A plastic bag covering a fuel pump to signal no gas is available is seen at a Circle K gas station after a cyberattack crippled the biggest fuel pipeline in the country, run by Colonial Pipeline, in Lakeland, Florida, U.S. May 14, 2021.

OCTAVIO JONES/Reuters

Gas shortages at the pumps have spread from the South, all but emptying stations in Washington, D.C., following a ransomware cyberattack that forced a shutdown of the nation’s largest gasoline pipeline. Though the pipeline operator paid a ransom, restoring service was taking time.

As Georgia-based Colonial Pipeline reported making “substantial progress” in restoring full service, multiple sources confirmed that the company had paid the criminals a ransom of nearly $5 million in cryptocurrency for the software decryption key required to unscramble their data network.

The ransom – 75 Bitcoin – was paid last Saturday, a day after the criminals locked up Colonial’s corporate network, according to Tom Robinson, co-founder of the cryptocurrency-tracking firm Elliptic. Prior to Robinson’s blog post, two people briefed on the case had confirmed the payment amount to The Associated Press.

The FBI advises against paying such ransoms because it only encourages a global criminal feeding frenzy that has worsened during the pandemic. But many ransomware victims – especially those ill-prepared for a quick recovery with carefully managed backups – opt to pay.

President Joe Biden said Thursday that his administration would seek to put the responsible Russian-speaking ransomware syndicate out of business, and its operators later said they were shutting down. Biden has said he intends to speak directly to Russian President Vladimir Putin about his government’s harboring of ransomware criminals that have caused tens of billions of dollars in damages in the West in the past year. The pipeline shutdown is the most damaging cyberattack on U.S. soil.

The tracking service GasBuddy.com on Friday showed that 88% of gas stations were out of fuel in the nation’s capital, 45% were out in Virginia and 39% of Maryland stations were dry. About 65% of stations were without gas in North Carolina, and nearly half were tapped out in Georgia and South Carolina.

Colonial said Thursday that operations had restarted and gasoline deliveries were being made in all of its markets, but it would take “several days” to return to normal.

A gas station owner in Virginia said panic buying is the problem.

“It’s like a frenzy,” Barry Rieger, who owns a gas station in Burke, Virginia, told WJLA-TV.

Many authorities are warning of the dangers of hoarding gas.

In South Carolina, a woman was severely burned after flipping a car that a deputy tried to pull over for a suspected stolen license plate Thursday night. The fire touched off multiple explosions due to fuel “that she was hoarding in the trunk of the vehicle,” a Pickens County sheriff’s statement said.

A cyberattack by hackers who lock up computer systems and demand a ransom to release them hit the pipeline on May 7. The hackers didn’t take control of the pipeline’s operations, but Colonial shut it down to prevent the malware from impacting its industrial control systems.

Biden has promised aggressive action against DarkSide, the syndicate responsible for the attack. Its public-facing darknet site went offline on Thursday, and its operators said in a cybercriminal forum post that the group had lost access to it and would be shutting down.

This does not necessarily mean U.S. or allied cyberjockeys knocked it offline. Cybersecurity experts said that DarkSide, which rents out its ransomware to partners to carry out the actual attacks, could have taken it down to prevent Western law enforcement from tracking down the rest of its infrastructure.

It could also be an “exit scam,” many noted. Ransomware gangs have dissolved and “rebranded” under different names in the past when the heat was on. In his blog post, Robinson of Elliptic said the cryptocurrency wallet used by DarkSide to receive the Colonial payment was emptied on Thursday.

Yelisey Boguslavskiy, director of research of the cybersecurity firm Advanced Intelligence, noted that the moderator of a top darknet forum for Russian-speaking cybercriminals, XSS, said Thursday that “he was officially prohibiting all ransomware-related activity and discussion on the forum.”

That could suggest fears of a U.S. crackdown – or pressure from the Kremlin. While there is no indication the Kremlin benefits from ransomware extortion, U.S. officials say ransomware gangs are tolerated by Russia’s security services, which have employed some of their members.

DarkSide stole information from Colonial’s network prior to locking up the data on May 7. What it stole is unclear. The company is not saying. DarkSide is among the ransomware gangs that employ double extortion, threatening to dump online sensitive data they steal before activating the ransomware. In Colonial’s case, that could potentially include data on contracts with suppliers that would be of keen interest to stock and commodities traders.

The Colonial Pipeline system stretches from Texas to New Jersey and delivers about 45% of the gasoline consumed on the East Coast.

Richard Joswick, global head of oil analytics at S&P Global Platts, said gas stations should be back to normal next week if the pipeline restart goes as planned and consumers are convinced they no longer need to panic-buy fuel. Full recovery would take several more weeks, he estimated.
