Colonial Pipeline cyberattack: Everything you need to know and gas price impact

Pipelines in the foreground with an oil refinery in the background.
(Image credit: Kodda/Shutterstock)

The ransomware attack on Colonial Pipeline, a major pipeline operator that carries gasoline and other fuels from the Gulf Coast to the Eastern Seaboard, may end up being one of the most consequential publicly disclosed cyberattacks on a private company in history.

But is this the first strike of a cyberwar, or just a criminal act? Are the Russians involved? Is the pipeline really broken? And what kind of impact is this having on gas prices?

Here's what we know so far.

What happened with Colonial Pipeline?

Encrypting ransomware has locked up the corporate computer systems of Colonial Pipeline, disrupting fuel deliveries to a large part of the eastern United States. Colonial Pipeline said systems controlling fuel delivery were not infected, but it shut them down too as a precaution.

On Wednesday afternoon (May 12), Colonial Pipeline said that the fuel had started to flow again.

The company said it had "initiated the restart of pipeline operations today at approximately 5 p.m. ET." 

"It will take several days for the product delivery supply chain to return to normal," the company's statement added. "Some markets served by Colonial Pipeline may experience, or continue to experience, intermittent service interruptions during the start-up period."

The Southeast seems to be the most heavily impacted by fuel shortages, at least some of which seem to be the result of panic buying, but Colonial also delivers a lot of fuel to the Northeast, along with other pipeline operators that are not affected.

The FBI and Cybersecurity and Infrastructure Security Agency (CISA) released an advisory Tuesday (May 11), revised Wednesday (May 12), that states that "there is no indication that the entity’s operational technology (OT) networks have been directly affected by the ransomware."

Who attacked Colonial Pipeline?

A cybercrime group known as DarkSide created and licensed the ransomware, but it's possible that the actual attack was carried out by a DarkSide "affiliate" that strikes targets on its own.

How long will fuel deliveries be disrupted?

Colonial Pipeline said in a statement Monday that it had "the goal of substantially restoring operational service by the end of the week," or May 14 or 15. After the announcement May 12 that the pipeline had been restarted, that date looks reasonable. (The fuel flows between 3 and 5 miles per hour, and it's got hundreds of miles to go.)

"Since our pipeline system was taken offline, working with our shippers, Colonial has delivered approximately 967,000 barrels (~41 million gallons) to various delivery points along our system," the company said late Tuesday (May 11). "This includes delivery into the following markets: Atlanta, Ga., Belton and Spartanburg, S.C., Charlotte and Greensboro, N.C., Baltimore, Md., and Woodbury and Linden N.J."

An oil-company source told independent information-security reporter Kim Zetter  that while the Colonial Pipeline pipelines are running fine, the "ticketing" system that keeps track of how much each customer was delivered may be offline. If so, Colonial Pipeline would have to manually keep track of and bill for deliveries.

How will this affect gas prices?

Gas prices were already ticking upwards as a result of this incident, but widespread panic buying after the story made the TV news has made things worse.

The Twitter account @GasBuddyGuy delivers several reports per day on the price and availability of gasoline nationwide. On Wednesday afternoon (May 12), it reported that 68% of gas stations in North Carolina had run dry, along with 45% in both Georgia and South Carolina and 49% in Virginia. 

Some cities in the Southeast had it worst, with more than 70% of stations out of gas in Charlotte, Raleigh/Durham, Pensacola, and Greenville/Spartanburg, and 65% out in Atlanta.

Experts blamed the shortages on panic buying, and there were numerous TV-news clips of long lines at gas stations and people filling up multiple 5-gallon jugs by hand.

"People are taking their entire family fleet of vehicles to the gas station and filing up when they don't need to," a AAA official told CNN. "We are our own worst enemy in this situation because we are over-consuming at the pump."

However, there were also reports that there simply weren't enough gas trucks — or truck drivers — available to meet the demand.

The GasBuddy website posted a constantly updated state-by-state rundown of gas availability, and its GasBuddy tracker will help you find stations with gasoline in your area.

On Monday, AAA said that the average price per gallon nationwide had gone up 6 cents in the previous week to $2.96, although that data was likely collected before  the news of the attack on Colonial Pipeline could be fully felt. 

