Gas shortages at the pumps have spread from the South, all but emptying stations in Washington, D.C., following a ransomware cyberattack that forced a shutdown of the nation’s largest gasoline pipeline. Though the pipeline operator paid a ransom, restoring service was taking time.
As Georgia-based Colonial Pipeline reported making “substantial progress” in restoring full service, multiple sources confirmed that the company had paid the criminals a ransom of nearly $5 million in cryptocurrency for the software decryption key required to unscramble their data network.
The ransom – 75 Bitcoin – was paid last Saturday, a day after the criminals locked up Colonial’s corporate network, according to Tom Robinson, co-founder of the cryptocurrency-tracking firm Elliptic. Prior to Robinson’s blog post, two people briefed on the case had confirmed the payment amount to The Associated Press.
The FBI advises against paying such ransoms because it only encourages a global criminal feeding frenzy that has worsened during the pandemic. But many ransomware victims – especially those ill-prepared for a quick recovery with carefully managed backups – opt to pay.
President Joe Biden said Thursday that his administration would seek to put the responsible Russian-speaking ransomware syndicate out of business, and its operators later said they were shutting down. Biden has said he intends to speak directly to Russian President Vladimir Putin about his government’s harboring of ransomware criminals that have caused tens of billions of dollars in damages in the West in the past year. The pipeline shutdown is the most damaging cyberattack on U.S. soil.
The tracking service GasBuddy.com on Friday showed that 88% of gas stations were out of fuel in the nation’s capital, 45% were out in Virginia and 39% of Maryland stations were dry. About 65% of stations were without gas in North Carolina, and nearly half were tapped out in Georgia and South Carolina.
Colonial said Thursday that operations had restarted and gasoline deliveries were being made in all of its markets, but it would take “several days” to return to normal.
A gas station owner in Virginia said panic buying is the problem.
“It’s like a frenzy,” Barry Rieger, who owns a gas station in Burke, Virginia, told WJLA-TV.
Many authorities are warning of the dangers of hoarding gas.
In South Carolina, a woman was severely burned after flipping a car that a deputy tried to pull over for a suspected stolen license plate Thursday night. The fire touched off multiple explosions due to fuel “that she was hoarding in the trunk of the vehicle,” a Pickens County sheriff’s statement said.
A cyberattack by hackers who lock up computer systems and demand a ransom to release them hit the pipeline on May 7. The hackers didn’t take control of the pipeline’s operations, but Colonial shut it down to prevent the malware from impacting its industrial control systems.
Biden has promised aggressive action against DarkSide, the syndicate responsible for the attack. Its public-facing darknet site went offline on Thursday, and its operators said in a cybercriminal forum post that the group had lost access to it and would be shutting down.
This does not necessarily mean U.S. or allied cyberjockeys knocked it offline. Cybersecurity experts said that DarkSide, which rents out its ransomware to partners to carry out the actual attacks, could have taken it down to prevent Western law enforcement from tracking down the rest of its infrastructure.
It could also be an “exit scam,” many noted. Ransomware gangs have dissolved and `rebranded’ under different names in the past when the heat was on. In his blog post, Robinson of Elliptic said the cryptocurrency wallet used by DarkSide to receive the Colonial payment was emptied on Thursday.
Yelisey Boguslavskiy, director of research of the cybersecurity firm Advanced Intelligence, noted that the moderator of a top darknet forum for Russian-speaking cybercriminals, XSS, said Thursday that “he was officially prohibiting all ransomware-related activity and discussion on the forum.”
That could suggest fears of a U.S. crackdown – or pressure from the Kremlin. While there is no indication the Kremlin benefits from ransomware extortion, U.S. officials say ransomware gangs are tolerated by Russia’s security services, which have employed some of their members.
DarkSide stole information from Colonial’s network prior to locking up the data on May 7. What it stole is unclear. The company is not saying. DarkSide is among the ransomware gangs that employ double extortion, threatening to dump online sensitive data they steal before activating the ransomware. In Colonial’s case, that could potentially include data on contracts with suppliers that would be of keen interest to stock and commodities traders.
The Colonial Pipeline system stretches from Texas to New Jersey and delivers about 45% of the gasoline consumed on the East Coast.
Richard Joswick, global head of oil analytics at S&P Global Platts, said gas stations should be back to normal next week if the pipeline restart goes as planned and consumers are convinced they no longer need to panic-buy fuel. Full recovery would take several more weeks, he estimated.
Our Morning Update and Evening Update newsletters are written by Globe editors, giving you a concise summary of the day’s most important headlines. Sign up today.