , VP of Security Research
InfoSec Expert
May 14, 2021 12:50 pm

Organizations are caught between a rock and a hard place when faced with the decision of paying ransomware. If more organizations don’t pay the ransom, the hackers’ business model becomes less profitable, and we can slowly edge closer to killing their line of work. The issue is that today, each organization uses its own judgment on whether or not to pay – based on their need to recoup their valuable data or keep their critical operations afloat. Sometimes paying the ransom is much cheaper than the direct and indirect damages from not paying. Governments can try to pass laws that will disallow companies from paying, but that could be troublesome because they would be forcing companies to lose money and intentionally hurt their own business.

The ideal scenario is that through international collaboration, cybersecurity companies and government agencies can work to arrest and charge these ransomware actors. Making an example out of those that are caught may deter some attackers. But the issue with this approach is that some of the larger, more advanced ransomware gangs are operating from what seem to be safe-haven regions, where such international collaboration just doesn’t happen. The cure for the ransomware pandemic very well might lie in the hands of country leaders and their willingness to band together to put immense pressure on safe-haven regions.

Last edited 1 year ago by Ziv Mador
Darren Van Booven
Darren Van Booven , Lead Principal Consultant
InfoSec Expert
May 14, 2021 1:28 pm

Colonial Pipeline initially said the pipeline shutdown was precautionary in nature. If the OT environment around the pipeline operations was properly segregated and secured apart from the Colonial administrative systems, then the pipeline shouldn’t have been in any danger. If the ransomware infiltrated the administrative networks only, Colonial might have been greatly impacted, but the pipeline could have continued to run. The alleged payment of $5M in ransom seems excessive in the situation where the pipeline wasn’t in any real danger. The OT environment could have been somehow affected due to poor security, separation of OT from IT admin systems, or otherwise.

Last edited 1 year ago by Darren Van Booven
Nikos Mantas
Nikos Mantas , Incident Response Expert
InfoSec Expert
May 17, 2021 10:49 am

Not only did this attack affect the operations of Colonial Pipeline, it also impacted the lives of millions of American citizens, so it is not surprising the company decided to pay the ransom; however, early reports indicate that the decryption tool did not work. While the demand does seem high, it was actually a lot lower than many in the security industry had expected, so it may set a benchmark for future ransom requests. Protecting against ransomware is all about cyber resilience and carrying out tests prior to attacks to understand damages and limit them. Network segmentation is always critical, especially keeping operational technology separate from IT infrastructure, which is more likely to be attacked.

Last edited 1 year ago by Nikos Mantas
Andy Norton
Andy Norton , European Cyber Risk Officer
InfoSec Expert
May 17, 2021 10:51 am

I don’t think we are at the end of this story; there is no clear winner here. Darkside may have been paid $5 million to destroy the data they hold and unencrypt the affected files, but in doing so, they became a global news story and consequently a bargaining chip in future US and Russia dealings. Darkside clearly know they are public enemy number 1 right now, even issuing an apology about the collateral damage of their attack. Other criminal affiliates will be trying to distance themselves from Darkside, to avoid getting rolled up in future law enforcement investigations. If there is a loser, it’s the cyber insurance company behind Colonial, who now have to cover the costs. If I want to insure a car, I have to have an MOT, a third-party certificate of road worthiness. However, in cyber, I can have completely inappropriate levels of cyber security and still get cyber insurance. At the other end, we have Colonial, who have been publicly embarrassed by the saga, and yet have essentially got away scot-free, and in doing so have sent a message that it’s OK not to demonstrate any sort of compliance with a cyber security framework, as long as your insurer will cover the costs of an attack.

Last edited 1 year ago by Andy Norton
Lewis Jones
Lewis Jones , Threat Intelligence Analyst
InfoSec Expert
May 20, 2021 9:40 am

Getting hit with ransomware does not mean a company has failed; the threat is an unfortunate fact of life today, and it doesn’t matter how strong your defences are, attackers will continue to be creative and adapt new techniques to infiltrate defences. The fact that the CEO of Colonial Pipeline is speaking publicly about the company’s recent ransom payment is a very positive step, and more companies should follow suit. The more companies open up about attacks and are transparent on the action they took when under attack, the more we can learn about cybercriminal techniques and build better defences. While paying cybercriminals is an outcome no CEO desires, especially when there is no guarantee that the attackers will fully delete data and it will not appear for sale later down the line, sometimes when the impact of an attack is so significant, it can seem like the only choice. No company or CEO should be shamed for this. Instead, we should learn from these incidents to understand how attackers got in, what data was actually returned and what could have been done differently to secure a different outcome. Attackers collaborate on their attacks, and the only way to get ahead of them is to collaborate on our defences.

Whilst it appears the CEO felt they had no further option, the surrendering and paying of ransom does further feed the issue by providing the attackers with more funds for better capability and more notoriety, which may fuel copycat tactics by other groups.

Last edited 1 year ago by Lewis Jones
Edgard Capdevielle
InfoSec Expert
May 20, 2021 9:43 am

Ransomware is a reality that many organisations are facing today, but by coming out and talking about the attack, the CEO of Colonial Pipeline is providing the security industry with invaluable intelligence into the techniques deployed by cybercriminals, which will help drive more awareness around the threat and build better defences. When it comes to ransomware it is no longer a case of if, but when. Companies need to get into a post-breach mentality pre-breach, and harden systems so that when they are faced with an attack, they know exactly how they will respond and what they stand to lose depending on their response.

Last edited 1 year ago by Edgard Capdevielle
Information Security Buzz