Colonial Pipeline Paid $5 Million Ransom to Hackers in Attack

Colonial Pipeline Company paid 75 bitcoins, nearly $5 million, in ransom to hackers within hours of a ransomware attack that shut down a key component of the U.S.’s critical energy infrastructure.

Bloomberg News reported May 13 that the Colonial Pipeline Company paid nearly $5 million in ransom to hackers within hours of a May 7 ransomware attack that shut down a key component of the U.S.’s critical energy infrastructure for almost a week.

Bloomberg said, “The company paid the hefty ransom in difficult-to-trace cryptocurrency within hours after the attack, underscoring the immense pressure faced by the Georgia-based operator to get gasoline and jet fuel flowing again to major cities along the Eastern Seaboard.”

The FBI has pinned blame for the ransomware attack on an Eastern European group called DarkSide, an organized group of hackers who develop and market ransomware tools to criminals.

The New York Times reports that Colonial Pipeline paid the hackers 75 bitcoins to receive a decryption tool that could restore the company’s disabled computer network.

The DarkSide: “Ransomware as a Service”

Boston-based Cybereason told CNBC that DarkSide’s operating model is essentially, “Ransomware as a Service”.

The DarkSide group, which has been active since August 2020 and is linked to Russia, released a statement on their website after the attack: “We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for our motives … Our goal is to make money, and not creating [sic] problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

The DarkSide appears to only attack for-profit companies in English-speaking countries.

Ransomware: Out of the Shadows

When we think of cyber-attacks, we think of criminals lurking in the shadows but the DarkSide is a new breed of cyber gang, complete with a press room, mailing lists, and a hotline for victims to call.

DarkSide practices a new trend of ransomware attacks called “double extortion”. In “double extortion” hackers not only encrypt and lock up their target’s data, but they also steal data and threaten to make it public if the ransom is not paid.

Companies are then essentially paying to not only regain access to their computer systems, networks and data, but also to protect the privacy of their stolen data. The DarkSide ransom demands, prior to Colonial Pipeline, had been in the $200,000 to $2 million range.

Colonial Pipeline Attack Felt from Texas to New Jersey

The Colonial Pipeline Company said its pipeline system is the “largest refined products pipeline in the United States”, transporting more than 100 million gallons of fuel via 5,500 miles of pipeline between Texas and New Jersey.

Timeline for the Colonial Pipeline cyber attack:

  • Colonial Pipeline first announced on May 7 that they were the victim of a cybersecurity attack and that they “proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations and affected some of our IT systems.”
  • Then on May 8, Colonial Pipeline updated its initial statement saying that it had “determined that this incident involves ransomware”.
  • Private cybersecurity firm FireEye was brought in to investigate the attack, with Colonial Pipeline saying, “upon learning of the issue, a leading, third-party cybersecurity firm was engaged, and they have already launched an investigation into the nature and the scope of this incident, which is ongoing … We have contacted law enforcement and other federal agencies”.
  • On May 13, Colonial Pipeline said, “We can now report that we have restarted our entire pipeline system and that product delivery has commenced to all markets we serve.”

Eric Goldstein, executive assistant director of the Cyber Division of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), said,

“This underscores the threat that ransomware poses to organizations regardless of size or sector. We encourage every organization to take action to strengthen their cybersecurity posture to reduce their exposure to these types of threats.”

DHS Secretary: “Ransomware is a National Security Threat”

The Colonial Pipeline cyber attack came just about a week after the Ransomware Task Force (RTF), a broad coalition of experts in industry, government, law enforcement, civil society, and international organizations led by the Institute for Security and Technology, released a report called “Combating Ransomware: A Comprehensive Framework for Action”.

Department of Homeland Security Secretary Alejandro Mayorkas said that, “One thing is clear: Ransomware is a national security threat.”

Mayorkas said that ransomware attacks in the U.S. increased by 300 percent from 2019 to 2020 with more than $350 million paid by victims last year.

There may be help on the way for state, local, territorial, and tribal governments, as Congress is looking to introduce a “State and Local Cybersecurity Improvement Act” which would authorize $500 in cyber grants to prevent ransomware attacks and strengthen overall cybersecurity.

Former CISA director Christopher Krebs and former senior cybersecurity adviser at CISA Matthew Masterson penned an editorial in The Hill in April that said: “It’s clear that we’re in the midst of a new normal of cyber enabled malicious activity. The status quo costs American businesses and government agencies hundreds of billions of dollars a year in lost productivity, fraud, and disrupted operations.”

Other Companies Face Cyber Attacks

While the Colonial Pipeline ransomware attack was attracting all the headlines, other companies have also been dealing with recent attacks including:

Scripps Health in the San Diego area was a victim of a May 1 cyber attack with the company issuing a statement that read, “the network outage was caused by malware.”

FBI and New York State Police cyber squads are investigating an attack on Rensselaer Polytechnic Institute computer systems that started May 7. The university announced on May 9, that because of the security incident, all final examinations, term papers, and project reports that were due had been canceled.

In late April, oncology and radiology system provider Elekta had to take its cloud storage system offline after a ransomware attack, affecting the treatment of some cancer patients.

PS LIGHTWAVE provides high-speed fiber Internet for public and private commercial entities in Greater Houston and the surrounding areas.

Through our high-quality infrastructure, innovative technology and expert, locally based support, we deliver not only the best in connectivity and reliability but in scalability and redundancy. We invite you to learn more about our services, our history and our dedicated team.

PS LIGHTWAVE, a leading telecommunications service provider headquartered in Houston, Texas, provides managed Ethernet Data Circuits, Internet, private network solutions and Voice over IP (VoIP) over one of the nation’s largest facilities-based private Metropolitan Area Networks (MANs). The switched Layer 2 network, backed by 24/7/365 Network Operations Center (NOC) support, encompasses approximately 5,500 route miles and 1,400 on-net locations and connects 100+ fault-tolerant multi-gigabit Ethernet rings for built-in redundancy, security, low latency, and high-availability. At PS LIGHTWAVE Great Connections Happen Here™.

For more information, please visit or call 832-615-8000.