The United States’ largest oil pipeline, Colonial Pipeline Co., reportedly paid the hacker group DarkSide $4 to $5 million USD in cryptocurrency to obtain a decryption tool for the ransomware installed on its systems, an attack that crippled the U.S. fuel supply on the East Coast throughout the week.
According to Bloomberg, “people familiar with the company’s efforts” said Colonial paid the ransom in a “difficult-to-trace cryptocurrency” only hours after the attack, and that DarkSide then provided a decryption tool to recover its systems. However, the tool was so slow that the company continued restoring from its own backups in the meantime.
By contrast, the New York Times reported that Colonial paid DarkSide 75 Bitcoin. The Bitcoin blockchain is a completely transparent public ledger that can be forensically analyzed in many different ways.
On May 12, several media outlets, such as Reuters and the Washington Post, cited anonymous sources who claimed Colonial had no intention of paying the ransom.
Bloomberg also said the Biden administration was aware the ransom had been paid and that Colonial declined to comment on the matter. When Bloomberg asked Joe Biden whether he had been briefed on the ransom payment, Biden replied only, “I have no comment on that.”
On May 10, the FBI confirmed DarkSide ransomware was responsible for the havoc. According to Reuters, the DarkSide webpage carried an update titled “About the Latest News,” which stated, “Our goal is to make money, and not creating problems for society,” evidently indicating the organization wanted to be paid quickly and not attract excess attention from law enforcement for creating domestic terrorism.
DarkSide also claimed it was apolitical and not connected to any government.
The NYT reported that on Thursday eight websites associated with the hackers went dark.
Ransomware is a form of malware that seizes control of systems and/or data. Once the malware is installed, the attackers extort their target for a fee, paid in cryptocurrency, in exchange for regaining control of the networks or data. The demand is usually backed by the threat of destroying the systems or releasing confidential, proprietary data to the public, usually through the Dark Web.