Colonial Pipeline paid its extortionists roughly 75 Bitcoin, or nearly $5 million, to regain access to its encrypted data and keep it from being leaked, according to people briefed on the transaction.
The payment came after cybercriminals last week held up Colonial Pipeline’s business networks with ransomware, a form of malware that encrypts data until the victim pays, and, having also copied the data, threatened to release it online. Colonial Pipeline pre-emptively shut down its pipeline operations to keep the ransomware from spreading and because it had no way to bill customers with its business and accounting networks offline.
The shutdown of the company’s network, which includes 5,500 miles of pipeline that supplies nearly half the gas, diesel and jet fuel to the East Coast, triggered a cascading crisis: emergency meetings at the White House, a jump in gas prices, panic buying at the gas pumps, and fuel stops for some airlines on long-haul flights.
The ransom payment was first reported by Bloomberg. A spokeswoman for Colonial declined to confirm or deny that the company had paid a ransom.
President Biden also declined to answer whether Colonial Pipeline had paid its extortionists in a press briefing on Thursday. He did not rule out the possibility that the administration would target the cybercriminals, a ransomware outfit called DarkSide, with a retaliatory strike. He said the United States would pursue “a measure to disrupt their ability to operate.”
Jen Psaki, the White House press secretary, said in a separate briefing, “It’s the recommendation of the F.B.I. to not pay ransom in these cases,” because it can incentivize cybercriminals to conduct more attacks. She added that “private sector entities or companies are going to make their own decisions.”
DarkSide has tried to distance itself from politics. In a statement on its website, the group said it tried to avoid being political — an effort perhaps to thwart a pre-emptive strike by the United States, which took a major ransomware conduit offline last year to head off an attack on the 2020 election.
On Thursday, eight websites associated with DarkSide were pulled offline. It was not immediately clear why. The United States Cyber Command referred questions to the National Security Council, which declined to comment.
It has taken several days for Colonial to begin bringing its pipeline back online, a process that officials said would take time. Mr. Biden encouraged Americans not to panic-buy gas and warned gas companies to refrain from price gouging.
“This is not like flicking on a light switch,” he said, noting that Colonial’s pipeline had never before been shut down.
Colonial has not shared many details about the incident, or why it was necessary to shut down the pipeline, whose control systems other operators keep separated from their business networks so that an intrusion on the corporate side cannot reach the systems that physically run the pipeline. Cybersecurity experts have said the attack and its fallout demonstrated a lack of cyber resilience and planning.
Kim Zetter, a cybersecurity journalist, first reported that Colonial had shut down its pipeline partly because its billing systems were taken offline and it had no way to charge customers.
Many organizations across the United States, including police departments, have opted to pay their ransomware extortionists rather than suffer the loss of critical data or incur the costs of rebuilding computer systems from scratch.
In a separate ransomware attack on the Washington, D.C., Metropolitan Police Department, hackers said the price the police offered to pay was “too small” and dumped 250 gigabytes of the department’s data online this week, including databases that track gang members and social media preservation requests.
“This is an indicator of why we should pay,” the cybercriminals, called Babuk, said in a post online. “The police also wanted to pay us, but the amount turned out to be too small. Look at this wall of shame,” they wrote, “you have every chance of not getting there. Just pay us!”
Julian E. Barnes contributed reporting.