On Wednesday, the AAA's daily survey of gas prices had pushed the average to $3.008, up from $2.985 the day before. The Southeast, the area most impacted by the Colonial Pipeline shutdown and by panic buying, still had the lowest prices, in line with historical trends.

AAA recommended that drivers worried about running out of gas try to avoid high-traffic times of day, run all their errands in one trip, take heavy items out of their cars and roll down their windows instead of using air conditioning.

Will this ransomware attack result in fuel shortages?

That's already happening in the Southeast, where there has been panic buying of gasoline. Some regions have Colonial Pipeline as the primary fuel supplier, and there have been many reports of some gas stations running dry. The GasBuddyGuy Twitter account reported that 20% of Atlanta gas stations were already empty by Tuesday afternoon.

Long-haul trucks are making up some of the shortfall by carrying gasoline in tanker trucks to cities in the Southeast. The Northeast is not seeing widespread runs on gas stations, and it may be able to get fuel shipped by oil tanker from Europe. There are fuel stockpiles in the Northeast, but they might not hold enough fuel to meet demand.

Some fuel distributors in both areas get their fuel from other pipeline operators and won't be affected.

When was the attack on Colonial Pipeline discovered?

Colonial Pipeline said it discovered the ransomware attack on Friday, May 7. It shut down its main pipeline running up the Gulf Coast and East Coast that evening.

When did the ransomware attack on Colonial Pipeline take place?

Unnamed sources told Bloomberg News that the attack started Thursday, May 6 and resulted in 100GB of Colonial Pipeline data being stolen in about two hours.

What is a ransomware affiliate?

The ransomware business operates a bit like the legitimate software industry. Certain groups can develop and distribute ransomware, and then they may sell licenses to other criminals, who pay a fee plus sometimes a cut of the take to the original ransomware developers. This is often called ransomware-as-a-service (RaaS).

The licensees or "affiliates" are often the ones attacking the targets, independently of the groups that develop the ransomware. It's not certain what happened in this case.

On Tuesday, FireEye, the company that has been brought in to help Colonial Pipeline recover from the cyberattack, released a detailed analysis of the DarkSide affiliate program

Prospective affiliates have to be interviewed first, and if they pass, they then get access to a Darkside administration interface that manages the malware, keeps track of ransom payments, provides statistics and lets the affiliates contact DarkSide customer support.

DarkSide affiliates pay the DarkSide providers 25% of ransom payments of less than $500,000, but the providers' cut decreases the larger the payment is. The FireEye report says that "affiliates are prohibited from targeting hospitals, schools, universities, non-profit organizations and public-sector entities."

What has DarkSide said about this?

The DarkSide ransomware managers have tried to distance themselves from the Colonial Pipeline attack, claiming in a statement May 10 that "our goal is to make money, and not creating problems for society." 

They say that they will "check each company that our partners want to encrypt to avoid social consequences in the future."

How much are the crooks demanding in ransom?

That's not been disclosed, but it's bound to be a lot of money, though Colonial Pipeline may have insurance coverage for ransomware payments.

Is the government helping?

The federal government has temporarily waived rules barring smog-creating gasoline from being sold in the mid-Atlantic states.

The Federal Motor Carrier Safety Administration has temporarily waived rules that restrict truck transport of gasoline and other fuels in 17 states and the District of Columbia. 

Who is helping Colonial Pipeline clean up its computer systems?

The incident-response team from the cybersecurity firm FireEye has been brought in.

What exactly is Colonial Pipeline?

Colonial Pipeline is a privately held pipeline operator founded in 1961 and based in Alpharetta, Georgia, near Atlanta. It says it supplies about 45% of the petroleum-based fuel — gasoline, jet fuel, home heating oil, diesel fuel — used on the East Coast. 

The company's main pipeline runs from eastern Texas to northern New Jersey, with branch lines running into Tennessee. The pipeline has had several spills in the past two decades, and in 2016 a construction worker was killed when a backhoe dug into the pipeline at the site of a spill in Alabama, causing an explosion.

How did the ransomware get into Colonial Pipeline's computer systems?

That's not been disclosed. There are several ways the ransomware could have entered the systems, including a phishing email, a misconfigured website, or through a connected company's own systems. 

