Colonial Pipeline Pays $4.4M Ransom After DarkSide Attack Shuts U.S. Fuel Pipeline
Colonial Pipeline, which supplies approximately 45 percent of fuel to the U.S. East Coast, paid a $4.4 million ransom to the DarkSide ransomware crew after an attack forced a six-day operational shutdown.
Colonial Pipeline Co., which operates the largest refined fuel pipeline in the United States and supplies approximately 45 percent of the East Coast's gasoline, diesel, and jet fuel, paid a $4.4 million ransom in bitcoin to the DarkSide ransomware crew, CEO Joseph Blount confirmed today.
The May 7 ransomware attack forced Colonial to proactively shut down its 5,500-mile pipeline for roughly six days, triggering panic buying and gasoline shortages across the southeastern United States. Average pump prices crossed $3 per gallon for the first time in seven years, and several states declared states of emergency.
"I know how critical our pipeline is to the country, and I put the interests of the country first," Blount told the Wall Street Journal. The payment was made within hours of the attack to obtain a decryption tool, though Blount said the tool was so slow that Colonial primarily restored operations from backups.
The FBI subsequently announced it had recovered approximately $2.3 million of the bitcoin ransom through a court-authorized seizure of the wallet receiving the funds, a notable demonstration that ransomware proceeds are not as anonymous as commonly believed.
The attack was traced to compromised credentials for a legacy VPN account that had been left enabled without multi-factor authentication. The credentials were reportedly found in a separate breach corpus on the dark web.
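The root cause described here (an enabled, dormant account with no multi-factor authentication) is something an identity or VPN administrator can check for routinely. The following script is an added example and not part of the original article: it reads a constructed account export (the column names, usernames and dates are assumptions, not Colonial Pipeline data) and flags enabled accounts that lack MFA or have not logged in within a dormancy window, which is exactly the combination that made the legacy VPN account usable with leaked credentials.

```python
"""Audit remote-access accounts for the conditions behind the Colonial intrusion:
enabled, not enrolled in MFA, and dormant. Sample data below is constructed."""
import csv
import io
from datetime import date, datetime

# Constructed sample export (not real data). The column layout is an assumption
# about what a VPN or directory export might look like.
SAMPLE_EXPORT = """username,enabled,mfa_enrolled,last_login
jsmith,true,true,2021-05-01
legacy-vpn-01,true,false,2020-11-14
contractor7,true,false,2021-04-29
olduser,false,false,2019-02-03
"""

# Accounts unused for longer than this are treated as dormant (policy choice).
DORMANT_DAYS = 90


def parse_export(text):
    """Turn the CSV export into a list of dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": r["username"].strip(),
            "enabled": r["enabled"].strip().lower() == "true",
            "mfa_enrolled": r["mfa_enrolled"].strip().lower() == "true",
            "last_login": datetime.strptime(r["last_login"].strip(), "%Y-%m-%d").date(),
        })
    return rows


def audit_accounts(rows, as_of, dormant_days=DORMANT_DAYS):
    """Return (username, [reasons]) for every enabled account that is missing MFA
    and/or has been dormant longer than dormant_days as of the given date."""
    findings = []
    for acct in rows:
        if not acct["enabled"]:
            continue  # a disabled account cannot be logged into, so it is not a finding
        reasons = []
        if not acct["mfa_enrolled"]:
            reasons.append("no_mfa")
        if (as_of - acct["last_login"]).days > dormant_days:
            reasons.append("dormant")
        if reasons:
            findings.append((acct["username"], reasons))
    return findings


def highest_risk(findings):
    """Accounts that are both dormant and without MFA: the profile of the
    legacy VPN account in the article. These are the first to disable."""
    return [name for name, reasons in findings
            if "no_mfa" in reasons and "dormant" in reasons]


if __name__ == "__main__":
    accounts = parse_export(SAMPLE_EXPORT)
    results = audit_accounts(accounts, as_of=date(2021, 5, 7))
    for name, reasons in results:
        print(f"{name}: {', '.join(reasons)}")
    print("disable first:", highest_risk(results))
```

Run against a real export, the list from `highest_risk` is the set of accounts to disable immediately; the remaining `no_mfa` findings are the accounts to enrol in MFA before they are used again.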
DarkSide announced it was shutting down operations within days of the attack, citing pressure from law enforcement and the loss of access to its blog and payment infrastructure. The group is widely believed to have rebranded and continued operations under new names.
President Biden signed an executive order on improving the nation's cybersecurity within days of the attack, and the Transportation Security Administration issued the first cybersecurity directive ever imposed on the pipeline sector, mandating incident reporting and the appointment of a 24/7 cybersecurity coordinator at each major operator.