Nearly a week after a ransomware attack led Colonial Pipeline to halt fuel distribution on the East Coast, reports emerged on Friday that the company paid a 75 bitcoin ransom—worth as much as $5 million, depending on the time of payment—in an attempt to restore service more quickly. And while the company was able to restart operations Wednesday night, the decision to give in to hackers’ demands will only embolden other groups going forward. Real progress against the ransomware epidemic, experts say, will require more companies to say no.
Not to say that doing so is easy. The FBI and other law enforcement groups have long discouraged ransomware victims from paying digital extortion fees, but in practice many organizations resort to paying. They either don’t have the backups and other infrastructure necessary to recover otherwise, can’t or don’t want to take the time to recover on their own, or decide that it’s cheaper to just quietly pay the ransom and move on. Ransomware groups increasingly vet their victims’ financials before springing their traps, allowing them to set the highest possible price that their victims can still potentially afford.
In the case of Colonial Pipeline, the DarkSide ransomware group attacked the company’s business network rather than the more sensitive operational technology networks that control the pipeline. But Colonial took down its OT network as well in an attempt to contain the damage, increasing the pressure to resolve the issue and resume the flow of fuel along the East Coast. Another potential factor in the decision, first reported by Zero Day, was that the company’s billing system had been infected with ransomware, so it had no way to track fuel distribution and bill customers.
Advocates of zero tolerance for ransom payments hoped that Colonial Pipeline’s proactive shutdown was a sign that the company would refuse to pay. Reports on Wednesday indicated that the company had a plan to hold out, but numerous subsequent reports on Thursday, led by Bloomberg, confirmed that the 75 bitcoin ransom had been paid. Colonial Pipeline did not return a request for comment from WIRED about the payment. It is still unclear whether the company paid the ransom soon after the attack or days later, as fuel prices rose and lines at gas stations grew.
“I can’t say I’m surprised, but it’s certainly disappointing,” says Brett Callow, a threat analyst at antivirus company Emsisoft. “Unfortunately, it’ll help keep United States critical infrastructure providers in the crosshairs. If a sector proves to be profitable, they’ll keep on hitting it.”
In a briefing on Thursday, White House press secretary Jen Pskai emphasized in general that the US government encourages victims not to pay. Others in the administration struck a more measured note. “Colonial is a private company and we’ll defer information regarding their decision on paying a ransom to them,” said Anne Neuberger, deputy national security advisor for cyber and emerging technologies, in a press briefing on Monday. She added that ransomware victims “face a very difficult situation and they have to just balance often the cost-benefit when they have no choice with regards to paying a ransom.”
Researchers and policymakers have struggled to produce comprehensive guidance about ransom payments. If every victim in the world suddenly stopped paying ransoms and held firm, the attacks would quickly stop, because there would be no incentive for criminals to continue. But coordinating a mandatory boycott seems impractical, researchers say, and likely would result in more payments happening in secret. When the ransomware gang Evil Corp attacked Garmin last summer, the company paid the ransom through an intermediary. It’s not unusual for large companies to use a middleman for payment, but Garmin’s situation was particularly noteworthy because Evil Corp had been sanctioned by the US government.