Colonial Pipeline Pays Hackers $5M In Bitcoin To Restore Services As DarkSide Drops Off The Face Of The Internet Without A Trace
News of the Colonial Pipeline ransomware attack and the ensuing gas shortage has been everywhere in headlines this week as people attempt to learn more about the mysterious hacker group DarkSide. Late yesterday, Bloomberg reported that Colonial Pipeline had paid the hackers about $5 million in Bitcoin to regain access to its systems, sparking controversy online.
Contradicting reports earlier this week that the company had no intention of paying an extortion fee, Bloomberg cited “two people familiar with the transaction” and a third person “familiar with the situation” who said U.S. government officials are aware that Colonial made the payment. Upon receiving payment, DarkSide allegedly gave Colonial a “decrypting tool” to restore its crippled computer network.
Can confirm that Colonial Pipeline paid its extortionists 75 Bitcoin on Monday - nearly $5 million - to recover stolen data.
— Nicole Perlroth (@nicoleperlroth) May 13, 2021
Unsurprisingly, much of the ensuing discussion revolved around people being flabbergasted that Colonial would negotiate with the hacking group, let alone pay them.
Colonial Pipeline admitted today it paid nearly $5 million to Eastern European hackers last Friday, within hours of the attack, in untraceable cryptocurrency. This only encourages other criminal hackers. It should be illegal.
— Robert Reich (@RBReich) May 13, 2021
Russian hackers who shut down the Colonial pipeline were paid nearly $5M in ransom by its owners, the evil Koch family. It’s so coincidental the oh so many connections Russia has with GQP mega donors and paying them some “ransom” in untraceable cryptocurrency is quite something.
— Ricky Davila (@TheRickyDavila) May 14, 2021
The FBI’s stance on such attacks is to discourage any organization from paying a ransom: payment emboldens other groups to attempt similar attacks, and there is no guarantee the attackers will hand over a working decryptor rather than simply take the money and run. The FBI said the hackers behind this particular attack are linked to a group based in Russia or Eastern Europe that specializes in digital extortion.
Feeling the heat, DarkSide ransomware group -- the one responsible for attacking Colonial Pipeline -- closes after its servers were seized and cryptocurrency holdings mysteriously disappeared. Closure comes as crime forums start banning ransomware threads https://t.co/aNkVt5wfnX
— briankrebs (@briankrebs) May 14, 2021
Interestingly, earlier today, amid news of the payment, DarkSide reportedly stated that it would be shutting down. Whether the payout prompted the decision is unclear, but the group later told other criminal associates that it had lost access to the infrastructure it uses to run its operation and would be closing. According to security firms FireEye and Intel 471, DarkSide cited pressure from law enforcement and from the U.S. government following the attack among its reasons.
The group also claimed that the cryptocurrency payment was withdrawn from DarkSide’s payment server and transferred to an unknown wallet, so whether or not the group actually kept the 75 Bitcoin remains unknown.
According to the Wall Street Journal, security experts note that cybercriminal groups like DarkSide often disband and return under different names, so its claims of shutting down should be treated with skepticism.
UPDATE Colonial Pipeline will be operational once a large obstruction in the State of Georgia is removed: pic.twitter.com/Kreu0vDJFI
— Trung Phan 🇨🇦 (@TrungTPhan) May 14, 2021