Can Colonial Pipeline move fuel without the computer systems?

The company has said that the technology operating the pipeline is running normally, but that much of those systems have been taken offline as a precaution. 

As mentioned above, it's possible that the ticketing system is not functioning properly. If that's true, it would mean that the company might not be able to accurately measure how much fuel is delivered and hence might not be able to properly bill its customers.

Are the Russians involved in this cyberattack?

The DarkSide group appears to be based in Russia, but that doesn't mean the Russian government has anything to do with it. Most ransomware groups are white-collar criminals, not spies. The White House has called this a "criminal act." 

President Biden said during a press conference May 10 that "there is no evidence from our intelligence people that Russia is involved, though there is evidence the actors, the ransomware, is in Russia."

"They have some responsibility to deal with this," he added.

You could argue that the Russian government does bear some responsibility for this. That's because for at least two decades, the Russian domestic authorities have let cybercriminals operate openly on Russian soil as long as they don't attack other Russians. 

"Just don't ever work against your country and businesses in this country," is how one Russian security expert speaking to the Associated Press described Moscow's attitude. "If you steal something from Americans, that's fine."

Many strains of malware, including the DarkSide ransomware, won't activate if they detect that the computer they've infected is set to use Russian or another former-Soviet-bloc language as the language default. 

Which federal agencies have been brought into this case?

The FBI is involved, but it's not clear if it's leading the investigation, although it presumably would be. 

The bureau on Monday (May 10) released a brief statement: "The FBI confirms that the DarkSide ransomware is responsible for the compromise of the Colonial Pipeline networks. We continue to work with the company and our government partners on the investigation."

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has said it is also involved.

On Tuesday (May 11), the two agencies jointly released a cybersecurity advisory on the DarkSide ransomware aimed at enterprises.

Who are the DarkSide ransomware group?

There's the DarkSide ransomware, and then the DarkSide group that develops, distributes and licenses the ransomware. Licensees subscribe to the ransomware but can use it on their own. 

The DarkSide ransomware, which attacks computers and servers running Windows or Linux, will copy data from an infected system and sent it up to a command-and-control server, and after that encrypt the data on the server. It will also try to delete the target's backups of the data. 

If the target does not pay the ransom to free the data, the licensee of the DarkSide ransomware may threaten to release the stolen copies of the data online — a tactic experts call "double extortion." Bloomberg News said Colonial Pipeline received such a warning.

DarkSide's managers have even said they'd be willing to sell a company's stolen data to a rival company or investors before making it public.

One expert from CrowdStrike told Wired that DarkSide's managers were former credit-card thieves who graduated to ransomware after they saw how lucrative it could be.

How can I protect myself from DarkSide ransomware?

If you're a home computer user, DarkSide and other top ransomware groups aren't as interested in you as they would have been a couple of years ago. 

The big money now is in attacking large and medium-sized companies and other organizations — school systems, town governments, medical facilities, universities, police departments — that need to get their data back and can (often) afford to pay for it.

The DarkSide managers have stated in press releases(yes, they have press releases) that they will not attack hospitals, schools, universities or government organizations. 

"We only attack companies that can pay the requested amount, we do not want to kill your business," the group said in one of its first press releases after they declared their existence last August. 

It's not clear how they can control which organizations their affiliates attack, though.

The DarkSide managers have even tried to donate some of their ill-gotten gains to charity, but their donations were rejected.

Can you decrypt files encrypted by the DarkSide ransomware?

Information-security firm Bitdefender released a DarkSide decryption tool in January, but it likely will not work on files encrypted in DarkSide attacks since then.

This story was originally published May 11, 2021.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

  • varase
    If these guys are going after strategic assets, there should be a strategic response - we need to start removing threats like this by any means necessary.

    They're causing tons of disruption and misery for a profit - and we should have federal law enforcement, the military, and clandestine services operate in unison to insure that this is no longer a profitable endeavor.

    Those thinking of doing this in the future should have a clear and dramatic picture of what happened to those in the past who unleashed this type of chaos.
  • USAFRet
    varase said:
    If these guys are going after strategic assets, there should be a strategic response - we need to start removing threats like this by any means necessary.
    We have lots of assets.

    But...what person or building, specifically?