For the exclusive use of A. Nguyen, 2025.

9 -1 2 3 -0 6 9
MARCH 2, 2023

SURAJ SRINIVASAN

LI-KUAN (JASON) NI

Ransomware Attack at Colonial Pipeline Company

Introduction
On the morning of May 7, 2021, the CEO of Colonial Pipeline Company (“Colonial”) Joseph Blount
was getting ready for the day when he received an urgent call: the company had been the victim of a
malicious ransomware attack by affiliates of the hacker group DarkSide. The ransom note discovered
in the accounting and billing system just minutes earlier claimed that the perpetrators had stolen and
locked up company data, and that 75 bitcoins (worth about $4.4 million at the time) would need to be
paid to receive the key to unlock the data. To contain the system infection, the control room had put in
a stop order to shut down the company’s pipeline – critical infrastructure that transported nearly half
of all refined oil products consumed in the East Coast of the United States.1

The crisis was a test of leadership for Blount, 60 years old, who had led the company since 2017.
“[My] typical CEO job went out the door…and it’s not coming back for quite some time,” Blount later
recounted.2

The company had followed its incident response procedures and assembled experts and informed
the authorities about the incident. But, information was limited. Even after several hours, Blount still
could not obtain a clear picture of the extent of the data breach and the possibility of restoring pipeline
operation without the encryption key from the hackers. As the passing of every minute threatened the
oil supply to 13 states and the nation’s capital, Blount had to make one crucial decision: whether to pay
the ransom or not.3

Colonial Pipeline Company

The Colonial Pipeline Company (“Colonial”) was founded in 1961 as a joint venture between nine
major oil companies to move oil from refineries near the Gulf Coast to markets in the East Coast. In
less than three years, Colonial built its first pipeline from Houston to Linden, New Jersey with a
capacity to transport 240,000 barrels per day. After years of continuous expansion and change of
ownership, by 2021 the company was transporting more than 2.5 million barrels per day through its
5,500 miles of pipeline and was privately owned by five companies: CDPQ Colonial Partners, L.P.
(16%), IFM (US) Colonial Pipeline 2 LLC (16%), KKR-Keats Pipeline Investors L.P. (23%), Koch Capital
Investments Company LLC (28%), and Shell Midstream Operating LLC (16%). Colonial’s five-member

Professor Suraj Srinivasan and Research Associate Li-Kuan (Jason) Ni prepared this case. This case was developed from published sources. Funding
for the development of this case was provided by Harvard Business School and not by the company. HBS cases are developed solely as the basis
for class discussion. Cases are not intended to serve as endorsements, sources of primary data, or illustrations of effective or ineffective
management.

Copyright © 2023 President and Fellows of Harvard College. To order copies or request permission to reproduce materials, call 1-800-545-7685,
write Harvard Business School Publishing, Boston, MA 02163, or go to www.hbsp.harvard.edu. This publication may not be digitized, photocopied,
or otherwise reproduced, posted, or transmitted, without the permission of Harvard Business School.

This document is authorized for use only by An Nguyen in INSC 30853 Fundamentals of Cybersecurity taught by LAYNE BRADLEY, ${institution} from Jan 2025 to May 2025.
 For the exclusive use of A. Nguyen, 2025.

123-069 Ransomware Attack at Colonial Pipeline Company

board of directors were composed of a representative from each of the five companies and had rich
experience in energy and utility investment.4

As of 2021, the Alpharetta, Georgia-headquartered Colonial had about 950 employees and operated
the largest refined products pipeline by volume in the United States, transporting petroleum products
such as gasoline, diesel, aviation fuels, and home heating oil from 29 refineries in the Gulf Coast to 260
delivery points across 13 states and Washington D.C. through its 5,500 miles of pipeline. The product
Colonial transported accounted for about 45% of the fuel consumed on the East Coast, providing
energy for more than 50 million Americans.5

Financially, in fiscal year 2021 the company had $3.4 billion in total assets (of which $2.0 billion
were in tangible property including pipeline and storage facilities), $1,228 million in revenues, $446
million in operating income, and $186 million in net income. 6

Colonial’s IT Practices Before the Ransomware Attack

Marie Mouchet had joined Colonial as its first chief information officer (“CIO”) in 2016. She brought
with her 35 years of experiences in the power and utility industry, and was the CIO at Southern
Company, one of the largest U.S. energy providers and a constituent of the Fortune 500, prior to her
appointment at Colonial.7 At Colonial, Mouchet led the company’s technology strategy and operations
for both information technology (“IT”) and operations technology (“OT”), which included supervisory
control and data acquisition (“SCADA”) engineering, controls engineering, traditional IT,
cybersecurity, physical security, and information governance. She also participated in all board
meetings with external directors and executives, and was involved in executive recruitment and board
onboarding.8

Between 2017 and 2021 Colonial hired at least four independent firms to conduct cybersecurity risk
assessments, which identified IT deficiencies and generated recommendation for Colonial. At least one
consultant recommended in January, 2018 that Colonial hire a chief information security officer
(“CISO”), a position that many cybersecurity experts considered essential for companies with critical
infrastructure. The same consultant claimed that he found “atrocious” information management
practices, a patchwork of poorly secured systems, and no security-awareness training. “We found
glaring deficiencies and big problems,” said the consultant who submitted an 89-page report to
Colonial, “I mean an eighth-grader could have hacked into that system” He also cited Colonial’s
inability to locate a particular maintenance document, “You’re supposed to be able to find it within 15
minutes. It took them three weeks.”9

As a result of these IT and cybersecurity assessments Colonial increased its IT budget by 50% and
spent more than $200 million on its IT systems between 2016 and 2021, on top of over $1.5 billion for
physical integrity of the pipeline. At the time of the ransomware attack in May, 2021 the company’s IT
network was strictly segregated from the pipeline operating control systems and had active monitoring
and overlapping threat-detection systems. In particular, at least three different software tools were in
place that would provide alerts when data left the network. The expanded cybersecurity regime also
included regular simulated phishing campaigns for employees. Blount later also testified that the
company took cybersecurity “extremely seriously” and claimed that the board of directors had never
denied Mouchet’s request for cybersecurity funding. However, at the time of the attack the company
did not have a CISO, and the relevant cybersecurity responsibilities was still assigned to a subordinate
under Mouchet.10

Unlike electrical utilities, the pipeline industry in the United States was not subject to mandatory
cybersecurity standards prior to the ransomware attack at Colonial. 11

2
This document is authorized for use only by An Nguyen in INSC 30853 Fundamentals of Cybersecurity taught by LAYNE BRADLEY, ${institution} from Jan 2025 to May 2025.
 For the exclusive use of A. Nguyen, 2025.

