Colonial Pipeline — DarkSide ransomware

On 7 May 2021, Colonial Pipeline — operator of the 5,500-mile pipeline that delivers approximately 45% of all gasoline, diesel and jet fuel consumed on the US East Coast — discovered ransomware on its corporate IT systems. The malware was DarkSide, a ransomware-as-a-service platform operated by a Russian-speaking criminal group that ran an affiliate model: the operators provided the malware and infrastructure, affiliates delivered intrusions, and the proceeds were split. The Colonial breach is believed to have entered through a compromised legacy VPN account that did not have multi-factor authentication enabled and whose password had been reused on a third-party site that had previously been breached.

Colonial Pipeline’s response was to shut down the entire pipeline within hours of discovering the ransomware. The pipeline’s billing and scheduling systems were on the affected corporate IT network; the operational technology managing valve, pressure and flow control was on a separate network and was not encrypted. Colonial took the OT environment offline as a precaution because the company could not bill customers for fuel deliveries while its IT systems were encrypted, and continuing to deliver fuel without billing was operationally impossible. The shutdown lasted six days. Fuel shortages and queues spread across the South-eastern US; airlines re-routed; the President declared a regional emergency; gasoline prices rose nationally for the first time in seven years.

Colonial paid 75 BTC (approximately $4.4 million at the time) to DarkSide in exchange for a decryptor that, in the event, ran more slowly than restoring from backup and was largely not used. In June 2021, the FBI announced it had recovered approximately 64 BTC ($2.3 million) of the ransom payment after gaining access to the wallet’s private key — a recovery that demonstrated, to the surprise of much of the criminal-underground audience, that crypto payments were not as untraceable as had been assumed. DarkSide announced shortly after the Colonial breach that it was disbanding under “law enforcement pressure”; observers assessed the announcement as a rebrand rather than an actual exit.

Defender takeaway: the entry vector — single-factor VPN with a credential-stuffed password — was a textbook avoidable failure that has been quoted in security awareness training thousands of times since. The deeper lesson is operational coupling: the OT environment was technically separated from IT, but the business processes for billing customers were not. A pipeline operator that cannot accurately measure and bill for fuel deliveries cannot operate the pipeline, even if the OT network itself is technically unaffected. Operational-resilience planning that treats IT and OT as fully decoupled fails where the business processes binding them together are required for normal operations. The third lesson — recovery — is that a paid ransom does not necessarily provide useful decryption; restoration from backup remains the recovery path that actually works in most major ransomware events.