Pipeline CEO: Ransom payment 'hardest decision' of career

Colonial Pipeline
Posted at 3:14 PM, Jun 08, 2021
and last updated 2021-06-08 15:31:40-04

WASHINGTON (AP) -- The chief executive of the massive fuel pipeline hit by ransomware said Tuesday that authorizing a multi-million-dollar payment to hackers was the right thing to do after an attack that prompted a gas shortage in much of the eastern U.S., even as federal authorities have discouraged such transactions.

"I made the decision to pay, and I made the decision to keep the information about the payment as confidential as possible," Colonial Pipeline CEO Joseph Blount told the Senate Homeland Security Committee at a hearing about last month's attack. "It was the hardest decision I've made in my 39 years in the energy industry, and I know how critical our pipeline is to the country -- and I put the interests of the country first."

Asked how much worse it would have been if the company hadn't paid to get its data back, Blount said, "That's an unknown we probably don't want to know. And it may be an unknown we probably don't want to play out in a public forum."

Blount's testimony, his first since the May 7 cyberattack that led the pipeline to halt operations, underscored the dilemma facing both the private industry and the federal government as ransomware attacks have proliferated in scale and sophistication. U.S. authorities have cautioned against payments for fear of encouraging additional attacks, but Blount's remarks made clear the enormous economic consequences if ransoms aren't paid and critical infrastructure is shut down.

In this case, the Justice Department was able to recover much of the $4.4 million ransom after seizing a virtual bitcoin wallet used to hide the proceeds. Though officials said they may be able to achieve similar success in future ransomware attacks, that is hardly guaranteed.

The May 7 attack on Colonial Pipeline -- which supplies roughly 45 of the fuel consumed on the East Coast -- has been attributed to a Russia-based gang of cybercriminals using the DarkSide ransomware variant, one of more than 100 variants the FBI is currently investigating. The attack began after hackers exploited a legacy virtual private network that was not intended to be in use and has since been shut down, Blount said.

Blount said the Georgia-based company began negotiating with the hackers on the evening of the May 7 attack and paid a ransom of 75 bitcoin -- then valued at roughly $4.4 million -- the following day. The hack prompted the company to halt operations before the ransomware could spread to its operating systems.

Though the FBI has historically discouraged ransomware payments for fear of encouraging cyberattacks, Colonial officials have said they saw the transaction as necessary to resume the vital fuel transport business as rapidly as possible.

The encryption tool the hackers provided the company in exchange for the payment helped "to some degree" but was not perfect, with Colonial still in the process of fully restoring its systems, Blount said.

"If you start to look at the fact that it took us from Friday all the way to Wednesday afternoon the following (to resume operations), and we already started to see pandemonium going on in the markets, people doing unsafe things like filling garbage bags full of gasoline or people fist-fighting in line at the fuel pump, the concern would be what would happen if it had stretched on beyond that amount of time," Blount said.

"What would happen at the airports where we supply a lot of jet fuel, let alone what might happen at the gas pump," he added.

The operation to seize cryptocurrency paid to the Russia-based hacker group is the first of its kind to be undertaken by a specialized ransomware task force created by the Biden administration Justice Department. It reflects a rare victory in the fight against ransomware as U.S. officials scramble to confront a rapidly accelerating threat targeting critical industries around the world.

"By going after the entire ecosystem that fuels ransomware and digital extortion attacks -- including criminal proceeds in the form of digital currency -- we will continue to use all of our resources to increase the cost and consequences of ransomware and other cyber-based attacks," Deputy Attorney General Lisa Monaco said Monday in announcing the operation.

The Bitcoin amount seized -- 63.7, currently valued at $2.3 million after the price of Bitcoin tumbled-- amounted to 85% of the total ransom paid, which is the exact amount that the cryptocurrency-tracking firm Elliptic says it believes was the take of the affiliate who carried out the attack. The ransomware software provider, DarkSide, would have gotten the other 15%.

"The extortionists will never see this money," said Stephanie Hinds, the acting U.S. attorney for the Northern District of California, where a judge earlier Monday authorized the seizure warrant.

Ransomware attacks -- in which hackers encrypt a victim organization's data and demand a hefty sum for returning the information -- have flourished across the globe. Last year was the costliest on record for such attacks. Hackers have targeted vital industries, as well as hospitals and police departments.

Weeks after the Colonial Pipeline attack, a ransomware attack attributed to REvil, a Russian-speaking gang that has made some of the largest ransomware demands on record in recent months, disrupted production at Brazil's JBS SA, the world's largest meat processing company.

The ransomware business has evolved into a highly compartmentalized racket, with labor divided among the provider of the software that locks data, ransom negotiators, hackers who break into targeted networks, hackers skilled at moving undetected through those systems and exfiltrating sensitive data -- and even call centers in India employed to threaten people whose data was stolen to pressure for extortion payments.


Associated Press writer Frank Bajak in Boston contributed to this report.