Colonial Pipeline paid $5 million ransom and started a vicious cycle


Almost a week after a ransomware attack led Colonial Pipeline to halt fuel distribution on the East Coast, reports were released Friday that the company had paid a ransom of 75 bitcoins – worth up to $5 million, depending on the time of payment – with the goal of restoring service faster. And although the company was able to restart operations on Wednesday evening, the decision to give in to hackers’ demands will only embolden other groups in the future. Real progress against the ransomware epidemic will require more companies to say no, experts say.

That doesn’t mean it’s easy. The FBI and other law enforcement groups have long discouraged ransomware victims from paying digital extortion fees, but in practice many organizations resort to payment. Either they don’t have the backups and other infrastructure needed to recover otherwise, can’t or won’t take the time to recover on their own, or decide that it’s cheaper to just quietly pay the ransom and move on to something else. Ransomware groups increasingly check their victims’ finances before setting their traps, allowing them to set the highest price their victims can still afford.

In the case of Colonial Pipeline, the DarkSide ransomware group attacked the company’s business network rather than the more sensitive operational technology networks that control the pipeline. But Colonial also cut its OT network in an attempt to contain the damage, increasing the pressure to resolve the issue and resume the flow of fuel along the East Coast. Another potential factor in the decision, first reported by Zero Day, was that the company’s billing system had been infected with ransomware, so it had no way of tracking fuel delivery and billing customers.

Proponents of zero tolerance for ransom payments hoped the proactive shutdown of Colonial Pipeline was a sign the company would refuse to pay. Reports on Wednesday indicated that the company intended to hold out, but numerous reports subsequent to Thursday, led by Bloomberg, confirmed that the 75 bitcoin ransom had been paid. Colonial Pipeline did not return a request for comment from WIRED regarding the payment. It is still unclear whether the company paid the ransom soon after the attack or a few days later, as fuel prices rose and gas station lines grew.

“I can’t say I’m surprised, but it’s certainly disappointing,” said Brett Callow, threat analyst at antivirus company Emsisoft. “Unfortunately, this will help keep US critical infrastructure providers in the spotlight. If an industry turns out to be profitable, they will keep hitting it.”

In a briefing Thursday, White House press secretary Jen Psaki generally stressed that the US government encourages victims not to pay. Other members of the administration struck a more measured note. “Colonial is a private company and we will defer information regarding their decision to pay them a ransom,” Anne Neuberger, deputy national security adviser for cyber and emerging technologies, said Monday. She added that ransomware victims “face a very difficult situation and [often] just have to balance the cost-benefit ratio when they have no choice but to pay a ransom.”

Researchers and policymakers have struggled to produce comprehensive advice on ransom payments. If every victim in the world suddenly stopped paying ransoms and stood firm, the attacks would cease quickly, as there would be no incentive for the criminals to continue. But coordinating a mandatory boycott seems impractical, researchers say, and would likely result in more secret payments. When the Evil Corp ransomware gang attacked Garmin last summer, the company paid the ransom through an intermediary. It’s not unusual for large corporations to use a payment intermediary, but Garmin’s situation was particularly noteworthy because Evil Corp had been sanctioned by the US government.

“For some organizations, their business could be completely destroyed if they don’t pay the ransom,” says Katie Nickels, director of intelligence at security firm Red Canary. “If the payments aren’t allowed, you’ll just find people are quieter about making the payments.”

Prolonged closures of hospitals, critical infrastructure and municipal services also threaten more than just finances. When lives are literally on the line, a principled stance against hackers quickly falls off the priority list. Nickels herself recently participated in a public-private effort to establish comprehensive US-based ransomware recommendations; the group could not agree on final guidelines on whether and when to pay.

“The ransomware task force has discussed this at length,” she says. “There were a lot of important things that the group came to consensus on and the payout was one that there was no consensus on.”

As part of an executive order on cybersecurity signed by President Joseph Biden on Wednesday, the Department of Homeland Security will establish a Cyber Security Review Committee to investigate and take stock of “significant” cyber attacks. the general public has a better idea of the scale of the ransomware problem. But if the board is prompted to encourage private organizations to participate, it may still need expanded authority from Congress to demand full transparency. In the meantime, the payments will continue, and so will the attacks.

“You shouldn’t be paying, but if you don’t have a choice and you’re definitely bankrupt, you’re going to pay,” said Adam Meyers, vice president of intelligence at security firm CrowdStrike. mind, the one thing that will really drive change is that organizations aren’t taken in the first place. When the money is gone, these guys will find another way to make money. And then we’ll have to deal with it.

For now, however, ransomware remains a serious threat. And Colonial Pipeline’s $5 million payment will only make cybercriminals stronger.

This story originally appeared on

