Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million Ransom (wsj.com)
The operator of the Colonial Pipeline learned it was in trouble at daybreak on May 7, when an employee found a ransom note from hackers on a control-room computer. By that night, the company's chief executive came to a difficult conclusion: He had to pay. From a report: Joseph Blount, CEO of Colonial Pipeline, told The Wall Street Journal that he authorized the ransom payment of $4.4 million because executives were unsure how badly the cyberattack had breached its systems or how long it would take to bring the pipeline back. Mr. Blount acknowledged publicly for the first time that the company had paid the ransom, saying it was an option he felt he had to exercise, given the stakes involved in a shutdown of such critical energy infrastructure. The Colonial Pipeline provides roughly 45% of the fuel for the East Coast, according to the company. "I know that's a highly controversial decision," Mr. Blount said in his first public remarks since the crippling hack. "I didn't make it lightly. I will admit that I wasn't comfortable seeing money go out the door to people like this. But it was the right thing to do for the country," he added.
[...] Mr. Blount said Colonial paid the ransom in consultation with experts who had previously dealt with the criminal organization behind the attacks. He and others involved declined to detail who assisted in those negotiations. Colonial said it has cyber insurance, but declined to provide details on ransomware-related coverage. In return for the payment, made in the form of bitcoin, about 75 in all, according to a person familiar with the matter, the company received a decryption tool to unlock the systems hackers penetrated. While it proved to be of some use, it was ultimately not enough to immediately restore the pipeline's systems, the person said.
Hope they cashed it quickly (Score:5, Funny)
Re: (Score:2, Informative)
Bitcoin is down 20%, so I guess it's now a $3.5m ransom!
Nope, it was $4.4M when they bought it, they don't get a refund just because the price dropped.
Versioned backups would have been slightly cheaper (Score:5, Interesting)
Re: (Score:3)
Did I read this wrong?
To me, this sounds like the employee came in and found a physical note, on paper sitting on the computer, indicating that there was an intruder (or inside person) that had physical access to machine(s) there.
Was this the case?
If so, it isn't just cyber security that is their problem.
Re: Versioned backups would have been slightly che (Score:5, Funny)
Re: Versioned backups would have been slightly che (Score:4, Funny)
"The files are _in_ the computer!.."
This deserves to be modded funny.
Re:Versioned backups would have been slightly chea (Score:5, Insightful)
Did I read this wrong?
To me, this sounds like the employee came in and found a physical note, on paper sitting on the computer, indicating that there was an intruder (or inside person) that had physical access to machine(s) there.
Was this the case?
If so, it isn't just cyber security that is their problem.
The only "case" to solve here is why clickbait sensationalist reporting continues to be acceptable.
The "ransom note" found "on" a computer, is textbook ransomware. I highly doubt there was a *physical* note sitting on a computer. If hackers have *that* kind of access, the pipeline would probably still be down. Why half-ass an attack like that when you can whole-ass it with direct physical access.
Re: (Score:3)
Re: (Score:3)
Why would the pipeline still be down? These guys are in it for the money. Part of the reason they got paid is that, according to TFS, others had paid them in the past and received their decryption keys. The goal wasn't to shut down the pipeline, the goal was to get paid.
Yeah. Exactly.
Think holding the eastern fucking seaboard ransom is worth a bit more than a measly $5 million? If you're brave enough to brag with physical access, you're likely strong enough to not half-ass the attack.
$5 million would have turned into the daily ransom in two weeks. Just to keep the rioting down to only losing one or two major cities.
Re: (Score:3)
I assume they basically left Notepad (assuming it's Windows, which it probably is) open on the desktop, and had typed the message there.
Re: (Score:3)
Ok.
The article was a bit ambiguous to me...sounded like a note laying ON the computer...if they'd said a note was displayed on the computer, etc.
Re: (Score:2)
Yeah, I agree it was ambiguously worded (and we could still find out that your interpretation was right).
Also, the story has changed over time - originally they'd indicated it wasn't the operational computer, but they were just worried about them. Now it appears Darkside actually did get into their vital infrastructure.
Re: (Score:2)
The Hackers could have used a connected printer to print out the message a few times.
Re: (Score:2)
For 90%+ of the general public the monitor is the computer (or at the very least part of the computer), so when someone says that something is left on the computer (especially in the context of a program), that 90%+ of the population have no problem realizing that the person meant that there was a message displayed on the monitor.
You have to be REALLY isolated into the computer world not to make this connection right away.*
*Sure for a microsecond you could be excused if you thought it was a physical note on
Re: (Score:2)
*V*LANS are of no help when you find the message in your control room. You need to assume the firmware of the switches has been compromised.
For something like a pipeline a bi-directional serial link might be ok, but a highly secured network would only use a broadcast serial network to send data to the MIS network. It gets very complicated though when you can’t have direct network access.
They had backups (Score:5, Informative)
They were restoring from backups, but it was progressing slowly enough that they felt it would be faster to pay the ransom (insert disclaimer about how people who pay the ransom frequently find out the decryption process is often slower than restoring backups, or doesn't work at all). Because the operational network had been shut down as a precaution, they couldn't turn it back on until they were confident they'd eliminated any malware from their administrative network.
The whole thing points to insufficient thought put into their network segmentation. Normally you'd set it up so if the two networks have access to each other, it's only through a few chokepoints (there are performance reasons for doing this, not just security). And all they would've had to do is sever those chokepoints to guarantee nothing on the administrative network could reach the operations network. Apparently they couldn't do this with confidence, so had to shut both networks down.
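The segmentation point above (a few chokepoints between the administrative and operations networks, severed to guarantee isolation) as an added example, not code from this thread or from Colonial: a reachability check over a constructed topology that finds the minimal sets of segments whose removal isolates OT, and shows how one forgotten path defeats a single chokepoint. All segment names are constructed.

```python
"""Does severing the known chokepoints really isolate the operations network?

Models network segments as nodes and permitted links as edges, then asks
which small sets of segments cut every admin-to-OT path. A chokepoint that
appears in every minimal cut is the one you can sever with confidence; a
segment that appears in every cut but was never meant to be a chokepoint
is a bypass you did not know about.
"""
from itertools import combinations

# Constructed sample topology (hypothetical, not Colonial's network).
LINKS = [
    ("corp-users", "corp-servers"),
    ("corp-servers", "billing"),
    ("corp-servers", "it-dmz"),
    ("it-dmz", "ot-dmz"),         # the intended chokepoint
    ("ot-dmz", "historian"),
    ("historian", "scada"),
    ("scada", "plc"),
    ("corp-users", "vendor-vpn"),
    ("vendor-vpn", "scada"),      # forgotten vendor path that bypasses the DMZ
]
ADMIN = {"corp-users", "corp-servers", "billing"}
OT = {"scada", "plc"}


def build_graph(links, removed=()):
    """Undirected adjacency map; links touching a removed segment are dropped."""
    removed = set(removed)
    adj = {}
    for a, b in links:
        if a in removed or b in removed:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def reachable(adj, sources):
    """Every segment reachable from any of the source segments (DFS)."""
    seen, stack = set(sources), list(sources)
    while stack:
        node = stack.pop()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def isolates(links, admin, ot, severed):
    """True if, with the severed segments removed, no admin segment reaches OT."""
    return not (reachable(build_graph(links, severed), admin) & ot)


def minimal_cuts(links, admin, ot, max_size=2):
    """All minimal segment sets (up to max_size) whose removal isolates OT.

    Brute force over the intermediate segments; fine for a zone-level model
    of a few dozen segments, which is the granularity of a segmentation review.
    """
    candidates = sorted({n for link in links for n in link} - admin - ot)
    cuts = []
    for size in range(1, max_size + 1):
        for combo in combinations(candidates, size):
            if any(set(cut) <= set(combo) for cut in cuts):
                continue  # superset of a smaller cut: not minimal
            if isolates(links, admin, ot, combo):
                cuts.append(combo)
    return cuts


def unavoidable(links, admin, ot, max_size=2):
    """Segments present in every minimal cut: the real chokepoints (or bypasses)."""
    cuts = minimal_cuts(links, admin, ot, max_size)
    return set.intersection(*(set(c) for c in cuts)) if cuts else set()


if __name__ == "__main__":
    print("severing it-dmz alone isolates OT:", isolates(LINKS, ADMIN, OT, ["it-dmz"]))
    print("minimal cuts:", minimal_cuts(LINKS, ADMIN, OT))
    print("in every cut:", unavoidable(LINKS, ADMIN, OT))
    fixed = [link for link in LINKS if "vendor-vpn" not in link]
    print("after removing the vendor path:", minimal_cuts(fixed, ADMIN, OT))
```

With the vendor path present, every minimal cut contains vendor-vpn, so severing the DMZ chokepoint alone would not have isolated OT; once that path is removed, any single DMZ-side segment is a sufficient cut.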
Re: (Score:2)
Re: (Score:2)
Well more to the point, why was one company so influential to the infrastructure?
A company's goal is to make money. To maximize the money they make they try to minimize expenses. (They are cheap.) Running your operation cheaply often creates little to no buffer for problems or mistakes. So when one does happen to hit the snag, it becomes a big problem hurting many people.
Either force and keep competition in areas so if something happens to a single company it isn't as bad, or have the government control
Re: (Score:2)
Pipelines work much better if they're big. It's a frequently underappreciated problem with fuel-based energy: long vulnerable supply chains that only work efficiently at large scale.
Re: (Score:2)
Never give up but realistically I don't think airtight security for vast enterprises is going to happen. I know I'm going to get shot for saying this in here but I think the ability to make payments anonymously is a problem. I don't think government should routinely monitor everything but the capability to do investigations and rollbacks when necessary is a good thing, and the existence of means to move millions of dollars untraceably
Still using Windows 95 (Score:2)
They don't really run Windows 95 any more.
LoB
Re: (Score:2)
I hope they spend some money on proper security systems from now on
They will, only if it's cheaper than paying the ransom.
Re: (Score:2)
so (Score:5, Insightful)
So... they funded terrorism?
Re:so (Score:5, Funny)
It's an oil company.
Re:so (Score:5, Insightful)
Kind of, though not entirely unlike the little defenseless village that was invaded by terrorists and given the choice of "support us, or die."
The difference is that no company should be without adequate defenses against ransomware and other forms of cyber-terrorism. And certainly not a company that represents a substantial and irreplaceable part of the infrastructure that keeps all of us alive.
Let's hope they learn their lesson, and also are held accountable for (a) helping to fund this criminal organization, albeit arguably more because of negligence rather than intent; and (b) getting their sh*t together so this doesn't happen again.
Re: (Score:3)
Not exactly. Reports are that the intrusion did not affect actual pipeline operations, just billing systems. So the option wasn't really equivalent to "or die".
Re: (Score:2)
Re: (Score:2)
By the above definition, perhaps not.
But theft and violence are not entirely unrelated, nor are financial versus political motivations.
Comment removed (Score:5, Insightful)
Re: (Score:2)
After reading this FBI testimony, it seems like they intermingle terrorism and criminal acts involving property quite a bit. They definitely use the term violence when defining the word "terrorism", but doesn't seem solely wrt bodily harm:
https://archives.fbi.gov/archi... [fbi.gov]
For example:
"Domestic terrorism is the unlawful use, or threatened use, of violence by a group or individual based and operating entirely within the United States (or its territories) without foreign direction, committed against persons or
Re: (Score:3)
The key part of the definition of terrorism is "furtherance of political or social objectives." Shutting down a pipeline and not allowing it to be started up again until Taco Tuesday is enshrined in law is terrorism. Shutting down a pipeline randomly to demonstrate how vulnerable the dirty capitalist pigs are is terrorism. Shutting one down so you can make some dough to buy a sweet mansion and some hookers in Eastern Europe is not.
Re: (Score:3)
Re:so (Score:4, Insightful)
Now, the right thing to do for the country is to fire all top level executives, collecting all golden parachutes, bonuses etc. from them, and auction off the company. The right thing to do for the country is to not allow anyone to profit from shitty management of a critical infrastructure element when they failed this badly.
Too big to fail and too important to fail just means it is ok to fail.
Re: (Score:3)
That's silly. "It was the right thing to do for the country" is what you say because in a hyper-patriotic country like the US it plays better than "we're losing four million a day so paying a five mil ransom was a no-brainer."
Insurance paid the ransom. Good. (Score:2)
So we have a system which pretty much guarantees that ransoms will be paid.
I actually think that this is a good thing, and that the hackers are serving a valuable function. By constantly embarrassing CEOs about their half hearted cyber security.
If there is ever real trouble with China, they will want more than just a few million dollars ransom. Bureaucrats will never sort this out by themselves. But constant attacks by embarrassing ransomware should.
I think that we should actually legalize this behavior.
Knowing they shut down operations by choice... (Score:3)
Re: (Score:2)
Doh, wish I had saved my mod points! Good point.
However, you never know how deep the rabbit hole goes once you have been owned.
Re:Knowing they shut down operations by choice... (Score:5, Interesting)
It says they had "cyber insurance." Not sure if this counts as a cyber or not. (Back in my day a cyber was a textual role-playing session where you pull out your wand and wizard hat.)
I was thinking along the lines of insurance fraud, but you could very well pull a fraud here without even using insurance:
1. Purposefully run without sufficient security.
2. Coordinate with the "hackers" to let them know how to steal just the right data for the next step.
3. "Oh no! We've been cybered! Now the east coast doesn't have gasoline! We have to pay them 4 million, national security!"
4. Hackers split the 4 million with the guy who let them into the network.
Step 1 won't even seem that weird to anyone. We all know bad security is everywhere, so it becomes "Well... just another Cyber grabbing your Cryptos. Happens every day."
Re:Knowing they shut down operations by choice... (Score:5, Informative)
You usually can't GET cyber-insurance without having your insurance co come and audit your system and maybe install some tools of their own.
When there's THAT much money on the line, the insurance company will ALWAYS want to make sure you're making reasonable efforts to avoid loss in the first place. Try keeping your fire insurance while not passing the chief's fire inspections.
Re: (Score:2)
Man, those insurance companies sure are stupid. Shame they get taken advantage of so much. Poor insurance companies.
This is exactly what Cyber Insurance covers (Score:2)
And it is a good thing that the ransom is paid. This type of ransomware should be legalized and encouraged.
That way cyber security will not be considered an afterthought.
If ever there is serious trouble with a foreign power, they will want a lot more than a few million dollars. We are wide open today.
Re: (Score:2)
Ah yes the "the whole thing was a scam, it's so simple" theory that some numnuts is always compelled to trot out.
Yet it totally ignores a couple of dozen reasons why that's ridiculously unlikely to be the case because invariably the people suggesting this malarkey are only capable of picturing anything outside of their own direct lives as a montage from Ocean's 11.
Re: (Score:2)
Indeed. Points for spin...interesting meta issue.
Re:Knowing they shut down operations by choice... (Score:5, Interesting)
This article spins some serious bullshit.
Yes. This entire story is bullshit.
The operation of the pipeline was not shut down by ransomware. The ransomware was in the billing system. **THE COMPANY** shut down the pipeline because they were worried that they wouldn't be able to bill their customers.
Paying ransom doesn't work? (Score:2)
Wait, they paid the ransom, and that wasn't enough to get them back online?? Paying ransom doesn't work?
Re: (Score:2)
And AFAIK paying ransom for this kind of situation doesn't ensure that there aren't little Easter Eggs sprinkled all over the place, dormant for now. If the cybersecurity team didn't catch the first attack, how do they even know what their system has?
Re: (Score:2)
And AFAIK paying ransom for this kind of situation doesn't ensure that there aren't little Easter Eggs sprinkled all over the place, dormant for now. If the cybersecurity team didn't catch the first attack, how do they even know what their system has?
The group or person who did it is reading this thread, I'm sure. So, sending a message to them is easy.
Re:Paying ransom doesn't work? (Score:5, Informative)
I'm a little disturbed by this line: "While it proved to be of some use, it [paying the ransom] was ultimately not enough to immediately restore the pipeline's systems,"
Wait, they paid the ransom, and that wasn't enough to get them back online?? Paying ransom doesn't work?
From other news sources, I gather the decryption tool provided by the hackers worked but was very slow. Ultimately Colonial used a combination of restoring from backups, wiping and rebuilding, and the decryption tool to get everything back up and running.
Re:Paying ransom doesn't work? (Score:4, Informative)
Re: (Score:2)
I read an article last week that had a comment from Colonial that the decryption tool was slower than their own recovery efforts, which I assume was restoring from backups.
I believe this is the accurate assessment, but if you want to know what is slow here, perhaps talk to a certain CEO that made the decision to pay, and THEN realized how fucking worthless (and now dangerous) that decision, really was.
Then perhaps we could talk to the "experts" from the government advising him.
Re: Paying ransom doesn't work? (Score:2)
Makes sense if you think about it. Read a block, decrypt, write back to the same device, versus reading from external backup device, writing to primary device.
If you had a particularly slow backup storage or pipe to the restore target and fast primary storage, the situation could reverse though where decrypting in place would be faster. I doubt anyone has a strong idea which is faster until they go through that scenario.
Also, nobody on the outside knows what their backup coverage actually is ... was, and
Re: (Score:3, Funny)
Wait a minute. Hold the bus here.
Are we saying that criminal organizations are untrustworthy and we shouldn't take them at their word to follow through on promises?
What has this world come to? Where are my pearls and fainting couch?
Because... (Score:2)
Re:Because... (Score:5, Funny)
Now that I think about it, Windows 1.0 can't be connected to the Internet, so, it probably is safer than most.
Re: (Score:2)
Tell that to the Iranians whose air-gapped computers running the centrifuges were hit by Stuxnet
Re:Because... (Score:4, Informative)
Re: (Score:2)
Re: Because... (Score:2)
Re: (Score:2)
Yes, that's an example where Windows 1.0 would have been more secure than whatever it was they were running.
Comment removed (Score:5, Insightful)
Re:Because he didn't prevent and prepare (Score:5, Insightful)
He paid the ransom because he refused to pay for prevention and preparation.
The scary part of this statement is, assuming the attackers keep the ransom relatively low, it may actually be cheaper (by beancounter standards) to pay a ransom than pay for effective cybersecurity.
Re: (Score:2)
Re: (Score:2)
Except now we have the FTC and SEC investigations.
Re: (Score:2)
Citation Needed (Score:2)
He paid the ransom because he refused to pay for prevention and preparation.
Do you have anything to support this accusation?
I know how the armchair quarterbacks, like yourself, are invincible experts. But a proper ransomware attack is extremely hard to defend against, especially in a large company.
Besides that, it seems that they did have defenses, backups, and a recovery plan. Simply their RTO took longer than expected or desired. According to all published sources that I have seen, he paid the ransom to try to speed up recovery. It turned out that it did not speed it up adequately.
Re: (Score:3)
That's 1% of Last Year's Profits (Score:5, Informative)
Colonial Pipeline Has Been a Lucrative Cash Cow for Many Years [bloomberg.com]
"Over the past decade, Colonial has distributed nearly all its profits, sometimes more, in the form of dividends. In 2018, for example, it paid nearly $670 million to its owners, even more than the $467 million net income. Last year, it returned to investors over 90% of its $421.6 million in profits."
And it also sounds like they don't invest in maintenance.
"Meanwhile, its aging pipelines have suffered a series of accidents. Last August, a segment of a conduit was interrupted for almost a week after more than 28,000 barrels of gasoline spilled for days in a North Carolina nature preserve, discovered by two teenagers riding all-terrain vehicles. That was caused by a failure in a sleeve repair installed 16 years earlier. In March, a federal regulator said similar threats exist throughout the system and the continued operation without corrective measures “would pose a pipeline integrity risk to public safety, property, or the environment.” Three other spills due to cracks have been reported since 2015. In September 2016, a line was shut for 12 days, cutting supplies to millions of customers. Two months later, a fatal blast nearby led to another interruption. 'Colonial’s inability to effectively detect and respond to such releases has potentially exacerbated the impacts of numerous releases over the operational history of Colonial’s entire pipeline system,' Pipeline and Hazardous Materials Safety Administration said in a notice of proposed safety order sent to Colonial Chief Executive Officer Joseph Blount."
Re:That's 1% of Last Year's Profits (Score:5, Insightful)
experts who had previously dealt with the criminal (Score:2)
HORSESHIT. (Score:5, Insightful)
"I didn't make it lightly. I will admit that I wasn't comfortable seeing money go out the door to people like this. But it was the right thing to do for the country,"
This is a load of shit like no other. The reason they shut down the pipeline is because they couldn't keep track of billing. They could have just let the pumping continue and just take the monetary hit until they restored their systems but they decided money was more important.
Little more infuriates me like false patriotism, especially when it's in the name of greed.
Re: (Score:2)
Re: (Score:2)
"I didn't make it lightly. I will admit that I wasn't comfortable seeing money go out the door to people like this. But it was the right thing to do for the country,"
This is a load of shit like no other. The reason they shut down the pipeline is because they couldn't keep track of billing. They could have just let the pumping continue and just take the monetary hit until they restored their systems but they decided money was more important.
Little more infuriates me like false patriotism, especially when it's in the name of greed.
While I certainly don't doubt the validity of your claim here, for some reason I'm thinking the pressure of crippling the eastern fucking seaboard of the US just might have had a little influence on that decision too. The CEO probably wanted to get the US Government out of his asshole at some point.
Besides, IMHO, there's a larger turd on top of your theory. This whole thing stinks like a three-letter fundraiser.
Gas prices are back up damn near overnight and right before COVID hits its magical expiration da
Kill 'em Rather Than Pay (Score:4, Interesting)
If I was that CEO I wouldn't have paid a ransom--I would have used that $4.4M to hire a team of operators to locate and take out the perpetrators.
The criminal gang is likely in Russia, and I'm sure the CEO could have found some retired Spetsnaz types to do the dirty work.
Re: (Score:3)
How would you figure out who did it? Hire a psychic? Interrogate every Russian? Crack TOR?
Re: (Score:2)
If I was CEO, I would have paid them double (Score:2)
what they asked.
They did a great service. They put focus on our sloppy security. And not just ours, but every other infrastructure company out there.
If a foreign power ever got nasty, these systems would all be toast.
Re: (Score:2)
I would have used that $4.4M to hire a team of operators to locate and take out the perpetrators.
How would killing the perpetrators solve the ransomware problem?
Unless that team of operators also tortures the perpetrators for the unlock instructions?
De (Score:2)
Ahh, the end of The Sum of All Fears and the conspirators' denouement.
One can always dream.
First thing to do when a ransom takes down company (Score:3)
What CEOs can get fired for... (Score:2)
Yes, there are things they can't get away with. Al Capone got away with murder, then went to jail for tax evasion.
What did they get? (Score:2)
Re: (Score:2)
What did they get for their 4.4 million? A promise from the hackers not to do it again?
I heard the giggling from the other end was so bad even TCP was struggling to keep a handshake going.
Lack of competition? (Score:2)
Why would one company have such a stranglehold? I know pipelines are a hotpoint, but one company should not have that outsized impact on roughly a quarter of the nation. That's just begging for a disaster.
Re: (Score:2)
one company should not have that outsized impact on roughly a quarter of the nation. That's just begging for a disaster.
I wish I was kidding, the answer is they had a really good lobbyist.
I welcome the attacks (Score:2)
The only option (Score:2)
"Mr. Blount acknowledged publicly for the first time that the company had paid the ransom, saying it was an option he felt he had to exercise..." ...thereby ensuring that cybercriminals will continue to plague other companies, and his in the future.
Governments should make a law that is "no cyber ransoms shall be paid". The result would be some chaos, followed by these corporations putting measures in place to ensure it won't happen again. I doubt that such a thing is realistic. Just saying.
Re: (Score:2)
Governments should make a law that is "no cyber ransoms shall be paid". The result would be some chaos, followed by these corporations putting measures in place to ensure it won't happen again. I doubt that such a thing is realistic. Just saying.
No, it's not realistic. Because the Government themselves would have paid the damn ransom within two weeks. Just to avoid another city burning.
Doesn't matter who you are in the food chain. No one has the luxury of sitting on the sidelines of a 45% fuel supply problem.
Re: (Score:2)
Doesn't matter who you are in the food chain. No one has the luxury of sitting on the sidelines of a 45% fuel supply problem.
That's what separates us from monkeys. Our ability to think past the immediate. Today it's a 5 day shutdown. Tomorrow it's a terrorist-sponsored total destruction of the system.
He's too stupid for shame. (Score:2)
Time to break up this monopoly. Shareholder value be damned. Consumers matter more.
There were no stakes (Score:2)
So in other words he should not have paid it (Score:2)
1) They are now a massive target for further attacks since everyone knows they will pay up.
2) It didn't even really help bring the pipeline up faster.
3) All other critical infrastructure is now an equally larger target since we know the U.S. will pay up.
4) (Bonus) since they also used the tool the hackers have them to partly fix the thing, isn't the entire system likely full of backdoors now so the group can come back in any time they like? A working, but compromised system is exactly what you'd expect a h
What about OFAC (Score:2)
Re: (Score:2)
As someone on the IT security and legal side of things (lawyer with a CISSP and background in IT infra), I'm wondering how the various govt 3 letter acronyms will look at this from the perspective of OFAC: https://home.treasury.gov/syst... [treasury.gov]
Interesting read. Depending on who was on the receiving end of Darkside's "lost" funds, the matter may be ignored by 3 letter agencies. That said, one might measure the value of some kind of additional fine or worse because the problem was felt widespread enough to garner public support for such an action. For once, government would not look like the "bad guys" and instead be looking to protect and secure the lifesblood of a fossil-fueled country, and every citizen that depends on it. Sending a message
Perhaps I'm crazy... (Score:2)
But sending 45% of an area's fuel through one pipeline seems like an enormously bad idea.
Re: (Score:2)
Welcome to "modern" US infrastructure...
Financing a criminal organization (Score:2)
That is what he did. And he should go to prison for it.
I really wonder why (Score:2)
Why would anyone pay? (Score:2)
Seriously once a machine has been compromised, is paying a ransom going to restore your faith in that machine being secure?
I think the only people who would consider paying a ransom like this, are people with zero technical understanding of computer systems.
We had such an attack in our company, we simply deleted the data affected or restored backups, not for a second did we consider paying it.
We were infected because of the actions of a staff member I've been wanting sacked since the day I started. Most of
Re: (Score:2)