Ransomware Attack at Colonial Pipeline Company 123-069

Ransomware12
Ransomware was a type of malware a that prevented users from accessing their data by locking
system files until a ransom was paid. To do so, hackers first exploited system vulnerabilities through
phishing emailsb, stolen or guessed employee login credentials, direct network intrusion, or the like.
After the malware had gained access to a system, attackers began to encrypt files with an attacker-
controlled key, effectively locking the files. Skilled ransomware perpetrators were cautious in their
selection of files to encrypt to avoid quick detection, and some variants would also infect or delete
backup files to make recovery without the decryption key more difficult. The more files the
extortionists encrypted the more effective they were in paralyzing the system for users. Once the
encryption was complete, the ransom demand was made, often by changing a display background to
a ransom note or placing the note as a text file in each encrypted directory. Typically, these notes
demanded a set amount of cryptocurrency (to ensure anonymity) in exchange for access to the victim’s
files. Starting around 2020, variants also employed double or triple extortionc techniques to pressure
victims to pay. If the ransom was paid, the ransomware operator would provide the keys and methods
to unlock the files and restore user access.13

Since around 2015 ransomware had become a major source of cyber risk. Cybersecurity experts
estimated that annual ransomware attacks had risen from 183 million attempts in 2016 to 623 million
by 2021 (see Exhibit 2 for global ransomware rates and total ransom paid from 2016 to 2021).
Ransomware amounted to about 11% of all data breaches incidents in 2022, and the average cost to the
victim of the attack was about $4.54 million. These costs included detection, notification, crisis
management, post-breach restitution, and lost business costs.

In 2021, expert estimates showed that ransomware on average took 326 days to identify and contain,
or 49 days longer than the global average across different types of cyber breaches of 277 days. Victim
organizations also experienced an average of 20 days in post-attack system downtime. Perhaps due to
its disruptive potential, a 2022 survey of corporate executives ranked ransomware as the second highest
cyberbreach concerns (closely behind targeted phishing attacks).14

Also, paying ransom did not always guarantee a full recovery of data and function. IT consulting
firm Gartner estimated in 2021 that organizations that paid the ransom were only able to recover 65%
of their data, and only 8% of organizations recovered all the encrypted files. Cost wise, IBM estimated
in 2022 that organizations that paid ransom incurred an average total cost of $4.49 million while those
that did not pay incurred $5.12 million. 15

Many ransomware groups had gained prominence over the years, such as REvil, Conti,
DoppelPaymer, LockBit, and DarkSide. DarkSide became a household name after its affiliates attacked
Colonial in May, 2021. These criminal gangs were believed to have been based in Eastern Europe
and/or Russia, and were known for infecting company and government network, locking up data by
encryption, and threatening to expose sensitive data in their demand for ransom payments.16

a Malware was a software specifically designed to disrupt, damage, or gain unauthorized access to a computer system.

b Phishing email was a form of social engineering where attackers sent emails to deceive the recipient into revealing sensitive
information or installing malware.
c In a double extortion, the perpetrator not only demanded ransom for the exchange of the decryption tool but also threatened
to publish stolen information if the victim did not pay ransom by the deadline; a triple extortion is a double extortion but the
perpetrator also demand separate ransom from individuals whose private information was stolen.

3
This document is authorized for use only by An Nguyen in INSC 30853 Fundamentals of Cybersecurity taught by LAYNE BRADLEY, ${institution} from Jan 2025 to May 2025.
 For the exclusive use of A. Nguyen, 2025.

123-069 Ransomware Attack at Colonial Pipeline Company

DarkSide
DarkSide operated a ransomware-as-a-service business model. It recruited affiliate subscribers and
granted them access to ransomware developed by DarkSide, in return for 10% to 25% of the ransom
payment its affiliates received from victims.17

DarkSide was first noticed in an August, 2020 cyberattack. The group was quickly known for its
professional-looking website and its “Robin Hood” image. For example, it publicly stated its
predilection to target large organizations instead of hospitals, schools, non-profits, and governments.
It also posted receipts of bitcoin donations worth a total of $20,000 to humanitarian projects. 18

One cybersecurity firm estimated that between August, 2020 and May, 2021 DarkSide malware had
infected at least 99 organizations, and that 47 had paid ransom with a total value of $90 million.19

The Ransomware Attack at Colonial

On April 29, 2021, DarkSide hackers first accessed Colonial’s IT system. Between the initial intrusion
time and May 6 intruders stole 100 gigabyte worth of company data, including personal information
of nearly 6,000 individuals, in preparation for a double extortion. 20

At around 5:00 AM on May 7, 2021, Colonial control room employees found data being locked in
the billing and accounting system along with a ransom note (see Exhibit 3 for a standard ransom note
used by DarkSide). The note demanded 75 bitcoins (worth about $4.4 million at the time) for the
exchange of encryption key and threatened to leak the stolen data if ransom was not paid. The
controller immediately reported to a supervisor. After consulting with the corporate IT group, the
control center put in the stop work order to halt operations throughout the pipeline. The stop order
was intended to isolate the attack and prevent the infection from migrating to the pipeline operational
controls, if it had not already. Colonial CEO Blount was notified around 5:30 AM. At approximately
5:55 AM, employees began the shutdown process. Within 15 minutes, Colonial for the first time in its
57-year history shut down the entirety of 5,500 miles of pipelines.21

In a later congressional hearing, Blount said,

Shutting down the pipeline was absolutely the right decision, and I stand by our
employees’ decision to do what they were trained to do. We have an incident response
process that follows the same framework used by some federal agencies. Everyone in the
company—from me to the operators in the field—has stop work authority if they believe
that the safety of our systems is at risk, and that is a critical part of our incident response
process…I am proud and grateful to report that our response worked: we were able to
quickly identify, isolate, and respond to the attack and stop the malware from spreading
and causing even more damage.22

As Colonial shut down the pipeline, employees were instructed not to log in to its corporate
network. Within an hour or so the Company brought in Mandiant, a cybersecurity firm, and together
they mobilized a team of experienced incident responders to investigate and contain the incident,
eradicate the threat actor, and enhance the security posture of the network in order to facilitate a safe
restart to the pipeline. Mandiant was also able to help return some of the local lines to manual operation
within hours.23

Concurrently, executives made a volley of phone calls to federal authorities, including the Federal
Bureau of Investigation (“FBI”), Cybersecurity and Infrastructure Security Agency (“CISA”), the White
House, National Security Council, the Department of Energy (designated as the lead Federal agency

4
This document is authorized for use only by An Nguyen in INSC 30853 Fundamentals of Cybersecurity taught by LAYNE BRADLEY, ${institution} from Jan 2025 to May 2025.
 For the exclusive use of A. Nguyen, 2025.

