Colonial Pipeline Co. paid a $5 million ransom in cryptocurrency to the hackers who shut down its network with ransomware -- taking the critical energy pipeline offline and triggering a national emergency -- within hours of the hack, according to a Bloomberg report citing unnamed sources on Thursday May 13.
"Once they received the payment, the hackers provided the operator with a decrypting tool to restore its disabled computer network. The tool was so slow that the company continued using its own backups to help restore the system," the story claimed, without naming a source.
Colonial Pipeline and the National Security Council both declined to comment. Former CISA Director Chris Krebs noted on Twitter that paying a ransom made those doing so an "active investor in a criminal enterprise."
In June 2020 the University of California made the unusual step of publicly acknowledging that it had paid cybercriminals $1.14 million (£1 million) to decrypt a “limited number of servers” in its School of Medicine that were hit by ransomware this month, saying that data encrypted in the attack, attributed to the Netwalker ransomware family, was important to "serving the public good... We therefore made the difficult decision to pay… for a tool to unlock the encrypted data and the return of the data."
Cybersecurity expert Kevin Beaumont, tweeting before the ransom payment had broken, noted: "The USG needs to stop treating big game ransomware as a victim punting to FBI exercise (they’re not equipped to stop it) and officially classify it as a national security risk, to enable covert action. Other governments need to do this too. It’s a runaway freight train, they’re getting too powerful too quickly, serious effort needs to be put in to catch up with said train. I cannot stress how far behind everybody is."
When asked by reporters late on Thursday whether he had been briefed on the fact that Colonial Pipeline Co. had allegedly paid the ransom, US President Joe Biden said he had "no comment on that."
An executive order signed by Biden May 12, meanwhile, aims to help improve cybersecurity across both the federal and private sectors. Explicitly, it aims to:
- Remove barriers to threat information sharing between government and the private sector, by ensuring IT Service Providers are able to share information with the government -- and requiring them to share certain breach information.
- Help "move the Federal government to secure cloud services and a zero-trust architecture, and mandates deployment of multifactor authentication and encryption with a specific time period."
- Improve the security of software by "establishing baseline security standards for development of software sold to the government... Too much of our software, including critical software, is shipped with significant vulnerabilities that our adversaries exploit. This is a long-standing, well-known problem, but for too long we have kicked the can down the road. We need to use the purchasing power of the Federal Government to drive the market to build security into all software from the ground up."
- Create a standardised playbook and set of definitions for cyber incident response by federal departments and agencies. As the White House noted: "Recent incidents have shown that within the government the maturity level of response plans vary widely. The playbook will ensure all Federal agencies meet a certain threshold and are prepared to take uniform steps to identify and mitigate a threat."
- Improve Detection of Cybersecurity Incidents on Federal Government Networks in a bid to tackle the "slow and inconsistent deployment of foundational cybersecurity tools and practices"
Speaking to The Stack's founder Ed Targett in late 2020, one senior UK cybercrime officer said: "“It would be difficult to argue credibly that we aren't [outgunned]. The public sector are never going to be particularly cutting edge with their standard IT and training equipment that we give to people.
"We bring in bright young things straight out of university; you come into law enforcement and it’s a case of ‘here’s your Windows 7 laptop and 50p to put in the slot on the side’. We’re not always keeping pace."
The names of bluechip companies hit by ransomware over the past 12 months meanwhile just keeps growing: Honda, one of the world’s biggest car manufacturers; Cognizant, a major IT services company; Finastra, a prominent banking services provider; MaxLinear, a NYSE-listed semiconductor specialist: the list goes on. (Cybersecurity Ventures predicts cybercrime will cost the world in excess of $6 trillion in 2021.)