Colonial Pipeline services restored.
Colonial Pipeline tweeted Saturday that its services had returned to normal.
After a brief disruption on the 18th caused by an IT problem, Colonial Pipeline tweeted that it had quickly resumed full service, and that the brief interruption was not the result of a cyberattack. "Our internal server that runs our nomination system experienced intermittent disruptions this morning due to some of the hardening efforts that are ongoing and part of our restoration process. These issues were not related to the ransomware or any type of reinfection," the company said.
Colonial's CEO Joseph Blount confirmed to the Wall Street Journal that he did authorize payment of $4.1 million in ransom to the company's extortionists. The urgency of restoring service, combined with the company's uncertainty about how extensively its systems had been compromised, drove the decision. He acknowledged that deciding to pay the ransom was difficult, and that he knew the decision would be controversial, but he judged the situation analogous to the challenge of restoring service after a natural disaster, like a Gulf hurricane.
The company's decision to pay ransom to the extortionists has drawn generally adverse comment (ironic, given that paying $5 million to DarkSide, the gang responsible, apparently didn't aid the recovery, which Colonial Pipeline had to do, in the end, from its own resources). Some, like the US National Security Council's Anne Neuberger, expressed a measure of sympathy for organizations caught in a tough spot. CNBC quoted her as saying, "We recognize that victims of cyberattacks often face a very difficult situation and they have to just balance often the cost-benefit when they have no choice with regards to paying a ransom. Colonial is a private company and we'll defer information regarding their decision on paying a ransom to them." This is not by any means an endorsement of giving in to extortionists. She pointed to the FBI's unambiguous advice against paying ransom.
And overall the consensus is with CISA, whose advice is summarized by SIGNAL: paying the ransom isn't a good practice. WIRED offers a long summary of the ways in which payment perpetuates a vicious cycle and fuels a bandit economy.
The consensus is also that ransomware attacks against critical infrastructure are likely to be attempted again. An op-ed published by the Australian Broadcasting Corporation frames the incident as a warning that there's worse to come unless the major cyber powers can arrive at some international norms that would produce an effective modus vivendi in cyberspace. The New York Times, in a piece that accepts DarkSide's self-presentation as a group of apolitical criminals, argues that the incident should be assessed in terms of the vulnerabilities it exposed.
Jalopnik's rather sour take on the incident is the observation that the ransomware didn't actually interfere with pipeline operations, just Colonial's ability to bill customers for deliveries, which is why the company shut its systems down. Their piece also quotes some of the communications from DarkSide recounted by Zero Day, like this one: "Before an attack, we carefully analyze your accountancy and determine how much you can pay based on your net income. You can ask all your questions in the chat before paying and our support will answer them." Jalopnik's comment is apt enough: "I can't get over this exchange where the hackers are blasé about the billing breach, and refer Colonial to their customer service as if this were some broadband outage from a [sh**ty] ISP."