Ransomware Attack at Colonial Pipeline Company 123-069

over this incident), the Department of Homeland Security, the Pipeline and Hazardous Materials Safety
Administration (“PHMSA”), the Federal Energy Regulatory Commission (“FERC”), the Energy
Information Administration, and the Environmental Protection Agency (“EPA”). 24

“In our case after the attack, the CEO responsibility immediately becomes to contain the attack and
remediate the situation…there is not enough time in the day or enough people, so you become actively
involved yourself,” Blount recalled. He was quickly occupied with frequent daily update briefings with
the federal government about attack details, response, and recovery: “We set up that one conduit with
the government - which allowed us to communicate all the way up to the White House, to every
regulator responsible [for the industry], to all the way through to the lobbyist groups who were helpful
in disseminating information to like companies”25

Colonial also increased air surveillance and dispatched nearly 300 workers to patrol the pipeline;
these staffers drove some 29,000 miles to search for any signs of physical damage while the usual
electronic monitoring system was down.26

Colonial’s disaster preparedness plan did not include any discussion on ransom payment. Before
the end of the day on May 7, Blount, after receiving legal confirmation that DarkSide was not a
sanctioned entity, decided to pay the ransom because executives were unsure how badly the
cyberattack had breached its systems and how long it would take to restore pipeline operations. To
Blount, paying ransom was a way to give the company “every tool available…to swiftly get the pipeline
back up and running.” He also said in a later interview, “I know that’s a highly controversial
decision…. I will admit that I wasn’t comfortable seeing money go out the door to people like
this….[but] I believe that restoring critical infrastructure as quickly as possible, in this situation, was
the right thing to do for the country.”27

The Company initially kept the decision to pay ransom confidential as the executives were
concerned with operational security and to minimize publicity for the hacker. The ransom payment
was leaked to news agencies on May 13, and Blount publicly acknowledged the payment on May 19.28

Once hackers received the payment on May 8, they provided the operator with a decrypting tool to
restore its disabled computer network. However, the tool was so slow that the company ended up
restoring the operation mostly from system backups.29

Simultaneously, Mandiant was installing new detection tools that would alert Colonial of any
secondary attacks, which were not uncommon after a significant breach. Investigators later determined
that they had found no evidence of the same hackers trying to regain access. Mandiant experts also
swept the system to gauge how far hackers had probed the network. In doing so, they did not find
indication that hackers were able to breach the more critical OT systems.30

On the morning of May 8, US President Joe Biden was briefed of the incident. Around noon,
Colonial officially released public statements regarding the cyberattack and the temporary suspension
of all pipeline services. It became instant headliner for major news outlet. Reuters reported the attack
as “one of the most disruptive digital ransom operations ever reported”; CBS quoted experts saying
ransomware was “an existential threat” to businesses; and the New York Times described the incident
as “a vivid demonstration of the vulnerability of energy infrastructure to cyberattacks.”31

On Monday, May 10, Colonial announced that the company was planning to use a “phased
approach” to incrementally resume pipeline operation, and that it was looking to “substantially
[restore] operational service by the end of the week.” FBI also confirmed on the same day that DarkSide
was the responsible party behind the attack.32

5
This document is authorized for use only by An Nguyen in INSC 30853 Fundamentals of Cybersecurity taught by LAYNE BRADLEY, ${institution} from Jan 2025 to May 2025.
 For the exclusive use of A. Nguyen, 2025.

123-069 Ransomware Attack at Colonial Pipeline Company

On May 12, Mandiant and Colonial conclusively determined that the attack had been contained,
and the restart of the pipe operation began, ending the six-day shutdown. Nonetheless, bringing
pipeline back on-line required, in Blount’s words, “Herculean, around-the-clock” effort, and it was not
until May 17 that the pipelines were supplying products at a normal volume. 33

The impact of the hack hardly ended after May 17. It would take weeks and in some cases months
to recover some of Colonial’s business systems. Blount estimated that the cost of the incident would be
in the tens of millions of dollars. Blount also rued the loss of anonymity. “We were perfectly happy
having no one know who Colonial Pipeline was, and unfortunately that’s not the case anymore,” said
Blount, “Everybody in the world knows.”34

Root Cause
Mandiant experts conducted an exhaustive search to ascertain how hackers breached the company
network. They believed perpetrators entered Colonial’s network as early as April 29, 2021 through a
legacy virtual private network (“VPN”) account that allowed employees to remotely access the
company’s network. The account was no longer actively in use by the employee at the time of the attack
but had not been deactivated. The investigation could not determine how the credential was actually
obtained by the hackers. Since the account’s password was discovered inside a batch of leaked
passwords on the darkweb, one possibility Mandiant proposed was that a Colonial employee may have
reused the same password on another non-company account that was previously hacked. Mandiant
also found that the VPN account did not require multifactor authentication, a basic protection feature,
thus allowing the hackers to breach the network using just a compromised username and password. 35

Compromised VPN account was a routine way ransomware operator used to infiltrate
organizational network. One reason for hackers’ predilection for VPN was because organizations often
could not identify the true identity of the person logging into the internal network; that is, the
monitoring system could only identify the VPN account but not the actual workstation, thus preventing
hackers from exposing their true location.36

Noteworthily, it was later discovered that Colonial did not undergo a security review of its facilities
requested by the U.S. Transportation Security Administration (“TSA”) in 2020 and was in the process
of scheduling an audit of its computer networks when the ransomware attack happened. Nonetheless,
it was unclear if the security review and computer network audit would have prevented the attack. 37

Crisis Communication
The Colonial ransomware attack instantly made it to the news headlines. Since its first public
statement about the cyber incident and the pipeline shut down on May 8, media inquiries started
pouring in. The communication team, led by chief people and communication officer Angela Long,
working with its crisis communication consulting firm, quickly scrambled to develop regular employee
updates, providing public statements (see Exhibit 4 for excerpts of Colonial press releases throughout
the incident), preparing for daily government briefings, and supporting the operational and IT
response teams as they worked to restore the system. After the dust settled, the team had fielded more
than 1,000 media inquiries.

In May, 2022, The Public Relations Society of America awarded Colonial the Silver Anvil Award of
Excellence -- considered the icon of the profession and the benchmark of high performance in public
relations -- for the company’s crisis communication responses during the ransomware attack.38

6
This document is authorized for use only by An Nguyen in INSC 30853 Fundamentals of Cybersecurity taught by LAYNE BRADLEY, ${institution} from Jan 2025 to May 2025.
 For the exclusive use of A. Nguyen, 2025.

Ransomware Attack at Colonial Pipeline Company 123-069

Panic Buying and Government Response

The shutdown of the pipeline that transported about 45% of all fuel used in the East Coast caused
immediate disruption to the general economy and public life.

