Colonial Pipeline ransomware (DarkSide)
A reused VPN password let DarkSide encrypt Colonial Pipeline's billing systems. The operator shut down 5,500 miles of fuel pipeline for six days, paid $4.4M, and triggered a federal emergency.
- Victim: Colonial Pipeline Company
- Loss: $4.4M
On 7 May 2021, the ransomware affiliate group DarkSide encrypted the billing systems of Colonial Pipeline, which moves roughly 45% of the U.S. East Coast's fuel. Out of caution, Colonial took down the pipeline itself.
What happened
The initial access was unglamorous: a legacy VPN account with a reused password and no multi-factor authentication. The credential had likely appeared in a prior third-party breach and circulated on criminal markets. DarkSide operators logged in on 29 April, dwelled for a week, exfiltrated ~100 GB of corporate data, and detonated ransomware on 7 May.
Colonial preemptively shut down the pipeline because its billing systems were down. The OT (operational technology) was not directly affected, but the company could not measure or invoice fuel deliveries, so it had no commercial path to keep operating.
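The three conditions the account above describes (a legacy account nobody was watching, no second factor, and a password that already sat in a third-party breach dump) are exactly what a periodic VPN account audit should surface before an attacker does. The following is an added example, not code from the page's sources or from Colonial; the account fields, the breach corpus and the reference date are all constructed, and the `range_lookup` helper mirrors the k-anonymity prefix lookup that public breached-password services use, so a checker only ever handles hash prefixes and suffixes rather than sending a full hash off-box.

```python
"""Audit VPN accounts for the Colonial-style risk pattern:
stale account + no MFA + password present in a known-breach corpus.
All data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple
import hashlib


@dataclass(frozen=True)
class VpnAccount:
    username: str                 # hypothetical IdP export fields
    mfa_enrolled: bool
    last_login: Optional[date]    # None = never logged in since provisioning
    password_sha1: str            # SHA-1 of the password, how Pwned-Passwords-style corpora are keyed


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus: passwords that "appeared in a prior third-party breach".
BREACH_CORPUS: Set[str] = {sha1_hex("Summer2020!"), sha1_hex("Passw0rd"), sha1_hex("colonial123")}


def range_lookup(corpus: Set[str], prefix: str) -> Set[str]:
    """k-anonymity style range query: given a 5-hex-char prefix, return the
    matching hash suffixes. A remote service answering this never learns
    which full hash the caller is checking."""
    return {h[5:] for h in corpus if h.startswith(prefix)}


def password_is_breached(password_sha1: str, corpus: Set[str]) -> bool:
    h = password_sha1.upper()
    return h[5:] in range_lookup(corpus, h[:5])


def audit_accounts(accounts: List[VpnAccount], today: date,
                   stale_after_days: int = 90) -> Dict[str, List[str]]:
    """Return {username: [reasons]} for every account with at least one risk factor."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        reasons = []
        if not acct.mfa_enrolled:
            reasons.append("no_mfa")
        if acct.last_login is None or (today - acct.last_login).days > stale_after_days:
            reasons.append("stale_account")
        if password_is_breached(acct.password_sha1, BREACH_CORPUS):
            reasons.append("breached_password")
        if reasons:
            findings[acct.username] = reasons
    return findings


def severity(reasons: List[str]) -> str:
    # A single-factor login with a credential that can be bought is the worst case;
    # staleness on top of it means nobody would notice the login either.
    if {"no_mfa", "breached_password"} <= set(reasons):
        return "critical"
    if "no_mfa" in reasons or "breached_password" in reasons:
        return "high"
    return "medium"


# Constructed sample export and reference date.
SAMPLE_ACCOUNTS = [
    VpnAccount("svc-legacy-vpn", False, date(2020, 11, 3), sha1_hex("Summer2020!")),
    VpnAccount("jdoe", True, date(2021, 4, 27), sha1_hex("Tr0ub4dor&3-unique")),
    VpnAccount("contractor1", False, date(2021, 4, 20), sha1_hex("Passw0rd")),
    VpnAccount("asmith", True, None, sha1_hex("x9!unique-phrase")),
]
TODAY = date(2021, 4, 29)


def run_audit(accounts: List[VpnAccount] = SAMPLE_ACCOUNTS,
              today: date = TODAY) -> Dict[str, Tuple[str, List[str]]]:
    return {u: (severity(r), r) for u, r in audit_accounts(accounts, today).items()}


if __name__ == "__main__":
    for user, (sev, reasons) in sorted(run_audit().items(), key=lambda kv: kv[1][0]):
        print(f"{sev:8} {user:15} {', '.join(reasons)}")
```

The stale-account threshold is a policy knob: 90 days is a common starting point, but the point of the check is that a "legacy" account which nobody logs into should be disabled rather than left waiting for someone else's password reuse to unlock it. In a real deployment the corpus lookup would go to a breached-password service using the same prefix/suffix split, and a `critical` finding would map to "disable or force reset and enrol MFA today", not to a ticket queue.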
Impact
- Six-day shutdown of the 5,500-mile pipeline; widespread fuel shortages and panic-buying across the U.S. Southeast.
- U.S. DOT regional emergency declaration covering 17 states and Washington, D.C.
- Colonial paid a 75 BTC (≈$4.4 million) ransom. The decryptor worked but was too slow to be useful; restoration proceeded from backups.
- The DOJ subsequently seized 63.7 BTC (≈$2.3 million) of the payment from a DarkSide-controlled wallet, one of the earliest high-profile ransom clawbacks.
- DarkSide's operators disbanded the brand within weeks amid attention from U.S. law enforcement; the affiliates and tooling re-emerged as BlackMatter and ultimately fed the ALPHV/BlackCat ecosystem.
Why it matters
Colonial is the reference case for cyberattacks on energy infrastructure causing real-world physical disruption. It catalyzed CISA's mandatory pipeline cybersecurity directives, the TSA Pipeline Security Directives, Executive Order 14028, and a generation of board-level attention to OT/IT segmentation, third-party password hygiene, and the resilience of single-point-of-failure logistics infrastructure.
Financial impact
Reported costs in USD
- Ransom paid: $4.4M
Timeline
- 29 April 2021: DarkSide operators authenticate to a legacy Colonial Pipeline VPN account using a reused password. The account had no multi-factor authentication.
- About 100 GB of corporate data is exfiltrated from Colonial's network.
- 7 May 2021: Ransomware is deployed against billing and operational-support systems. Colonial proactively shuts down the pipeline.
- Colonial pays a 75 BTC ransom (≈$4.4M) for a decryptor that proves too slow to use.
- U.S. Department of Transportation issues a regional emergency declaration covering 17 states.
- Pipeline operations resume after six days of shutdown.
- The DOJ announces the seizure of 63.7 BTC (≈$2.3M) of the ransom payment.
Sources
- cisa.gov: https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-131a
- justice.gov: https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside
- bloomberg.com: https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password