Colonial Pipeline Paid $5M To Darkside Hours After Attack: Report

The Darkside ransomware gang provided Colonial Pipeline with a decryption tool following its ransom payment, but the process was so slow that Colonial continued using its own backups for restoration.

Colonial Pipeline paid the Darkside ransomware gang nearly $5 million Friday despite publicly saying they wouldn’t pay a ransom to resume operations, according to Bloomberg.

The Alpharetta, Ga.-based pipeline giant paid the ransom in untraceable cryptocurrency within hours of the initial attack, two people familiar with the transaction told Bloomberg. Once Darkside received the payment, Bloomberg said they provided Colonial with a decrypting tool to restore its computer network.

However, Darkside’s decryption tool was so slow that Colonial continued using its own backups to help restore the system, a source familiar with the company’s efforts told Bloomberg. Colonial declined to comment to Bloomberg, and didn’t immediately respond to a CRN request for comment.

[Related: Colonial Pipeline Restarts System Five Days After Cyberattack]

U.S. government officials are aware that Colonial made the ransom payment, a third person familiar with the situation told Bloomberg. Meanwhile, New York Times reporter Nicole Perlroth said on Twitter that Colonial paid Darkside 75 Bitcoin - or nearly $5 million - Monday to recover stolen data.

President Joe Biden declined to comment during a press conference Thursday on whether he had been briefed that Colonial paid the ransom. A spokesperson for the National Security Council declined to comment.

This is one of the biggest ransomware payments ever reportedly made, exceeding the $2.3 million Travelex paid to Sodinokibi following a ransomware attack that took the company’s internal network, consumer-facing website, and app offline. Hackers have frequently requested larger ransoms– such as REvil’s $50 million demand of Apple supplier Quanta – but it’s unclear if those victims actually paid.

Biden told reporters Thursday he doesn’t believe the Russian government was involved in the attack against Colonial Pipeline, but noted the administration has strong reason to believe the criminals that carried out the attack live in Russia. Biden said the United States is going to pursue measures to disrupt the ability of groups like Darkside to operate, though the president didn’t provide any specifics.

“We have been in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks,” Biden said Thursday.

Deputy National Security Agency Anne Neuberger acknowledged Monday that companies sometimes may have no choice but to pay ransoms. “We recognize, though, that companies are often in a difficult position if their data is encrypted and they do not have backups and cannot recover the data,” Neuberger told reporters at the time.

Colonial Pipeline restarted operations on its 5,500-mile pipeline at around 5 p.m. ET Wednesday five days after being hit with the crippling Darkside ransomware attack. But the company cautioned that it’ll still be several more days before its product delivery supply chain returns to normal, with some markets experiencing intermittent service interruptions during Colonial’s start-up period.