On May 9, The Federal Motor Carrier Safety Administration issued a regional emergency
declaration to temporarily lift the normal restriction on the amount of petroleum products that could
be transported by road in Washington D.C. and 17 states. Between May 7 and May 11, Colonial worked
with shippers and delivered more than 41 million gallons of fuels to various delivery points along its
system, in additional to the 84 million gallons needed for the company to restart the pipeline. The next
day on May 10, Georgia Governor also declared a state of emergency and temporarily lifted collection
of state taxes on diesel ($32.2 cents a gallon) and gasoline ($28.7 cents a gallon) until May 22.39

Many government officials, including multiple state governors, U.S. Transportation Secretary, and
U.S. Energy Secretary cautioned against panic buying on fuel. And panic buying the public did. Despite
the fact that the U.S. gasoline inventory during the pipeline shutdown would have lasted about 26
days, worried drivers started piling into gas stations. Most southeastern and eastern states started
reporting fuel shortages. On May 13, more than half of the stations were out of gas in North Carolina,
Virginia, Washington, D.C., and South Carolina. On that same day the average U.S. price of gasoline
broke $3 a gallon for the first time in over six years. Washington D.C. would also see the highest
shortage rate of all places, with 87% of gas station ran dry on May 14. As social media flooded with
pictures of people lined up to hoard gas, containers of all sorts in hand, US Consumer Product Safety
Commission offered a warning that quickly went viral: “Do not fill plastic bags with gasoline.”40

The aviation industry was also impacted. At Charlotte’s Douglas International Airport in North
Carolina, American Airlines changed flight schedule temporarily, with some flights added fuel stops
outside of the impacted states; Hartsfield-Jackson Atlanta International Airport scrambled to find
additional suppliers to augment the airport’s jet fuel inventory; and Southwest Airlines flew planes
with additional fuel into Nashville International Airport to supplement the dwindling local supply.41

Aftermath
On May 12, 2021, the same day Colonial restarted the main pipeline (see Exhibit 5 for the timeline),
President Biden signed Executive Order 14028 as a response to the growing number of cyberattacks.
The order aimed to increase software security standards to the government, strengthen detection and
security on existing systems, improve information sharing and training, establish a Cyber Safety
Review Board, and improve incident response. Ultimately it attempted to establish a clear framework
for how the government and private entities may work together to improve cybersecurity. 42

On May 14, DarkSide announced that it was shutting down the business. In a statement, the group
claimed that it had lost access to its public-facing portion of its online system, including its blog and
payment server. “Due to the pressure from the U.S., the affiliate program is closed…Stay safe and good
luck,” DarkSide stated. This pronouncement came just one day after President Biden said that the
country would not rule out a retaliatory strike against DarkSide to “disrupt their ability to operate.” It
was not clear if the group’s hiatus was the doing of the U.S. government. Analysts also speculated that
the closedown could be a ruse to bring operations underground or to deflect the negative attention
associated with the Colonial attack.43

That same month, the U.S. Transportation Safety Administration (“TSA”), the pipeline’s oversight
agency, announced new security directives that would require pipeline operators to notify TSA when
they were targets of cyberattacks.44

7
This document is authorized for use only by An Nguyen in INSC 30853 Fundamentals of Cybersecurity taught by LAYNE BRADLEY, ${institution} from Jan 2025 to May 2025.
 For the exclusive use of A. Nguyen, 2025.

123-069 Ransomware Attack at Colonial Pipeline Company

On June 7, 2021, the Department of Justice announced that the FBI had successfully recovered 63.7
of the 75 bitcoins Colonial paid to DarkSide – a rare and difficult feat because law enforcement had to
find and monitor the virtual wallet associated with the criminal. Because bitcoin’s market value had
fallen since the date of the ransom payment, this recouped amount was valued at approximately $2.3
million. As of February, 2023, this remained one of the two known cases where the U.S. government
was successful at seizing cryptocurrency tied to illegal activities.45

Congressional Hearing
On June 8 and 9, 2021, Blount testified before the Senate and House committees, during which he
defended his actions during the ransomware attack. Blount told the committee that he believed he was
within his right to decide to pay ransom. “It was our understanding that the decision was solely ours
as a private company to make the decision about whether to pay or not to pay,” Blount said, “And
considering the consequences of potentially not bringing the pipeline back on as quickly as I possibly
could, I chose the option to make the ransom payment.” He also confirmed that the FBI or any
government entity was not involved in the discussion to pay ransom, but that Colonial did notify the
FBI of the payment two days after it was made. Committee members further questioned the merit of
paying ransom since the IT tool provided by DarkSide proved to be not as useful in restoring systems.
Blount shared the dilemma he was facing at the moment:

When you are there in the early hours of having your system and your servers and
computers encrypted, you don’t know what you have in front of you. You don’t know
how good your back-up systems are…. A lot of companies have back-up systems that
don’t help them at the end of the day…. We had to avail ourselves of any and every option
that we had, one of which was the de-encryption tool. So, therefore, the ransom payment
was made in order to get the tool. The tool was then brought in-house; Mandiant had the
tool. While Mandiant was also working with the tool, they were working with our back-
up systems, which, in this case, allowed us to bring the pipeline system back on. If our
back-up systems had been corrupted and were never capable of being used, there was the
potential that [without the de-encryption tool] we would have to rebuild the entire
system, which could have taken us a lot longer to bringing the pipeline back on before
[May 12, or five days after the initial attack]. Again, critical, critical dire consequences
could have come out of that. So, again, I availed myself of an option that in hindsight we
didn’t necessary need, but we wouldn’t have known it for days, which would have just
delayed our ability to start the system back up and bring 100 million gallons of fuel back
into our country.46

Blount also confirmed to committee members that the company had an emergency response plan
that stipulated the process to “see the threat, contain, remediate, and restore,” and that the company
had participated in cyberattack simulations. However, some committee members took exceptions to
the fact that the company did not have multifactor authentication to all VPN accounts and that the
emergency response plan did not include a directive on ransom. New Hampshire senator Maggie
Hassan also issued a statement following the hearing:47

It is a stunning admission that Colonial Pipeline did not have a plan in place if hackers
requested a ransom payment. I’ve talked with small school districts in my state of New
Hampshire that are better prepared for cyberattacks than Colonial Pipeline was. Colonial
Pipeline operates critical infrastructure that families and our economy rely on. It is
unacceptable that it was so unprepared for a cyberattack, and it is a wakeup call that more
must be done to secure our critical infrastructure.48

8
This document is authorized for use only by An Nguyen in INSC 30853 Fundamentals of Cybersecurity taught by LAYNE BRADLEY, ${institution} from Jan 2025 to May 2025.
 For the exclusive use of A. Nguyen, 2025.

Ransomware Attack at Colonial Pipeline Company 123-069

Cybersecurity Legislation
On top of executive branch actions such as President Biden’s executive order and TSA directives,
U.S. Congress also passed 13 bills in 2021 and 2022 that dealt in whole or part with cybersecurity. For
examples, the Cyber Diplomacy Act aimed to enhance the State Department’s ability to promote a
secure and open cyberspace by creating an office of cyberspace and the digital economy; the National
Defense Authorization Act included provisions to increase funding for cybersecurity research and
development, the creation of a cyber reserve force, and the establishment of a new cybersecurity
directorate within the Department of Homeland Security; and the Cyber Incident Notification Act
required federal agencies, contractors, and critical infrastructure owners and operators to report
significant cyber incidents to the CISA within 24 hours.49 In addition, in March, 2022, the U.S. Senate
passed an omnibus cybersecurity bill, the Strengthening American Cybersecurity Act, that would
require companies involved in critical infrastructure to report cyberattacks and ransomware payments,
among other provisions. As of February, 2023, the bill is awaiting a vote at the U.S. House of
Representatives.50

Post-attack Colonial
After the attack, Colonial removed the legacy VPN profile used in the attack and implemented
multifactor authentication for all VPN accounts. The firm also hired additional cybersecurity experts
on top of the Mandiant team to help device plans to ward off future attacks. 51

