The Colonial Pipeline ransomware saga continues to unfold before our eyes.
This week, company CEO Joseph Blount admitted to paying millions in ransom to cybercriminals, following the attack that shut down the largest fuel pipeline in the U.S.
In an exclusive interview with the Wall Street Journal, Blount says he made the decision to pay the ransom within hours of the attack.
"I know that's a highly controversial decision. I didn't make it lightly. I will admit that I wasn't comfortable seeing money go out the door to people like this... But it was the right thing to do for the country."
The WSJ reports the company learned of the attack on May 7th after an employee found a ransom note on a control room computer. That evening, Blount decided to pay because he was unsure how badly the cyberattack had breached its systems.
The attack disrupted the company's operations and caused gas shortages all over the east coast of the United States.
Was paying a ransom the right thing to do for the United States, as the Colonial Pipeline CEO suggests?
Not according to Congressman Jim Langevin, who is on the Homeland Security Committee. He responded on Twitter:
"Paying cyber criminals $4.4 million, while freezing out the @FBI and @CISAgov, is not "good for the country."
Paying cyber criminals $4.4 million, while freezing out the @FBI and @CISAgov, is not "good for the country."
— Jim Langevin (@JimLangevin) May 19, 2021
I'll have some questions about Blount's judgement when he appears before @HomelandDems in a couple weeks.https://t.co/9P3VjFaakr
The ransom payment was also tracked by Elliptic, a crypto compliance company.
"Elliptic has identified the Bitcoin wallet used by the DarkSide ransomware group to receive ransom payments from its victims, based on our intelligence collection and analysis of blockchain transactions. This wallet received the 75 BTC payment made by Colonial Pipeline on May 8..."
Based on the value of Bitcoin on that day, the ransom payment was worth approximately $4.4 million, the same amount Colonial Pipeline's CEO says the company paid.
But just because Colonial Pipeline made the tough decision to pay the ransom does not mean they are done dealing with the consequences of the attack.
Colonial Pipeline refuses to share ransom details with Congress
While the CEO now admits to paying the ransom, company officials did not admit that in front of Congress a day earlier.
And that fact is not going over too well.
Carolyn B. Maloney, Chairwoman of the Committee on Oversight and Reform, and Bennie G. Thompson, Chairman of the Committee on Homeland Security, issued the following statement:
"Following today's briefing from Colonial Pipeline... We're disappointed that the company refused to share any specific information regarding the reported payment of ransom during today's briefing. In order for Congress to legislate effectively on ransomware, we need this information.
This attack not only highlights glaring vulnerabilities in our critical infrastructure, it also exposes a marketplace in which it may be easier for a company to pay off a criminal than put resources towards preventing and defending against attacks."
What did Colonial Pipe get by paying the hacker ransom?
So did paying the ransom work for the company? According to the Wall Street Journal, the decryption tool received from the hackers only helped somewhat and was not enough to quickly restore operations.
The issue of ransomware attacks and payments that often follow will be a complicated task to tackle, for lawmakers and practitioners alike.
Cyber Attorney Shawn Tuma tells SecureWorld he personally likes the idea of banning ransomware payments, but at this point, it's not practical because too many organizations would go out of business without this option.
And he says there is much more companies can do to limit this risk in the first place:
"The answer is improved security and improved resilience planning.
And so that means, let's all understand number one, none of us are immune. So let's get our cyber risk management programs in place.
Let's follow the steps we need to improve our security to the highest level we reasonably can under our circumstances.
Then let's do resilience planning. Let's say okay, we've done everything reasonably possible."
One part of President Biden's Executive Order on Improving the Nation’s Cybersecurity encourages organizations to share information related to a breach.
Electricity operators and other critical infrastructure are required to do this, but not pipeline companies. Their cybersecurity efforts and sharing after an incident are voluntary.
Richard Glick is chairman of the Federal Energy Regulatory Commission and he is now publicly calling for this to change:
"The cyberattack against the Colonial Pipeline system, which provides nearly half of the fuel supply for the East Coast, is a stark reminder that we must do more to ensure the safety of our nation's energy infrastructure.
For over a decade, the Federal Energy Regulatory Commission (FERC), in coordination with the North American Electric Reliability Corporation, has established and enforced mandatory cybersecurity standards for the bulk electric system. However, there are no comparable mandatory standards for the nearly 3 million miles of natural gas, oil, and hazardous liquid pipelines that traverse the United States."
Maybe this part of the reason that some are now calling ransomware a national emergency.
DarkSide ransomware profits and operations
The DarkSide ransomware group was behind the Colonial Pipeline attack and is on the retreat.
The group announced that it will be shutting down its operations due to "pressure from the U.S."
But it has already made millions. Elliptic reports that since March, the group received Bitcoin transactions with a total value of $17.5 million through other ransomware attacks.
Would banning ransomware payments help stop this kind of cybercrime? Watch the SecureWorld livestream on this topic for some thought-provoking perspectives.