The reason they paid the ransom despite having backups might be that it was part of a sting operation.
US recovers millions in cryptocurrency paid to Colonial Pipeline ransomware hackers
To inoculate an operation against ransomware, a good backup policy needs to be executed and the backup files need to be stored offline. Consider it insurance. If hackers encrypt your files, the most you lose will be the transactions made since the most recent backup.
US investigators have recovered millions in cryptocurrency they say was paid in ransom to hackers whose attack prompted the shutdown of the key East Coast pipeline last month, the Justice Department announced Monday....
Colonial Pipeline Co. CEO Joseph Blount told The Wall Street Journal in an interview published last month that the company complied with the $4.4 million ransom demand because officials didn't know the extent of the intrusion by hackers and how long it would take to restore operations.
But behind the scenes, the company had taken early steps to notify the FBI and followed instructions that helped investigators track the payment to a cryptocurrency wallet used by the hackers, believed to be based in Russia....
"When Colonial was attacked on May 7, we quietly and quickly contacted the local FBI field offices in Atlanta and San Francisco, and prosecutors in Northern California and Washington D.C. to share with them what we knew at that time. The Department of Justice and FBI were instrumental in helping us to understand the threat actor and their tactics. Their efforts to hold these criminals accountable and bring them to justice are commendable," Blount said....