In February, 2022, Colonial brought in Adam Tice as the company’s first CISO. Tice was an ex-
Mandiant employee and had previously served as VP of Cyber Operations at Equifax, helping the
credit reporting company recover from a 2017 data breach incident that exposed 147 million consumer
records. Tice would also serve on the company’s Cyber Steering Committee with an “open line of
communication” to the CEO and the board. Colonial’s Technology Group also started re-structuring
for better organizational effectiveness. 52

In March, Blount was elected board chair of the Association of Oil Pipe Lines. The association’s CEO
remarked, “[Blount’s] first-hand knowledge and experience dealing with some of the major issues
industry faces is a great asset to AOPL and the pipeline industry.”53

In June, 2022, Mouchet retired from her CIO position, and the company brought in Darrell Riekena
as the new CIO to strengthen the strategy and operations of information technology across the
company, including infrastructure, applications, systems, solutions delivery, data, analytics, and
cybersecurity. Riekena brought with him past executive-level experience in technology and business
operations with Target, The Kroger Company, LimitedBrands, and JCPenny. He was the CIO for
Republic National Distributing Company just before joining Colonial.54

In December, 2022, Blount retired from the company. His CEO seat was filled by Melanie Little, a
pipeline industry leader with more than twenty years of experience and most recently the chief
operating officer at Magellan Midstream Partners, a publicly traded U.S. pipeline company.55

Conclusion
The ransomware attack at Colonial was the most significant cyberattack on an oil infrastructure
target in the United States history. It showed how a stolen password could create a state of national
emergency. It also acted as a wake-up call that prompted organizations, especially those in the critical
infrastructure, to examine their IT governance practices and data breach reaction plans.

9
This document is authorized for use only by An Nguyen in INSC 30853 Fundamentals of Cybersecurity taught by LAYNE BRADLEY, ${institution} from Jan 2025 to May 2025.
 For the exclusive use of A. Nguyen, 2025.

123-069 Ransomware Attack at Colonial Pipeline Company

Exhibit 1 Colonial Pipeline Company Selected Financial Data (in USD Millions)

2021 2020 2019

Balance Sheet Items:

Cash 356 91 88
AR and Receivables from Affiliates 311 339 225
Other Current Assets 43 63 95
Total Current Assets 710 493 408
Investment and Special Funds 520 497 481
Net Carrier Property (including Pipeline) 1,979 1,893 1,842
Net Noncarrier Property 35 31 31
Other Assets and Deferred Charges 122 229 244
Total Assets 3,366 3,143 3,006
AP and Payables to Affiliates 409 299 276
Other Current Liabilities 77 80 358
Total Current Liabilities 486 379 635
Long-Term Debt 2,600 2,600 2,260
Accumulative Deferred Tax Liabilities 409 428 418
Other Noncurrent Liabilities 149 121 120
Total Liabilities 3,644 3,529 3,433
Capital Stock and Additional Paid-in Capital 47 47 47
Treasury Stock (225) (225) (225)
Retained Earnings (Deficit) (72) (178) (218)
Accumulative Other Comprehensive Income (28) (30) (31)
Total Stockholders' Deficit (278) (386) (427)
Income Statement Items: - - -
Operating Revenue 1,228 1,321 1,386
Operating Expenses (782) (705) (779)
Operating Income 446 616 607
Interest Expense (133) (135) (129)
Unusual or Infrequent Items (101) - -
Other Income (Expense) 38 70 53
Total Other Income (Expenses) (197) (65) (75)
Income Taxes Expense (Net of Deferred Taxes) (64) (129) (127)
Net Income 186 422 405
Source: Casewriters; adapted from Colonial Pipeline Company FERC Financial Annual Report (FERC Form No.6), filed April
18, 2022 and April 20, 2021, https://elibrary.ferc.gov/eLibrary/search, accessed February, 2023.

Note: Minor line items have been combined. The unusual item charge of $101 million in 2021 was related to an asset
impairment unrelated to the ransomware attack.

10
This document is authorized for use only by An Nguyen in INSC 30853 Fundamentals of Cybersecurity taught by LAYNE BRADLEY, ${institution} from Jan 2025 to May 2025.
 For the exclusive use of A. Nguyen, 2025.

Ransomware Attack at Colonial Pipeline Company 123-069

Exhibit 2 Global Ransomware Attack Count and Total Ransom Paid Estimates

Source: Casewriters with data from SonicWall, “Annual number of ransomware attacks worldwide from 2016 to first half 2022
(in millions) [Graph],” Statista, June 22, 2022, https://www-statista-com.ezp-
prod1.hul.harvard.edu/statistics/494947/ransomware-attacks-per-year-worldwide/, accessed January, 2023; see also
Chainalysis, “As Ransomware Payments Continue to Grow, So Too Does Ransomware’s Role in Geopolitical Conflict,”
February 10, 2022, https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-ransomware/, accessed
February, 2023.

11
This document is authorized for use only by An Nguyen in INSC 30853 Fundamentals of Cybersecurity taught by LAYNE BRADLEY, ${institution} from Jan 2025 to May 2025.
 For the exclusive use of A. Nguyen, 2025.

123-069 Ransomware Attack at Colonial Pipeline Company

Exhibit 3 Standard DarkSide Ransom Note

---------[ Welcome to Dark ] ------>

What happened?

Your computers and servers are encrypted, backups are deleted. We use strong encryption
algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special
program from us – universal decryptor. This program will restore all your network. Follow our
instructions below and you will recover all your data.

Data Leak

First of all we have uploaded more than 100 GB data.

Example of data: Accounting data, Executive data, Sales data, customer support data, marketing
data, quality data, and more other…

Your personal leak page: [URL]

The data is preloaded and will be automatically published if you do no pay. After publication, your
data will be available for at least 6 months on our tor cdn servers.

We are ready to provide you the evidence of stolen data, to give you universal decrypting tool for
all encrypted files, to delete all the stolen data

What guarantees?

We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in
our interests. All our decryption software is perfectly tested and will decrypt your data. We will also
provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact
us.

How to get access on website?

Using a TOR browser:

1) Download and install TOR browser from this site: [URL]

2) Open our website: [URL]

When you open our website, put the following data in the input form:

Key: [Key Code]

!!! DANGER !!!

DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.

!!! DANGER !!!

Source: Lawrence Abrams, “DarkSide: New Targeted Ransomware Demands Million Dollar Ransoms,” August, 21, 2020,
https://www.bleepingcomputer.com/news/security/darkside-new-targeted-ransomware-demands-million-dollar-
ransoms/, accessed February, 2023.

12
This document is authorized for use only by An Nguyen in INSC 30853 Fundamentals of Cybersecurity taught by LAYNE BRADLEY, ${institution} from Jan 2025 to May 2025.
 For the exclusive use of A. Nguyen, 2025.

Ransomware Attack at Colonial Pipeline Company 123-069

Exhibit 4 Excerpts of Press Releases by Colonial Related to May 2021 Ransomware Attack

Saturday, May 8, 12:30 p.m.

