Colonial Pipeline, the US fossil fuel distribution infrastructure operator hit by ransomware last week, may have paid a $5m ransom to the ransomware operators within hours of being locked out of critical systems, according to reports. According to anonymous sources close to the incident, the company paid the ransom in an anonymous cryptocurrency and received a decryption tool in return. However, this tool allegedly worked so slowly that the company restored its systems from backups instead, which somewhat negated the point of paying. The publication that first reported the apparent payment also said the US government was aware a ransom had been paid.
Operations on the pipeline infrastructure are understood to have resumed on Wednesday, 12 May. According to reports, the resumption of operations was delayed because the ransomware attack hit the firm’s billing system: it was forced to shut off supplies because it could not guarantee that it could bill for the fuel it delivered. At the time of writing, Colonial Pipeline’s security partner Imperva is blocking legitimate access to the company’s website from outside the US using its . It has therefore not been possible at the .
Armis’ European cyber-risk officer, Andy Norton, said: “I don’t think we are at the end of this story; there is no clear winner here. DarkSide may have been paid $5m to destroy the data they hold and unencrypt the affected files, but in doing so, they became a in future US and Russia dealings. “DarkSide is enemy number one right now, even issuing an apology about the collateral damage of their attack, [and] other criminal affiliates will be trying to distance themselves from DarkSide to avoid getting rolled up in future investigations,” he said. “If there is a loser, it’s the , who now have to cover the costs.”
Robert Golladay, EMEA and APAC director at , said that the fact Colonial Pipeline may have had insurance against ransomware could have been a factor in why it was targeted to begin with. “Hackers are figuring out who is insured, which tells them the company has valuable assets and will be in a position to pay,” he said. “As we see in the Colonial attack, instances of ransomware are growing in size and scale. This type of attack is exploding because it works, scales and is predictable, and it’s a for attackers to make easy money. Some of the criminal enterprises, like DarkSide, are funnelling the money they make into the tools they are using.” In a further development, unconfirmed reports have emerged today (Friday 14 May) that DarkSide’s infrastructure has been seized and taken offline, possibly in a law enforcement response.