The ransomware group that carried out a crippling cyberattack on Colonial Pipeline has demanded millions in bitcoin cryptocurrency payment, though at this point the company has not paid, according to people familiar with the matter.
The group, previously identified as DarkSide, demanded nearly $5 million, two sources familiar with the incident said.
But it is looking like Colonial Pipeline will not have to pay up. The company, working with US government officials, has managed to retrieve the most important data that was stolen, according to a person familiar with the response. The person said the data was not retrieved from the hackers via a ransomware payment, but by leveraging the attackers’ use of intermediary servers within the United States to store the stolen information.
Experts have also told CNN that early action by the company means it may be able to restore its systems without paying the ransom.
In response to the attack, private sector companies worked with US agencies to take a key server offline as recently as Saturday, disrupting the cyberattacks against the pipeline operator, CNN previously reported.
That move appears to have made it possible for Colonial to take steps to restore its computer system from backups, rather than pay the ransom, according to Allan Liska, senior security architect at Recorded Future.
“Since the exfiltrated data was cut off and never reached the ‘homeland’ there is no real additional incentive to pay an extortion now,” Liska said, referring to what is likely Russia or another Eastern European country. On Wednesday, White House Press Secretary Jen Psaki referred to the FBI guidance on whether to pay ransoms. “Of course, the guidance from the FBI is not to do that,” she said.
The US government has not been providing advice to Colonial Pipeline on whether to pay the ransom or not, said another source.
Helping efforts to restore the pipeline is the fact that there are “no indications that the threat actor moved laterally” to the company’s operational networks, the Cybersecurity and Infrastructure Security Agency and Federal Bureau of Investigation said on Tuesday.
Colonial also said late Wednesday that it initiated the restart of pipeline operations but acknowledged “it will take several days for the product delivery supply chain to return to normal.”
New details emerging about decision to shut pipeline
Meanwhile, new details are emerging about Colonial’s decision to proactively shut down its pipeline last week, a move that has led to panic buying and massive lines at the gas pump.
The company halted operations because its billing system was compromised, three people briefed on the matter told CNN, and it was concerned it wouldn’t be able to figure out how much to bill customers for fuel they received.
One person familiar with the response said the billing system is central to the unfettered operation of the pipeline. That is part of the reason getting it back up and running has taken time, this person said.
Asked about whether the shutdown was prompted by concerns about payment, the company spokesperson said, “In response to the cybersecurity attack on our system, we proactively took certain systems offline to contain the threat, which temporarily halted all pipeline operations, and affected some of our IT systems.”
At this time, there is no evidence that the company’s operational technology systems were compromised by the attackers, the spokesperson added.
The Colonial spokesperson said that the company will not be commenting on the ransom “at this time,” citing the ongoing investigation. But ransom demands are typically running between 1% and 3% of a company’s gross revenue and are usually negotiated down to 1% to 2%, according to a source familiar with recent trends in ransomware payments.
Government working to identify individual hackers
At the same time, government officials have been working to identify the individual hackers behind the attack in order to hold them accountable.
In a joint federal government alert issued Tuesday night, CISA and the FBI confirmed that DarkSide was used as a “ransomware-as-a-service,” in which developers of the ransomware receive a share of the proceeds from the cybercriminal actors who deploy it, known as “affiliates.”
The “affiliate” in this case was likely Russian, according to sources familiar with the investigation. The affiliate could be a single individual, one of the sources said.
There are also indications that the individual actors who attacked Colonial, in conjunction with DarkSide, may have been inexperienced or novice hackers rather than well-seasoned professionals, according to three sources familiar with the Colonial investigation.
David Kennedy, the president of the cybersecurity firm TrustedSec, noted that DarkSide’s business model is to provide attackers with limited skills the funding and resources they need to actually launch the attacks, offering a platform from which both parties profit.
Among the signs that the hackers were novices is the fact that they chose a high-risk target that deals in a low-margin business, meaning the attack was unlikely to yield the kind of payout experienced ransomware actors are typically looking for, the sources told CNN.
“This was a gross miscalculation on the hackers’ part,” a source previously told CNN, noting the hackers likely had not anticipated that their attack would lead to the shutdown of one of the US’ largest refined products pipeline systems, spurring emergency White House meetings and a whole-of-government response.
This story has been updated with additional reporting.