Within hours of realizing that a ransomware attack had hit the Colonial Pipeline network on May 7, with the company’s IT network mostly offline and the fuel pipeline itself shut down, Colonial Pipeline’s CEO had already decided to begin the negotiation process with the actors to pay the ransom, reasoning that an extended outage of the pipeline could affect fuel distribution not just at gas stations, but also at airports for months to come.
Had the company not shut down the pipeline when it did, preventing the ransomware from potentially spreading to the operational technology network that controls it, and started the ransom payment process, things could have gone much worse than they did, CEO Joseph Blount Jr. said.
“The attack forced us to make difficult choices in real time that no company ever wants to face. I made the decision to pay and keep the payment confidential. I put the interests of the country first. I kept the information closely held because I was concerned about operational security and safety. I believe with all my heart it was the right choice to make,” Blount said during a hearing of the Senate Committee on Homeland Security and Governmental Affairs Tuesday.
“We’d already seen pandemonium and panic buying. The concern would be what would happen at the airports, where we supply a lot of jet fuel? In the early hours of May 7, we didn’t know exactly what we had. We didn’t know if it was just a cyber attack. We had to make sure it wasn’t an attack on our physical infrastructure, too.”
The effects of the attack on Colonial Pipeline are still emerging, and Blount said not all of the company’s systems are back online yet, a month after the initial intrusion. The company paid a $4.4 million ransom to the actors the day after the attack and then received the decryptor tool to begin the recovery process. Though the tool worked as intended and decrypted the systems directly compromised by the DarkSide ransomware, that’s just one piece of the recovery, Blount said, noting that several of the company’s finance systems are just coming back online this week.
“It takes months and months and months and in some cases years to restore these systems. Our focus that first week was to restore the critical systems and bring the pipeline back up,” Blount said.
“The remediation is ongoing. The keys are useful and we did take advantage of them, but they’re not perfect.”
In addition to installing ransomware, the DarkSide actors also stole some of the company’s data, which Blount said Colonial Pipeline had retrieved from the actors. However, he said he’s not sure what specific information was taken.
“It was retrieved very quickly. It was brought back in. We don’t fully understand everything that’s in it, because of where it’s been held since it was retrieved,” he said.
Blount’s testimony came the day after the Department of Justice announced that it had seized $2.3 million of the ransom that Colonial Pipeline had paid. The seizure was the end result of the FBI tracing the Bitcoin payment through a series of digital wallets to its eventual destination, which happened to be on a computer in California. The recovery is an unusual outcome for these investigations, and Blount said that the decision to call the FBI as soon as technicians discovered the ransomware attack was a key factor in limiting the damage.
“Our engagement with those federal authorities helped us achieve meaningful milestones in our response process to address the attack and restore pipeline operations as quickly as possible,” Blount said.
Blount told the committee that while he and his team were aware of the FBI’s stated guidance against paying ransoms, the bureau did not give the company any specific advice after the intrusion, and the decision to pay the ransom was Blount’s. The company, its lawyers and its negotiators also checked that the actors to whom they paid the ransom were not entities sanctioned by the Office of Foreign Assets Control.
“But I believe that restoring critical infrastructure as quickly as possible, in this situation, was the right thing to do for the country. We took steps in advance of making the ransom payment to follow regulatory guidance and we have explained our course of dealings with the attackers to law enforcement so that they can pursue enforcement options that may be available to them,” he said.