The hackers who caused Colonial Pipeline to shut down the biggest US petrol pipeline last Friday began their blitz against the company a day earlier, stealing a large amount of data before locking computers with ransomware and demanding payment, as per the sources.
According to the two reports, the intruders, who are members of the DarkSide cybercrime group, took nearly 100 gigabytes of data from the Alpharetta, Georgia-based company's network in just two hours on Thursday.
The step was part of a double-extortion scheme that has become a trademark of the group. According to the reports, Colonial was told that the stolen data will be released to the Internet, although information encrypted by the hackers on machines within the network will stay locked until it paid a ransom.
The company didn't immediately respond to requests to comment on the investigation. It said earlier that it "proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems".
Colonial's decision on Friday to shut down the main pipeline that supplies the US East Coast with gasoline, diesel, and jet fuel, without specifying when it would reopen, indicates a risky new escalation in the battle against ransomware, which President Joe Biden's administration identified as a priority.
It's unclear how much the attackers requested or whether Colonial has agreed to pay. In cryptocurrency, ransomware demands can vary from a few hundred dollars to millions of dollars. Many businesses compensate, with the help of their insurers.
According to the Associated Press, AXA, one of ’s leading insurance firms, announced last week that it will break the trend and stop offering schemes in France that reimburse customers for payments made to ransomware hackers. In recent years, cyberattacks have disrupted the operations of other energy assets in the US. Last year, the Department of Homeland Security announced that an unnamed natural gas compressor facility was shut down for two days due to an attack.
The theft of Colonial's records, combined with the installation of ransomware on the company's machines, demonstrates the power that hackers frequently hold over their victims in such situations. The investigation is being assisted by FireEye Inc's Mandiant digital forensics division, according to the company.
Mr. Biden was briefed on the incident on Saturday morning, according to the White House.