
"Right Thing For Country" - Colonial Pipeline CEO Tells All About Ransomware Attack 

by Tyler Durden
Wednesday, May 19, 2021 - 12:36 PM

For the first time, Joseph Blount, CEO of Colonial Pipeline Co., told The Wall Street Journal that he authorized the ransom payment of $4.4 million on the evening of May 7 after a ransom note from hackers was found on a control room computer. He was unsure how deep the ransomware penetrated the network controlling the pipeline systems but was obligated to immediately resolve the issue as the pipeline provides approximately 45% of the fuel for the US East Coast. 

This is Blount's first public acknowledgment about the company paying the ransom to DarkSide, the cybercriminal gang believed to be based in Eastern Europe or Russia. 

"I know that's a highly controversial decision," he said. "I didn't make it lightly. I will admit that I wasn't comfortable seeing money go out the door to people like this."

"But it was the right thing to do for the country," Blount added.

DarkSide operates a "ransomware as a service" business model where they find ways to breach private networks and install malicious software designed to block access to a computer system unless a ransom is paid. 

The Federal Bureau of Investigation usually advises companies not to pay the ransom, because there is no guarantee that the attackers will hand over working tools to restore computer systems after payment. Paying also sets a precedent and helps the ransomware business flourish. 

However, Blount quickly paid the ransom after consultation with cybersecurity experts. The payment was made in Bitcoin on May 7, the same day the ransomware was discovered. The company then received a decryption tool from DarkSide. Still, it wasn't enough to restore the entire 5,500-mile pipeline system from the Gulf Coast to Linden, New Jersey, resulting in six days of fuel stoppage and the eventual gas shortage at fueling stations up and down the East Coast. This also rocketed fuel prices to a 6.5-year high. 

Last Thursday, Bloomberg said Colonial paid the hackers within hours of the attack in "untraceable" Bitcoin. 

Blount told WSJ that Colonial had had segments of its pipeline closed for days or weeks due to Gulf Coast hurricanes, but having the entire system closed for nearly a week was unprecedented. In many ways, it was more devastating than any natural disaster previously seen. 

He said the ransomware was found on a control room computer at 0530 ET on May 7. When workers found the ransomware, it was quickly escalated up the company's chain of command to Blount within 30 minutes.

A short time later, Colonial shut the entire system down, spanning 13 states and Washington, DC, to prevent the infection from spreading. 

Over the day, Colonial executives were in constant contact with the FBI's offices in Atlanta and San Francisco and with a Cybersecurity and Infrastructure Security Agency representative, Blount said. 

The CEO went on to say that, throughout the shutdown period, the Energy Department worked alongside Colonial to keep the multiple federal agencies involved in the response effort updated. 

Blount's quick action resolved what could've resulted in widespread chaos across the East Coast for weeks. The pipeline's fuel flow has returned to normal, but Blount said restoration work to recover some business systems could take months and tens of millions of dollars. 

"We were perfectly happy having no one know who Colonial Pipeline was, and unfortunately that's not the case anymore," he said. "Everybody in the world knows."

Still, the lingering effects of the pipeline shutdown continue Wednesday, with as many as 9.5k fuel stations without gas. 

In a blog post Tuesday, London-based blockchain analytics firm Elliptic, which identified the bitcoin wallet used by DarkSide to collect ransom payments from its victims, said the group and its affiliates collected $90 million in bitcoin ransom payments over the past nine months from 47 victims.

On Tuesday, Colonial experienced another round of problems and issued a brief statement that read: "Colonial is currently experiencing network issues impacting customers' ability to enter and update nominations." 

So after collecting nearly $90 million in ransomware payments over nine months, and then the grand finale of paralyzing almost 50% of the US East Coast fuel system, DarkSide appears to have closed down.
