National Security

Colonial Pipeline CEO Defends $4.4M Ransom Payment Decision

Joseph Blount told senators that authorizing the payment to hackers was the right thing to do to bring an end to the pandemonium and fuel shortages.

Colonial Pipeline CEO Defends $4.4M Ransom Payment Decision
Graeme Jennings / Pool via AP

The chief executive of the massive fuel pipeline hit by ransomware last month told senators on Tuesday that authorizing a multi-million-dollar payment to hackers was the right thing to do to bring an end to fuel shortages affecting much of the eastern United States, even as authorities have discouraged such payments.

Asked how much worse it would have been if Colonial Pipeline hadn't paid to get its data back, CEO Joseph Blount said, "That's an unknown we probably don't want to know. And it’s an unknown we probably don’t want to play out in a public forum."

He said that given the company's crucial role in fuel transport, and the potential for "pandemonium" arising from a prolonged shutdown of the pipeline, he made the decision to pay a ransom to the hackers. 

The encryption tool the hackers provided the company in exchange for the payment helped "to some degree" but has not been perfect, with Colonial still in the process of fully restoring its system, Blount said.

He faced the Senate Homeland Security Committee, one day after the Justice Department revealed it had recovered the majority of the $4.4 million ransom payment the company made in hopes of getting its system back online.

Blount's testimony marks his first appearance before Congress since the May 7 ransomware attack that led Georgia-based Colonial Pipeline, which supplies roughly half the fuel consumed on the East Coast, to temporarily halt operations. 

The attack has been attributed to a Russia-based gang of cybercriminals using the DarkSide ransomware variant, one of more than 100 variants the FBI is currently investigating.

The company began negotiating with the hackers on the evening of the attack and, the following day, paid a ransom of 75 bitcoin — then valued at roughly $4.4 million. 

Though the FBI has historically discouraged ransomware payments for fear of encouraging cyberattacks, Colonial officials have said they saw the transaction as necessary to resume the vital fuel transport business as rapidly as possible.

"It was one of the toughest decisions I have had to make in my life," Blount said in prepared remarks. "At the time, I kept this information close hold because we were concerned about operational security and minimizing publicity for the threat actor. But I believe that restoring critical infrastructure as quickly as possible, in this situation, was the right thing to do for the country."

The attack, which Blount says began after hackers exploited a virtual private network that was not intended to be in use and has since been shut down, had significant collateral consequences, including gas shortages as concerned motorists rushed to fill their tanks.

The operation to seize cryptocurrency paid to the Russia-based hacker group is the first of its kind to be undertaken by a specialized ransomware task force created by the Biden administration Justice Department. 

It reflects a rare victory in the fight against ransomware as U.S. officials scramble to confront a rapidly accelerating threat targeting critical industries around the world.

Cryptocurrency is favored by cybercriminals because it enables direct online payments regardless of geographical location, but in this case, the FBI was able to identify a virtual currency wallet used by the hackers and recovered the proceeds from there. 

The Justice Department did not provide details about how the FBI had obtained a "key" for the specific bitcoin address, but said law enforcement had been able to track multiple transfers of the cryptocurrency.

The bitcoin amount seized — 63.7, currently valued at $2.3 million after the price of Bitcoin tumbled — amounted to 85% of the total ransom paid, which is the exact amount that the cryptocurrency-tracking firm Elliptic says it believes was the take of the affiliate who carried out the attack. 

The ransomware software provider, DarkSide, would have gotten the other 15%.

"The extortionists will never see this money," said Stephanie Hinds, the acting U.S. attorney for the Northern District of California, where a judge earlier Monday authorized the seizure warrant.

Additional reporting by the Associated Press.