Pipeline firm paid ransom, sources say

Gas stations still dry in dozen states

A tanker driver delivers 9,000 gallons of fuel Thursday at a Sheetz convenience store in Raleigh, N.C. Georgia-based Colonial Pipeline said gasoline deliveries were underway in all of its markets, but it will be “several days” before supplies return to normal.
(AP/The News & Observer/Travis Long)

Colonial Pipeline Co. paid roughly 75 bitcoins, or between $4 million and $5 million, to Eastern European hackers May 7, contradicting reports earlier this week that the company had no intention of paying an extortion fee to help restore the country's largest fuel pipeline, according to people briefed on the transaction.

The shutdown of the company's 5,500-mile pipeline, which supplies nearly half of the gas, diesel and jet fuel to the East Coast, triggered a cascading crisis that led to emergency meetings at the White House, a jump in gas prices and panic buying at the gas pumps, and forced some airlines to make fuel stops on long-haul flights.

The payment came after cybercriminals last week held up Colonial Pipeline's business networks with ransomware, a form of malware that encrypts data until the victim pays, and threatened to release the data online. The ransom payment was first reported by Bloomberg.

Colonial Pipeline preemptively shut down its pipeline operations to keep the ransomware from spreading and because it had no way to bill customers with its business and accounting networks offline.

A spokeswoman for Colonial declined to confirm or deny that the company had paid a ransom.

President Joe Biden also declined to answer whether Colonial Pipeline had paid its extortionists in a news briefing Thursday. He did not rule out the possibility that the administration would target the cybercriminals, a ransomware outfit called DarkSide, with a retaliatory strike. He said the United States would pursue "a measure to disrupt their ability to operate."

Jen Psaki, the White House press secretary, said in a separate briefing, "It's the recommendation of the FBI to not pay ransom in these cases," because it can incentivize cybercriminals to conduct more attacks. She added that "private sector entities or companies are going to make their own decisions."

It has taken several days for Colonial to begin bringing its pipeline back online, a process that officials said would take time. "This is not like flicking on a light switch," Biden said, noting that Colonial's pipeline had never before been shut down.

Motorists found gas pumps shrouded in plastic bags at tapped-out service stations across more than a dozen U.S. states Thursday.

About 70% of North Carolina's gas stations were still without fuel amid panic-buying and about half the stations in Virginia, South Carolina and Georgia were tapped out, GasBuddy.com reported. Washington, D.C., was among the hardest-hit locations, with 73% of stations out, the site's tracking service showed.

Biden said Thursday that U.S. officials do not believe the Russian government was involved in the hack that shut down the pipeline, which stretches from Texas to New Jersey. But he added, "We do have strong reason to believe that the criminals who did the attack are living in Russia. That's where it came from."

The U.S. was in direct communication with Moscow about the need to take action against ransom networks, Biden said.

Georgia-based Colonial said in a Thursday update that gasoline deliveries were underway in all of its markets. It will take "several days" for things to return to normal, and some areas may experience "intermittent service interruptions during this start-up period," the company said.

The Northeast has seen fewer shortages since those states get more of their gas supplies from ocean tankers and other sources. The Colonial Pipeline delivers about 45% of the gasoline consumed on the East Coast, but there were no gasoline shortages, according to government officials and energy analysts, just delays in delivering the fuel from Gulf Coast refineries.

"We are not out of the woods yet, but the trees are thinning out," Richard Joswick, global head of oil analytics at S&P Global Platts, said.

Gas stations should be back to normal next week, though, if the pipeline restart goes as planned and consumers are convinced that they no longer need to panic-buy fuel, Joswick said. He estimated that full recovery for the East and Gulf coasts would take at least a couple of weeks.

The run on gas also prompted an urgent warning in Virginia that people should never siphon gasoline off by mouth with hoses, an advisory that followed calls in recent days about people who were poisoned. One man sucked gasoline into his lungs, causing significant distress, Dr. Chris Holstege, the medical director of the Blue Ridge Poison Center at UVA Health, said.

The governors of both Virginia and North Carolina declared states of emergency to help ensure access to gasoline. Other governors urged people not to hoard supplies.

"There is available fuel supply in and around our state, and it will take time for tankers to move that supply to the stations that are experiencing shortages," North Carolina Gov. Roy Cooper said. He reiterated calls for residents not to make any unnecessary trips to the pump.

PANIC BUYING

Despite warnings from government officials and experts, panicked drivers have flocked to pumps all over the Eastern U.S., draining thousands of filling stations, including many that would not otherwise have been affected by the pipeline hack. The heightened demand also pushed the national average price for a gallon of gas to $3.02 on Thursday, its highest level since 2014, according to AAA.

The search for working gas pumps has frayed the nerves of some drivers. Two people were charged with assault after spitting in each other's faces over spots in a line at a Marathon station in Knightdale, N.C., on Tuesday afternoon, authorities said.

The shutdown even affected hikers along the Appalachian Trail, which stretches from Georgia to Maine. They depend on cars and vans to access the trail and get supplies.

"Everybody's out here buying from the same gas pumps, so the lines are long, some are out -- you've really got to look for it," said Ron Brown, who operates Ron's Appalachian Trail Shuttles.

'GLARING DEFICIENCIES'

An outside audit of Colonial three years ago found "atrocious" information management practices and "a patchwork of poorly connected and secured systems," its author told The Associated Press.

"We found glaring deficiencies and big problems," said Robert F. Smallwood, whose consulting firm delivered an 89-page report in January 2018 after a six-month audit. "I mean, an eighth-grader could have hacked into that system."

How far the company, Colonial Pipeline, went to address the vulnerabilities isn't clear. Colonial said Wednesday that since 2017, it has hired four independent firms for cybersecurity risk assessments and increased its overall information technology spending by more than 50%. While it did not specify an amount, it said it has spent tens of millions of dollars.

"We are constantly assessing and improving our security practices -- both physical and digital," the privately held Georgia company said in response to questions from the AP about the audit's findings. It did not name the firms that did cybersecurity work, but one firm, Rausch Advisory Services, located in Atlanta near Colonial's headquarters, acknowledged being among them. Colonial's chief information officer sits on Rausch's advisory board.

Information for this article was contributed by staff members of The New York Times; by Tom Foreman Jr., Jeff Martin, Ben Finley, Cathy Bussewitz, Eric Tucker, Sarah Brumfield and Bryan Anderson of The Associated Press; by William Turton and Michael Riley of Bloomberg News (WPNS); and by Taylor Telford of The Washington Post.