On May 7, the Colonial Pipeline Company learned it was the victim of a cybersecurity attack. We
have since determined that this incident involves ransomware. In response, we proactively took certain
systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected
some of our IT systems. Upon learning of the issue, a leading, third-party cybersecurity firm was
engaged, and they have launched an investigation into the nature and scope of this incident, which is
ongoing. We have contacted law enforcement and other federal agencies.

Colonial Pipeline is taking steps to understand and resolve this issue. At this time, our primary
focus is the safe and efficient restoration of our service and our efforts to return to normal operation.
This process is already underway, and we are working diligently to address this matter and to
minimize disruption to our customers and those who rely on Colonial Pipeline.

Sunday, May 9, 5:10 p.m.

Over the past 48 hours, Colonial Pipeline personnel have taken additional precautionary measures
to help further monitor and protect the safety and security of its pipeline.

The Colonial Pipeline operations team is developing a system restart plan. While our mainlines
(Lines 1, 2, 3 and 4) remain offline, some smaller lateral lines between terminals and delivery points
are now operational. We are in the process of restoring service to other laterals and will bring our full
system back online only when we believe it is safe to do so, and in full compliance with the approval
of all federal regulations.

Monday, May 10, 12:25 p.m.

Colonial Pipeline continues to dedicate vast resources to restoring pipeline operations quickly and
safely. Segments of our pipeline are being brought back online in a stepwise fashion, in compliance
with relevant federal regulations and in close consultation with the Department of Energy, which is
leading and coordinating the Federal Government’s response.

Restoring our network to normal operations is a process that requires the diligent remediation of
our systems, and this takes time. In response to the cybersecurity attack on our system, we proactively
took certain systems offline to contain the threat, which temporarily halted all pipeline operations, and
affected some of our IT systems. To restore service, we must work to ensure that each of these systems
can be brought back online safely.

While this situation remains fluid and continues to evolve, the Colonial operations team is executing
a plan that involves an incremental process that will facilitate a return to service in a phased approach.
This plan is based on a number of factors with safety and compliance driving our operational decisions,
and the goal of substantially restoring operational service by the end of the week. The Company will
provide updates as restoration efforts progress.

We continue to evaluate product inventory in storage tanks at our facilities and others along our
system and are working with our shippers to move this product to terminals for local delivery. Actions
taken by the Federal Government to issue a temporary hours of service exemption for motor carriers
and drivers transporting refined products across Colonial’s footprint should help alleviate local supply
disruptions and we thank our government partners for their assistance in resolving this matter.

13
This document is authorized for use only by An Nguyen in INSC 30853 Fundamentals of Cybersecurity taught by LAYNE BRADLEY, ${institution} from Jan 2025 to May 2025.
 For the exclusive use of A. Nguyen, 2025.

123-069 Ransomware Attack at Colonial Pipeline Company

Monday, May 10, 7:50 p.m.

We can now report that Line 4, which runs from Greensboro, N.C., to Woodbine, Md., is operating
under manual control for a limited period of time while existing inventory is available. As previously
announced, while our main lines continue to be offline, some smaller lateral lines between terminals
and delivery points are now operational as well. We continue to evaluate product inventory in storage
tanks at our facilities and others along our system and are working with our shippers to move this
product to terminals for local delivery.

Tuesday, May 11, 5:15 p.m.

Since our pipeline system was taken offline, working with our shippers, Colonial has delivered
approximately 967,000 barrels (~41 million gallons) to various delivery points along our system. This
includes delivery into the following markets: Atlanta, Ga., Belton and Spartanburg, S.C., Charlotte and
Greensboro, N.C., Baltimore, Md., and Woodbury and Linden N.J. Additionally, in preparation for our
system restart, we have taken delivery of an additional 2 million barrels (~84 million gallons) from
refineries for deployment upon restart.

Consistent with our safety policies and regulatory requirements, Colonial has increased aerial
patrols of our pipeline right of way and deployed more than 50 personnel to walk and drive ~ 5,000
miles of pipeline each day.

Actions taken by the Federal Government to issue a temporary hours of service exemption for motor
carriers and drivers transporting refined products across Colonial’s footprint and actions taken by
several Governors to lift weight restrictions on tanker trucks should help alleviate local supply
disruptions. This is in addition to the Reid Vapor Pressure wavier issued today by the U.S. EPA that
will also help alleviate supply constraints in several states serviced by our system. We would like to
thank the White House for their leadership and collaboration in resolving this matter as well as the
DOE, PHMSA, FERC and other federal agencies for their ongoing support.

Wednesday, May 12, 5:10 p.m.

Colonial Pipeline initiated the restart of pipeline operations today at approximately 5 p.m. ET.

Following this restart, it will take several days for the product delivery supply chain to return to
normal. Some markets served by Colonial Pipeline may experience, or continue to experience,
intermittent service interruptions during the start-up period. Colonial will move as much gasoline,
diesel, and jet fuel as is safely possible and will continue to do so until markets return to normal.

As we initiate our return to service, our primary focus remains safety. As part of this startup process,
Colonial will conduct a comprehensive series of pipeline safety assessments in compliance with all
Federal pipeline safety requirements.

This is the first step in the restart process and would not have been possible without the around-
the-clock support of Colonial Pipeline’s dedicated employees who have worked tirelessly to help us
achieve this milestone. We would also like to thank the White House for their leadership and
collaboration, as well as the Department of Energy, Department of Transportation, FBI, PHMSA, FERC
and other federal, state and local agencies for their ongoing support.

Thursday, May 13, 9 a.m.

Colonial Pipeline has made substantial progress in safely restarting our pipeline system and can
report that product delivery has commenced in a majority of the markets we service. By mid-day today,
we project that each market we service will be receiving product from our system. The green segments

14
This document is authorized for use only by An Nguyen in INSC 30853 Fundamentals of Cybersecurity taught by LAYNE BRADLEY, ${institution} from Jan 2025 to May 2025.
 For the exclusive use of A. Nguyen, 2025.

Ransomware Attack at Colonial Pipeline Company 123-069

on this map are operational, meaning product delivery has commenced. Blue lines will be operational
later today.

This would not have been possible without the commitment and dedication of the many Colonial
team members across the pipeline who worked safely and tirelessly through the night to get our lines
up and running. We are grateful for their dedicated service and professionalism during these
extraordinary times.

Thursday, May 13, 4:40 p.m.

Colonial Pipeline has continued to make substantial progress in safely restarting our pipeline
system. We can now report that we have restarted our entire pipeline system and that product delivery
has commenced to all markets we serve.

Following this restart, it will take several days for the product delivery supply chain to return to
normal. Some markets served by Colonial Pipeline may experience, or continue to experience,
intermittent service interruptions during this start-up period. Colonial will move as much gasoline,
diesel, and jet fuel as is safely possible and will continue to do so until markets return to normal.

Monday, May 17, 5:25 p.m.

