T-9. Colonial Pipeline

Ransom Paid: $4.4 Million

A May ransomware attack prompted Colonial Pipeline to shut down its 5,500-mile natural gas pipeline for five days, resulting in more than 10,000 gas stations across the Southeastern U.S. being out of fuel. Colonial Pipeline paid the Darkside ransomware group $4.4 million on May 8 with the hope of restoring operations on its pipeline sooner, although federal officials were able to seize back most of the ransom.

Colonial Pipeline paid the ransom in untraceable cryptocurrency within hours of the initial attack in exchange for a decrypting tool that could be used to restore its computer network. However, Darkside’s decryption tool was so slow that Colonial continued using its own backups to help restore the system, a source familiar with the company’s efforts told Bloomberg.

Law enforcement officials in June said they were able to track multiple transfers of Colonial’s ransom payment by reviewing the Bitcoin public ledger and identified $2.3 million of proceeds that had been transferred to a specific address. The Federal Bureau of Investigation was able to obtain the “private key”—the rough equivalent of a password—needed to seize assets from that specific Bitcoin address.