Colonial Pipeline paid $5 million ransom to DarkSide hackers, report

Flows expected to return to normal levels by the weekend

Colonial Pipeline paid a ransom of nearly $5 million (about £3.55 million) to Eastern European hackers last Friday, after a cyber attack forced the shutdown of its major pipeline supplying fuel to the East Coast.

Multiple sources familiar with the investigation told Bloomberg that the ransom was paid in cryptocurrency hours after the company's systems started locking up last week.

After receiving the payment, the ransomware operators provided a decryption tool to the company to restore its disabled computer network. The tool was too slow, however, and the firm had to continue using its own backups to restore the network. Flows of fuel are expected to return to normal levels this weekend.

The company has not publicly confirmed the reported payment.

Earlier this week, the company said that it had no intention of paying a ransom to cyber criminals to help restore its systems.

One source told the news outlet that the Biden administration is aware that the firm made the payment.

When asked by reporters if he had been briefed on Colonial's ransom payment, Biden told Bloomberg that he had "no comment on that."

The FBI discourages US firms that fall victim to ransomware attacks from paying money to hackers.

Biden nonetheless promised to disrupt the hackers. "We have been in direct communication with Moscow for the imperative for responsible countries to take decisive action against these ransomware networks," he said. "We're also going to pursue a measure to disrupt their ability to operate."

Colonial, which operates the largest fuel pipeline in the US, said that it began resuming pipeline operations around 5 p.m. Eastern time on Wednesday.

Ondrej Krehel, chief executive of digital forensics company LIFARS, said the reported $5 million ransom was "very low" under the circumstances.

"Ransom is usually around $25 million to $35 million for such a company. I think the threat actor realised they stepped on the wrong company and triggered a massive government response," he said, adding that he understood why the company might have paid.

"This is a cyber cancer. You want to die or you want to live? It's not a situation where you can wait."

Colonial Pipeline disclosed the ransomware attack on Saturday, saying its main fuel lines were offline but some smaller lines remained operational.

The company did not give details on who might have been behind the attack, but said that it was being assisted by a "leading, third-party cybersecurity firm" to investigate it.

Some media reports claimed that the hackers were thought to be members of the DarkSide ransomware gang, believed to be based in Russia.

Earlier this week, the DarkSide group apologised for the attack and promised to vet its targets more closely in the future.

The group posted on its dark web site: "We are apolitical. We do not participate in geopolitics. Our goal is to make money and not to create problems for society. From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future."

Colonial Pipeline transports about 45 per cent of all fuel consumed on the US East Coast. The firm's pipeline spans nearly 8,850 kilometres from Houston, Texas to the New York area, carrying more than 100 million gallons of petrol, diesel and other fuels daily.

The shutdown of Colonial's system sparked panic in the southeastern US, with residents seen queuing at petrol pumps for several hours over fears of a fuel shortage. Petrol prices rose as a result of the supply disruption, and some stations ran out of fuel altogether.

The Department of Transportation issued an emergency order earlier this week, allowing truckers supplying fuel in affected states to work for longer hours than federal rules normally allow.

Colonial warned on Thursday that it may take many days for supply to return to normal, and that intermittent disruptions may still occur.