Colonial Pipeline continues to make substantial progress in safely moving other’s product
throughout our pipeline system. We can now report that we are transporting refined products
(gasoline, diesel and jet fuel) at normal levels and are fully operational. It will take some time for the
fuel supply chain to fully catch-up.

Colonial’s role in the fuel delivery supply chain is outlined in the following infographic.

Thank you to all the terminal operators, the truck drivers making deliveries, and all others who are
key in helping to complete the fuel delivery supply chain.
Source: Excerpted from Colonial Pipeline Company, “Media Statement Update: Colonial Pipeline System Disruption – System
Restart and Operational Update,” May, 2021, https://www.colpipe.com/news/press-releases/media-statement-
colonial-pipeline-system-disruption, accessed February, 2023.

15
This document is authorized for use only by An Nguyen in INSC 30853 Fundamentals of Cybersecurity taught by LAYNE BRADLEY, ${institution} from Jan 2025 to May 2025.
 For the exclusive use of A. Nguyen, 2025.

123-069 Ransomware Attack at Colonial Pipeline Company

Exhibit 5 Colonial Pipeline Timeline

1961 • Colonial Pipeline Company founded

• Marie Mouchet joined Colonial as its first CIO
2016
• Started series of cybersecurity risk assessment and IT upgrades
April 29, 2021 • DarkSide accessed Colonial’s IT system
May 6, 2021 • DarkSide stole 100 gigabyte of data and began encrypting data
• Ransom note found; Colonial shut down all pipeline operation
• Colonial brought in Mandiant experts and contacted FBI, CISA, DOE,
May 7, 2021
and other governmental agencies
• Blount and executives decided to pay ransom
• DarkSide received ransom payment and provided the decryption tool
(later proved inefficient)
May 8, 2021
• President Biden briefed of the incident
• Pipeline shutdown news broke to the public
• Regional emergency declared to lift ground fuel transportation
May 9, 2021
restriction in 17 states and Washington D.C.
• FBI identified DarkSide affiliates as the perpetrator
May 10, 2021 • Georgia declared state of emergency and temporarily lifted state taxes
collection on diesel and gasoline
• Mandiant and Colonial determined that the attack had been contained;
pipeline operation restarted using backup system files
May 12, 2021
• President Biden signed executive order aimed to improve cybersecurity
for government and private entities
• Ransom payment information leaked to the public
May 13, 2021
• Most impacted states reported fuel shortage; gas price broke $3 a gallon
May 14, 2021 • DarkSide announced shutting down business
May 17, 2021 • Pipelines operation back to pre-attack volume
May 18, 2021 • Colonial customers filed a putative lawsuit against Colonial
May 19, 2021 • Blount publicly admitted the ransom payment
June 7, 2021 • FBI recovered most of the bitcoins Colonial paid to DarkSide
June 8, 2021 • Blount testified in front of a Senate committee
June 9, 2021 • Blount and Mandiant executive testified in front of a House committee
February, 2022 • Adam Tice named Colonial’s first CISO
May, 2022 • Colonial received award for crisis communication management
June, 2022 • Darrell Riekena replaced Marie Mouchet as CIO
July, 2022 • Lawsuit against Colonial dismissed
December, 2022 • Melanie Little replaced Joseph Blount as CEO

Source: Compiled by casewriters.

16
This document is authorized for use only by An Nguyen in INSC 30853 Fundamentals of Cybersecurity taught by LAYNE BRADLEY, ${institution} from Jan 2025 to May 2025.
 For the exclusive use of A. Nguyen, 2025.

Ransomware Attack at Colonial Pipeline Company 123-069

Endnotes

1 Collin Eaton and Dustin Volz, “Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million Ransom,” The Wall Street
Journal, May 19, 2021, https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-
11621435636, accessed February, 2023.
2 Kelly Jackson Higgins, “What the CEO Saw: Colonial Pipeline, Accellion Execs Share Cyberattack War Stories,” October 6,
2021, https://www.darkreading.com/threat-intelligence/what-the-ceo-saw-colonial-pipeline-accellion-execs-share-
cyberattack-war-stories, accessed February, 2023.
3 Aaron Gregg, “CEO Defends Colonial Pipeline’s Ransomware Response during Senate Hearing,” The Washington Post, June 8,
2021, https://www.washingtonpost.com/business/2021/06/08/colonial-pipeline-ceo-blount-congress/, accessed February,
2023; see also Hearing Before the Committee on Homeland Security House of Representatives, “Cyber Threats in the Pipeline:
Using Lessons from the Colonial Ransomware Attack to Defend Critical Infrastructure,” Serial No. 117-15, June, 9, 2021,
https://www.govinfo.gov/content/pkg/CHRG-117hhrg45085/html/CHRG-117hhrg45085.htm, accessed February, 2023.
4 Joseph Blount, “Testimony of Joseph Blount, President and Chief Executive Officer, Colonial Pipeline Company,” June 8,
2021, https://www.congress.gov/117/meeting/house/112689/witnesses/HHRG-117-HM00-Wstate-BlountJ-20210609.pdf,
accessed February, 2022; see also Colonial Pipeline Company, “Our History,” https://www.colpipe.com/about-us/our-
history, accessed February, 2023; see also Colonial Pipeline Company, “Our Company,” https://www.colpipe.com/about-
us/our-company, accessed February, 2023. See also Colonial Pipeline Company FERC Financial Annual Report (FERC Form
No.6), filed April 20, 2021, https://elibrary.ferc.gov/eLibrary/search, accessed February, 2023; see also Chris Isidore, “Who
Owns the Colonial Pipeline? It’s Complicated,” CNN Business, May 12, 2021,
https://www.cnn.com/2021/05/12/investing/colonial-pipeline-
ownership/index.html#:~:text=Marathon%20and%20BP%20(BP)%20sold,of%20the%20privately%2Dheld%20shares., accessed
February, 2023.
5 Ibid.; see also Zippia, “Colonial Pipeline Revenue,” https://www.zippia.com/colonial-pipeline-careers-19622/revenue/,
accessed February, 2023.
6 Colonial Pipeline Company FERC Financial Annual Report (FERC Form No.6), accession no. 20220418-8098, filed April 18,
2022, https://elibrary.ferc.gov/eLibrary/search, accessed February, 2023.
7 LinkedIn Profile, “Marie Mouchet,” accessed February, 2023.

