Colonial CEO defends $4.3M ransomware payment

A gas station in Florida out of fuel in the wake of the Colonial Pipeline shutdown. (Image credit: Hayden Dunsel/Shutterstock.com)

Joseph Blount, the chief executive officer of Colonial Pipeline, on Tuesday defended the company's ransom payment to the criminal group Darkside and said Colonial is continuing to work with law enforcement and cybersecurity consultants to restore their business systems.

"I believe with all my heart it was the right choice to make," Blount told the Senate Homeland Security and Governmental Affairs Committee. The Colonial chief said the choice to make the payment was entirely his as was the choice to keep it confidential for several days after the initial attack.

Blount said his company also hired legal assistance to ensure Darkside was not sanctioned by the Treasury Department's office of foreign asset control as well as negotiators who made direct contact with Darkside on Colonial's behalf.

The Justice Department on Monday announced it identified and recovered approximately $2.3 million of the $4.3 million ransom Colonial Pipeline paid in Bitcoin.

Senators, who seemed largely skeptical of the company's capitulation to the hackers, noted the FBI's longstanding advice not to pay. They asked about the effectiveness of the decryption tool Darkside provided in exchange for the ransom payment. Blount said the tools were helpful but conceded they are not perfect.

Blount also said he was "disappointed" in remarks by Brandon Wales, the acting chief of the Cybersecurity and Infrastructure Security Agency, that Wales believed Colonial would not have contacted CISA had the FBI not acted as an intermediary.

Blount said Colonial was working to contact a long list of law enforcement and government agencies following the attack. Early on during the incident, the FBI indicated to Colonial that they would bring CISA into a phone call and that is why Colonial did not reach out to CISA directly.

"If the FBI had not called them, we would have. We called every other governmental agency we were required to and then some that day," Blount said. "I don't know why he [Wales] made that statement, but I can tell you we would have called him."

The hearing comes as multiple companies across the U.S. also suffered ransomware attacks in the weeks following the one on Colonial Pipeline, ranging from a meat-packing company and the New York City subway to a communications application widely used by members Congress.

In addition to working the FBI, Blount confirmed Colonial has brought in consultants from the cybersecurity firms Mandiant, Dragos and Black Hills.

Blount also faced questions about how Darkside breached Colonial's IT systems. Early reports indicated the company's legacy virtual private network was compromised. Asked whether that VPN was using multi-factor authentication, Blount said it was not.

He added that the VPN used a "complicated password," as opposed to "Colonial123." (The chief executive of SolarWinds publicly blamed a company intern for setting a password to "SolarWinds123.")

Blount added that Mandiant is continuing to investigate how hackers cracked the password.

Sen. Jacky Rosen (D-Nev.) asked Blount about reports stating Colonial Pipeline declined to participate in a voluntary cybersecurity assessment offered by the Transportation Security Administration. He said he was "shocked" to learn his company did not participate, but also did not deny the reports. Blount said the coronavirus pandemic had got in the way of scheduling the review, but the company has now scheduled it for July.

Blount is scheduled to testify again before a House committee on Wednesday.