Colonial Pipeline paid a $5 million ransom—and kept a vicious cycle turning

A woman at a gas station fills multiple gas canisters.

Nearly a week after a ransomware attack led Colonial Pipeline to halt fuel distribution on the East Coast, reports emerged on Friday that the company paid a 75 bitcoin ransom—worth as much as $5 million, depending on the time of payment—in an attempt to restore service more quickly. And while the company was able to restart operations Wednesday night, the decision to give in to hackers’ demands will only embolden other groups going forward. Real progress against the ransomware epidemic, experts say, will require more companies to say no.

Not to say that doing so is easy. The FBI and other law enforcement groups have long discouraged ransomware victims from paying digital extortion fees, but in practice many organizations resort to paying. They either don’t have the backups and other infrastructure necessary to recover otherwise, can’t or don’t want to take the time to recover on their own, or decide that it’s cheaper to just quietly pay the ransom and move on. Ransomware groups increasingly vet their victims’ financials before springing their traps, allowing them to set the highest possible price that their victims can still potentially afford.

In the case of Colonial Pipeline, the DarkSide ransomware group attacked the company’s business network rather than the more sensitive operational technology networks that control the pipeline. But Colonial took down its OT network as well in an attempt to contain the damage, increasing the pressure to resolve the issue and resume the flow of fuel along the East Coast. Another potential factor in the decision, first reported by Zero Day, was that the company’s billing system had been infected with ransomware, so it had no way to track fuel distribution and bill customers.

Advocates of zero tolerance for ransom payments hoped that Colonial Pipeline’s proactive shutdown was a sign that the company would refuse to pay. Reports on Wednesday indicated that the company had a plan to hold out, but numerous subsequent reports on Thursday, led by Bloomberg, confirmed that the 75 bitcoin ransom had been paid. Colonial Pipeline did not return a request for comment from WIRED about the payment. It is still unclear whether the company paid the ransom soon after the attack or days later, as fuel prices rose and lines at gas stations grew.

“I can’t say I’m surprised, but it’s certainly disappointing,” says Brett Callow, a threat analyst at antivirus company Emsisoft. “Unfortunately, it’ll help keep United States critical infrastructure providers in the crosshairs. If a sector proves to be profitable, they’ll keep on hitting it.”

In a briefing on Thursday, White House press secretary Jen Pskai emphasized in general that the US government encourages victims not to pay. Others in the administration struck a more measured note. “Colonial is a private company and we’ll defer information regarding their decision on paying a ransom to them,” said Anne Neuberger, deputy national security adviser for cyber and emerging technologies, in a press briefing on Monday. She added that ransomware victims “face a very difficult situation and they [often] have to just balance the cost-benefit when they have no choice with regards to paying a ransom.”

Researchers and policymakers have struggled to produce comprehensive guidance about ransom payments. If every victim in the world suddenly stopped paying ransoms and held firm, the attacks would quickly stop, because there would be no incentive for criminals to continue. But coordinating a mandatory boycott seems impractical, researchers say, and likely would result in more payments happening in secret. When the ransomware gang Evil Corp attacked Garmin last summer, the company paid the ransom through an intermediary. It’s not unusual for large companies to use a middleman for payment, but Garmin’s situation was particularly noteworthy because Evil Corp had been sanctioned by the US government.

“For some organizations, their business could be completely destroyed if they don’t pay the ransom,” says Katie Nickels, director of intelligence at the security firm Red Canary. “If payments aren’t allowed you’ll just see people being quieter about making the payments.”

Prolonged shutdowns of hospitals, critical infrastructure, and municipal services also threaten more than just finances. When lives are literally at stake, a principled stand against hackers quickly drops off of the priorities list. Nickels herself recently participated in a public-private effort to establish comprehensive United States–based ransomware recommendations; the group could not agree on definitive guidance about if and when to pay.

“The Ransomware Task Force discussed this extensively,” she says. “There were a lot of important things that the group came to a consensus on and payment was one where there was no consensus.”

As part of a cybersecurity executive order signed by President Joseph Biden on Wednesday, the Department of Homeland Security will create a Cyber Safety Review Board to investigate and debrief “significant” cyberattacks. That could at least help more payments be made in the open, giving the general public a fuller sense of the scale of the ransomware problem. But while the board has incentives to entice private organizations to participate, it may still need expanded authority from Congress to demand total transparency. Meanwhile, the payments will continue, and so will the attacks.

“You shouldn’t pay, but if you don’t have a choice and you’ll be out of business forever, you’re gonna pay,” says Adam Meyers, vice president of intelligence at the security firm CrowdStrike. “In my mind, the only thing that’s going to really drive change is organizations not getting got in the first place. When the money disappears, these guys will find some other way to make money. And then we’ll have to deal with that.”

For now, though, ransomware remains an inveterate threat. And Colonial Pipeline’s $5 million payment will only egg on cybercriminals.

This story originally appeared on wired.com.