Colonial Pipeline, which suffered a crippling ransomware attack on its infrastructure on May 7, 2021, announced about a week later that it had restarted its entire pipeline system and expects all of its infrastructure to be fully operational soon.
But now details are emerging that the Colonial Pipeline Company paid nearly $5 million in Bitcoin to the hacker group DarkSide on Friday, according to people familiar with the transaction. The U.S. government is also said to be aware of the payment. The FBI has repeatedly discouraged organizations from paying ransoms, noting that there is no guarantee the attackers will follow through on their promise to unlock files, and that paying creates an incentive for other would-be attackers.
A ransom payment could explain the fast restoration of operations, but according to CNN the quick recovery was possible because the company retrieved "the most important data" from intermediary servers in the U.S. that the attackers had used to store the stolen information. The company also found the decryption tool provided by DarkSide so slow that, even after it had paid the ransom, it could only get at its backups with the help of outside security firms and U.S. government officials.
Colonial Pipeline can now report that we have restarted our entire pipeline system and that product delivery has commenced to all markets we serve. https://t.co/kpWNw0UQve
— Colonial Pipeline (@Colpipe) May 13, 2021
With this, Colonial Pipeline joins Brenntag, a leading chemical distribution company headquartered in Germany, which paid nearly $4.4 million in Bitcoin to the same ransomware gang, DarkSide, to receive a decryptor for its encrypted files and to prevent the threat actors from publicly leaking stolen data.
Brenntag's North America division was targeted in a massive ransomware attack. The attackers encrypted devices on the network and stole about 150 GB of unencrypted files. DarkSide initially demanded 133.65 Bitcoin (approximately $7.5 million) in ransom, but after negotiations the demand was reduced to $4.4 million.
After the Colonial Pipeline incident, DarkSide released a statement:
"We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other motives of ours. Our goal is to make money, and not creating problems for society.
From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future."
DarkSide operates as a Ransomware-as-a-Service (RaaS). It consists of two groups: the core operators, who develop and maintain the ransomware, and the affiliates, who are recruited to break into networks and deploy it. Ransom payments are then split, with the core operators keeping approximately 20-30% and the affiliates receiving the rest.
Aiming to repair its image, the group donated $20,000 of the bitcoin it had earned from ransom payments to the charities Children International and The Water Project in October 2020. But once the details became public, the charities decided that they could not keep the donations.
Source: BleepingComputer & Bloomberg | Image source: BleepingComputer