Colonial Pipeline CEO tells why he paid hackers a $4.4M ransom

For years, the Federal Bureau of Investigation has advised companies not to pay when hit with ransomware

The operator of the Colonial Pipeline learned it was in trouble at daybreak on May 7, when an employee found a ransom note from hackers on a control-room computer. By that night, the company's chief executive came to a difficult conclusion: He had to pay.

Joseph Blount, CEO of Colonial Pipeline Co., told The Wall Street Journal that he authorized the ransom payment of $4.4 million because executives were unsure how badly the cyberattack had breached its systems or how long it would take to bring the pipeline back.

Mr. Blount acknowledged publicly for the first time that the company had paid the ransom, saying it was an option he felt he had to exercise, given the stakes involved in a shutdown of such critical energy infrastructure. The Colonial Pipeline provides roughly 45% of the fuel for the East Coast, according to the company.

"I know that's a highly controversial decision," Mr. Blount said in his first public remarks since the crippling hack. "I didn't make it lightly. I will admit that I wasn't comfortable seeing money go out the door to people like this."

"But it was the right thing to do for the country," he added.

For years, the Federal Bureau of Investigation has advised companies not to pay when hit with ransomware, malware that encrypts a victim's files and systems and demands payment for the key to unlock them. Doing so, officials have said, would support a booming criminal marketplace.

But many companies, municipalities and others debilitated by attacks do pay, concluding it is the only way to avoid costly disruptions to their operations.

U.S. officials have linked the ransomware attack on Colonial to a criminal gang known as DarkSide, believed to be based in Eastern Europe, which develops the ransomware and leases it to affiliates who carry out the intrusions, in exchange for a cut of the ransoms they collect.

Mr. Blount said Colonial paid the ransom in consultation with experts who had previously dealt with the criminal organization behind the attacks. He and others involved declined to detail who assisted in those negotiations.

In return for the payment, made on the night of May 7 in the form of bitcoin, according to a person familiar with the matter, the company received a decryption tool to unlock the systems hackers penetrated. While it proved to be of some use, it was ultimately not enough to immediately restore the pipeline's systems, the person said.

The pipeline, which transports gasoline, diesel, jet fuel and other refined products from the Gulf Coast to Linden, N.J., wound up being shut down for six days. The stoppage spurred a run on gasoline along parts of the East Coast that pushed prices to the highest levels in more than 6 1/2 years and left thousands of gas stations without fuel.

The pipeline company, which is based in Alpharetta, Ga., and owned by units of IFM Investors, Koch Industries Inc., KKR & Co. and Royal Dutch Shell PLC, restored service on the pipeline last week. It said Monday that it was transporting fuel at normal levels, though it warned that it would take time for the supply chain to recover.

The crisis was a test of leadership for Mr. Blount, 60 years old, who has led the company since 2017. He had co-founded private equity-backed pipeline company Century Midstream LLC in 2013, after working as an executive and in other roles at energy companies over an almost 40-year career.

Over the past five years, Mr. Blount said, Colonial has invested about $1.5 billion in maintaining the integrity of its 5,500-mile pipeline system, and has spent $200 million on IT.

For Mr. Blount, the cyberattack was akin to the Gulf Coast hurricanes that often force segments of pipelines and refineries to shut down for days or weeks. However, it was in some ways more devastating. The Colonial Pipeline had never before been shut down all at once, he said.

The attack was discovered around 5:30 a.m. on May 7 and quickly set off alarms through the company's chain of command, reaching Mr. Blount less than a half-hour later as he was getting ready for the workday. The company has stressed that operational systems weren't directly impacted, and that it shut down pipeline flows while it investigated how deeply the hackers had gotten inside.

It took Colonial about an hour to shut the pipeline, which has about 260 delivery points across 13 states and Washington, D.C. The move was also meant to prevent the infection from spreading from the corporate network into the pipeline's operational control systems.

As Colonial shut the pipeline, employees were instructed not to log in to its corporate network, and executives made a volley of phone calls to federal authorities, starting with the FBI's offices in Atlanta and San Francisco, as well as a representative from the Cybersecurity and Infrastructure Security Agency, or CISA, Mr. Blount said.

CISA officials confirmed Colonial representatives informed them of the hack shortly after the incident occurred. FBI representatives didn't respond to requests for comment.

Over the next several days, the Energy Department acted as a conduit through which Colonial could provide updates to multiple federal agencies involved in the response, Mr. Blount said. Energy Secretary Jennifer Granholm and Deputy Secretary David Turk stayed in regular contact with the company, in part to "gain information to guide the federal response," Energy Department spokesman Kevin Liao said.

As Colonial prepared to restore service, its personnel patrolled the pipeline searching for any signs of physical damage, driving some 29,000 miles. The company dispatched nearly 300 workers to keep their eyes on the pipeline, supplementing its usual electronic monitoring, Mr. Blount said.

Though the pipeline's flow of fuel has returned to normal, the impact of the hack hardly ended with the ransom payment. It will take months of restoration work to recover some business systems, and will ultimately cost Colonial tens of millions of dollars, Mr. Blount said, noting that it is still unable to bill customers following an outage of that system.

Another costly loss, Mr. Blount noted, was the company's preferred level of anonymity.

"We were perfectly happy having no one know who Colonial Pipeline was, and unfortunately that's not the case anymore," he said. "Everybody in the world knows."