Colonial breach underscores concerns over paying hackers

Colonial Pipeline’s decision to pay the cyber criminals behind a ransomware attack that forced the company to temporarily shut down operations has reignited the debate around whether victims of such attacks should pay to regain access to their networks.

The company, which provides around 45 percent of the East Coast’s fuel supply, was under intense pressure to restart its pipeline as gasoline shortages mounted after the May 7 cyberattack. Bloomberg News reported Thursday that Colonial paid nearly $5 million in cryptocurrency to unlock its network. Colonial has not publicly confirmed that it paid the ransom, but has not disputed the story.

Had Colonial not paid the ransom, it may have taken far longer to restart the pipeline. But with ransomware attacks increasing around the world against a variety of critical organizations, officials and experts are warning that paying hackers only makes the problem worse.

“Hundreds of millions of dollars are being paid to ransomware operators, and that is feeding this business model, it is causing more ransomware incidents to happen, and it is why we are in the position we are in now,” Brandon Wales, the acting director of the federal Cybersecurity and Infrastructure Security Agency (CISA), said during a virtual event hosted by George Washington University on Thursday.

Ransomware attacks have been on the rise in recent years, but have spiked in particular over the last year as the COVID-19 pandemic forced more services online, with cyber criminals targeting critical infrastructure groups more likely to pay to access their systems again.

Hospitals, schools and government agencies have been targeted, and often face a difficult choice between paying a ransom demanded by hackers or spending far more time and money replacing impacted systems.

Jen Ellis, vice president of Community and Public Affairs at cybersecurity group Rapid7, told The Hill that considerations around paying the ransom vary depending on the group, but that utilities like Colonial Pipeline come under the most pressure to pay.

“The calculation is vastly different for the provider of an essential service such as a hospital or fuel pipeline versus something less impactful to society,” said Ellis, who also serves as co-chair of the Institute for Security and Technology’s Ransomware Task Force. 

“There is also a potential regulatory impact,” she said. “There may be a reputational consequence — on the one hand, funding crime is often viewed in a very negative light, but on the other hand, organizations may view paying as a way of drawing less attention to the issue and escaping reputational fallout.”

Refusing to pay is also often far more expensive than the initial ransom demanded.

The city of Atlanta chose not to pay when it was hit by a ransomware attack in 2018, which took some city systems offline for weeks. While Iranian hackers, who were later indicted by the Justice Department, initially demanded the equivalent of over $50,000 to unlock the city’s systems, the city ended up spending around $2.6 million to recover, according to Wired.

The city of Baltimore, hit by a separate ransomware attack in 2019, also chose not to pay, and spent over $18 million to recover from the attack, which impacted some agencies for weeks. The hackers had requested around $80,000 in cryptocurrency to unlock their systems. 

Despite the disparity in funding, then-Baltimore Mayor Bernard “Jack” Young (D) insisted at the time he was “confident” the city had made the right decision.

“We won’t reward criminal behavior,” Young said in a video in 2019. “If we paid the ransom, there is no guarantee they can or will unlock our system. There is no way of tracking the payment or even being able to confirm who we are paying the money to.”

“There is no way of knowing if they are leaving other malware on our system to hold us for ransom again in the future,” he noted. “Ultimately, we would still have to take all of the steps we have taken to ensure a safe and secure environment.” 

Following Colonial Pipeline’s decision to pay the ransom last week, officials criticized the company, stressing that there are often more negatives than positives involved with payment.

“I advocate don’t pay the ransom for 3 reasons: Practical: you’d be doing a deal w/ a criminal, trusting them to leave/give back access,” former CISA Director Christopher Krebs tweeted Thursday. “Technical: you’d be buying a decryption tool that’s not guaranteed to work. Ethical: you’d be an active investor in a criminal enterprise.”

House Speaker Nancy Pelosi (D-Calif.) told reporters Thursday that Colonial should not have paid the hackers, stressing that “the point is that we don’t want people to think that there’s money in it for them to threaten the security of a critical infrastructure in our country.”

The federal government has maintained its stance that paying cyber criminals, even with the increased costs to organizations sometimes strapped for cash, is not the recommended course of action. 

The Treasury Department Office of Foreign Assets Control (OFAC) last year issued an advisory against paying ransoms. The agency warned that “companies that facilitate ransomware payments to cyber actors on behalf of victims…not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”

The Biden administration has also launched an effort to address the tide of ransomware attacks before they occur, with the Justice Department standing up a ransomware task force last month, and the Department of Homeland Security making the issue the first of several cybersecurity “sprints.”

As the government works to confront malicious cyber activity, and continues to recommend against payment, White House press secretary Jen Psaki admitted this week that the government cannot make that decision for individual companies on the front lines.

“It is the recommendation of the FBI to not pay ransom in these cases…for good reason, because it can incentivize similar attacks, additional attacks,” Psaki told reporters at the White House. “That’s our recommendation, but private sector entities or companies are going to make their own decisions.”

Wales, the CISA head, said that the U.S. is working with other nations to combat ransomware attacks and stressed the need for companies to resist paying cyber criminals.

“We recognize that companies are often in a very challenging circumstance that paying looks like a very attractive option to their networks back up, but the long-term implications for our country are profound,” Wales said.