Colonial Pipeline CEO says company paid hackers $4.4 million in ransomware attack

The CEO of Colonial Pipeline, hit by a ransomware attack that forced it to shut down operations for much of last week, confirmed publicly for the first time Wednesday that the company paid the hackers behind the attack so it could regain access to its systems.

Colonial Pipeline CEO Joseph Blount told The Wall Street Journal that he authorized the company to pay the cyber criminals the equivalent of $4.4 million in Bitcoin on May 7, the day of the attack, for the keys to decrypt the network. Bloomberg News previously reported that Colonial paid nearly $5 million.

“I know that’s a highly controversial decision,” Blount told the publication. “I didn’t make it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this.”

“But it was the right thing to do for the country,” he added.

Officials and cybersecurity experts have condemned the company for paying the ransom due to the potential that it might encourage hackers to target other critical infrastructure groups in the future. However, organizations targeted by ransomware attacks that choose not to pay often spend far more money and time recovering.

The attack on Colonial Pipeline was particularly disruptive to the nation, as it provides around 45 percent of the East Coast’s fuel, and the decision to shut down the pipeline to protect operational controls from the hackers caused gas shortages in several states. 

The pipeline resumed operations last week, but on Tuesday it experienced what it described as “intermittent disruptions” to some of its internal servers as part of the restoration process, stressing that they were not due to another cyberattack.

Blount told the Wall Street Journal that he was sad the company was in the spotlight more than ever due to the attack.

“We were perfectly happy having no one know who Colonial Pipeline was, and unfortunately that’s not the case anymore,” Blount said. “Everybody in the world knows.”

President Biden last week announced that the cyber criminals involved, who deployed the “DarkSide” ransomware variant against Colonial, were likely based in Russia, but were not backed by the Russian government. The group was taken offline late last week.

Colonial engaged cybersecurity group FireEye to help investigate and respond to the hack.

Sandra Joyce, executive vice president of FireEye’s Mandiant Threat Intelligence, stressed the impossible choice presented to victims of ransomware attacks, which have increasingly included critical organizations such as city governments, schools, and hospitals over the past year. Her comments were entirely separate from the company’s response to the Colonial Pipeline hack. 

“Ransomware puts organizations in an impossible situation,” Joyce said. “If you’re a hospital that’s been a victim of ransomware and they are asking for a certain amount of money typically in cryptocurrency then you have a choice between treating your patients or not treating your patients, and nobody should ever have to be in that situation and that’s exactly what organizations are up against.”

“Do I let all my customer data get spilled, do I release my source code into the wild,” Joyce added.

Updated at 12:33 p.m.