Colonial Pipeline paid nearly $5 million to hackers in ransomware attack

Colonial Pipeline paid the hackers who shut down some of its networks nearly $5 million in ransom, a U.S. official familiar with the matter said Thursday.

News of the payment was first reported by Bloomberg. The U.S. official did not say how or when the company paid.

Colonial, which operates the country’s largest fuel pipeline, announced it had been hacked Friday, and shut down all four of its major pipelines that serve the Eastern and Southeastern United States as a precaution. Gas prices rose, and some stations ran out of fuel. The Department of Transportation issued an emergency order allowing truckers driving fuel in affected states to work longer hours than federal regulations normally allow.

A third-party consulting company that now handles Colonial’s press inquiries declined to comment on the payment.

The company announced Wednesday that it was resuming operations.

The FBI has historically discouraged, but not prohibited, American ransomware victims from paying hackers, as a payment isn’t guaranteed to work and can encourage criminals to continue attacking others. In a press conference Monday, Anne Neuberger, the White House’s deputy national security adviser for cyber and emerging technologies, acknowledged that some organizations might find paying the criminals off can be in their best interest.

“We recognize, though, that companies are often in a difficult position if their data is encrypted and they do not have backups and cannot recover the data,” she said.

Speaking to MSNBC’s Andrea Mitchell on Thursday, Neuberger said the White House’s advice remains that victims do not pay the ransom.

“The federal government, we discourage the payment of ransoms, because the prolific payment of ransoms encourages ransomware.”

The hackers, known as DarkSide, are one of a number of ransomware groups that hold organizations’ files hostage and demand a payment, either by locking the files and making them unusable or by threatening to release them to the public.

DarkSide, like many ransomware gangs, is believed to operate in Russia, and its ransomware program is designed to shut down if it infects computers that are configured to work in the Russian language.

President Joe Biden said Monday that U.S. intelligence believes DarkSide to be operating within Russia’s borders, and that while it didn’t appear to be directed by the Russian government, he is “going to have a conversation” with Russian President Vladimir Putin about such groups. “They have some responsibility to deal with this,” he said.

DarkSide in particular is notorious for providing victims who pay with a decryption program that works painfully slowly, said Brett Callow, an analyst at the cybersecurity firm Emsisoft.

Colonial retained the cybersecurity company Mandiant to deal with the attack. Mandiant doesn’t directly pay ransomware gangs on clients’ behalf, a spokesperson for the company said, but acknowledges victims can choose to do so.