Last week the pipeline that carries fuel from Texas to the east coast was shut down following a ransomware attack, causing chaos and panic-buying.
Now the operating company has confirmed it paid a US$4.4 million ransom to the cybercriminal gang responsible for taking the pipeline offline.
Colonial Pipeline’s CEO has told the Wall Street Journal he authorised the payment to cybercriminal gang DarkSide on May 7 because of uncertainty over how long the shutdown would continue.
“I know that’s a highly controversial decision,” Joseph Blount said in his first interview since the hack.
The 8,900km pipeline carries 2.5 million barrels a day. According to the firm, that’s 45% of the east coast’s supply of diesel, petrol and jet fuel.
Blount told the WSJ that the firm decided to pay the ransom after discussions with experts who had previously dealt with DarkSide, the criminal organisation behind the attack.
“I didn’t make that decision lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this, but it was the right thing to do for the country,” he said.
The US government has recommended in the past that companies do not pay criminals over ransomware attacks, to avoid inviting future blackmail attempts.
At the time of the hack, the DarkSide criminal gang acknowledged the incident in a public statement.
“Our goal is to make money and not creating problems for society,” DarkSide wrote on its website. “We do not participate in geopolitics, do not need to tie us with a defined government and look for… our motives.”
In return for the Bitcoin payment, the company received a decryption tool enabling it to unlock the systems compromised by the hackers – although that was not enough to restart systems immediately, according to the WSJ.
Operations resumed on the pipeline late last week, although petrol shortages seen across south-eastern states have persisted, according to data tracking firm GasBuddy.
Blount said it would take months before some other systems were recovered, and he estimated that the attack would ultimately cost the company tens of millions of dollars.
He also regrets that the company has lost its anonymity.
“We were perfectly happy having no one know who Colonial Pipeline was, and unfortunately that’s not the case anymore,” he said.
“Everybody in the world knows who we are now.”