8 Ibid.

9 Frank Bajak, “Tech Audit of Colonial Pipeline Found ‘Glaring’ Problems,” AP, May 12, 2021,
https://apnews.com/article/va-state-wire-technology-business-1f06c091c492c1630471d29a9cf6529d, accessed February, 2023
10 Ibid.; see also Aaron Gregg, “CEO Defends Colonial Pipeline’s Ransomware Response during Senate Hearing,” The
Washington Post, June 8, 2021, https://www.washingtonpost.com/business/2021/06/08/colonial-pipeline-ceo-blount-
congress/, accessed February, 2023.
11 Frank Bajak, “Tech Audit of Colonial Pipeline Found ‘Glaring’ Problems,” AP, May 12, 2021,
https://apnews.com/article/va-state-wire-technology-business-1f06c091c492c1630471d29a9cf6529d, accessed February, 2023
12 This section largely drew from HBS Case 123-065 “Ransomware Attack at Springhill Medical Center” by Suraj Srinivasan
and Li-Kuan (Jason) Ni.
13 Checkpoint.com, “How Ransomware Works,” https://www.checkpoint.com/cyber-hub/threat-
prevention/ransomware/#:~:text=After%20ransomware%20has%20gained%20access,originals%20with%20the%20encrypted
%20versions., accessed February, 2023.
14 IBM Security, “Cost of a Data Breach Report 2022,” July, 2022, https://www.ibm.com/downloads/cas/3R8N1DZJ, accessed
February, 2023; see also SonicWall, “2022 SonicWall Cyber Threat Report,” 2022,
https://www.sonicwall.com/medialibrary/en/white-paper/2022-sonicwall-cyber-threat-report.pdf, accessed February, 2023;
see also Coveware, “Average Duration of Downtime after a Ransomware Attack from 1st Quarter 2020 to 4th Quarter 2021
[Graph],” In Statista, February 3, 2022, https://www-statista-com.ezp-prod1.hul.harvard.edu/statistics/1275029/length-of-
downtime-after-ransomware-attack/, accessed February, 2023.
15 Edward Segal, “Why Experts Disagree On Whether Businesses Should Pay Ransomware Demands,” Forbes, July 29, 2022,
https://www.forbes.com/sites/edwardsegal/2022/07/29/why-experts-disagree-on-whether-businesses-should-pay-
ransomware-demands/?sh=17ab27a74fca, accessed February, 2023; see also Sally Adam, “The State of Ransomware 2021,”

17
This document is authorized for use only by An Nguyen in INSC 30853 Fundamentals of Cybersecurity taught by LAYNE BRADLEY, ${institution} from Jan 2025 to May 2025.
 For the exclusive use of A. Nguyen, 2025.

123-069 Ransomware Attack at Colonial Pipeline Company

April 27, 2021, https://news.sophos.com/en-us/2021/04/27/the-state-of-ransomware-2021/, accessed February, 2023; see

also, IBM Security, “Cost of a Data Breach Report 2022,” July, 2022, https://www.ibm.com/downloads/cas/3R8N1DZJ,
accessed February, 2023.
16 Fawad Ali, “The Top 5 Deadliest Ransomware Groups in the World,” August 1, 2022,
https://www.makeuseof.com/worlds-deadliest-ransomware-gangs/, accessed February, 2023; see also Terry Gross, “Inner
Workings Of DarkSide Cybergang Reveal It's Run Like Any Other Business,” NPR, June 10, 2021,
https://www.npr.org/2021/06/10/1005093802/inner-workings-of-darkside-cybergang-reveal-its-run-like-any-other-
business, accessed February, 2023.
17 Charlie Osborne, “Researchers Track Down Five Affiliates of DarkSide Ransomware Services,” ZD Net, May 12, 2021,
https://www.zdnet.com/article/researchers-track-down-five-affiliates-of-darkside-ransomware-service/, accessed February,
2023.
18 Joe Tidy, “Mysterious ‘Robin Hood’ Hackers Donating Stolen Money,” BBC, October 20, 2020,
https://www.bbc.com/news/technology-54591761, accessed February, 2023.
19 Tom Robinson, “DarkSide Ransomware has Netted Over $90 Million in Bitcoin,” May 18, 2021,
https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin, accessed February, 2023.
20 Jordan Robertson and William Turton, “Colonial Hackers Stole Data Thursday Ahead of Shutdown,” Bloomberg, May 8,
2021, https://www.bloomberg.com/news/articles/2021-05-09/colonial-hackers-stole-data-thursday-ahead-of-pipeline-
shutdown, accessed February, 2023; see also Brian Fung, “Colonial Pipeline Says Ransomware Attack also led to Personal
Information Being Stolen,” CNN, August, 16, 2021, https://www.cnn.com/2021/08/16/tech/colonial-pipeline-
ransomware/index.html, accessed February, 2023.
21 Joseph Blount, “Testimony of Joseph Blount, President and Chief Executive Officer, Colonial Pipeline Company,” June 8,
2021, https://www.congress.gov/117/meeting/house/112689/witnesses/HHRG-117-HM00-Wstate-BlountJ-20210609.pdf,
accessed February, 2022; see also Evan Perez, Zachary Cohen and Alex Marquardt, “First on CNN: US Recovers Millions in
Cryptocurrency Paid to Colonial Pipeline Ransomware Hackers,” CNN, June 8, 2021,
https://www.cnn.com/2021/06/07/politics/colonial-pipeline-ransomware-recovered/index.html, accessed February, 2023;
see also Collin Eaton and Dustin Volz, “Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million Ransom,” The Wall
Street Journal, May 19, 2021, https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-
ransom-11621435636, accessed February, 2023.
22 Joseph Blount, “Testimony of Joseph Blount, President and Chief Executive Officer, Colonial Pipeline Company,” June 8,
2021, https://www.congress.gov/117/meeting/house/112689/witnesses/HHRG-117-HM00-Wstate-BlountJ-20210609.pdf,
accessed February, 2022.
23 Hearing Before the Committee on Homeland Security House of Representatives, “Cyber Threats in the Pipeline: Using
Lessons from the Colonial Ransomware Attack to Defend Critical Infrastructure,” Serial No. 117-15, June, 9, 2021,
https://www.govinfo.gov/content/pkg/CHRG-117hhrg45085/html/CHRG-117hhrg45085.htm, accessed February, 2023.
24 Ibid.

25 Kelly Jackson Higgins, “What the CEO Saw: Colonial Pipeline, Accellion Execs Share Cyberattack War Stories,” October 6,
2021, https://www.darkreading.com/threat-intelligence/what-the-ceo-saw-colonial-pipeline-accellion-execs-share-
cyberattack-war-stories, accessed February, 2023.
26 Collin Eaton and Dustin Volz, “Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million Ransom,” The Wall Street
Journal, May 19, 2021, https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-
11621435636, accessed February, 2023.
27 Collin Eaton and Dustin Volz, “Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million Ransom,” The Wall Street
Journal, May 19, 2021, https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-
11621435636, accessed February, 2023; see also Aaron Gregg, “CEO Defends Colonial Pipeline’s Ransomware Response during
Senate Hearing,” The Washington Post, June 8, 2021, https://www.washingtonpost.com/business/2021/06/08/colonial-
pipeline-ceo-blount-congress/, accessed February, 2023.
28 Collin Eaton and Dustin Volz, “Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million Ransom,” The Wall Street
Journal, May 19, 2021, https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-
11621435636, accessed February, 2023; see also Joseph Blount, “Testimony of Joseph Blount, President and Chief Executive
Officer, Colonial Pipeline Company,” June 8, 2021,

18
This document is authorized for use only by An Nguyen in INSC 30853 Fundamentals of Cybersecurity taught by LAYNE BRADLEY, ${institution} from Jan 2025 to May 2025.
 For the exclusive use of A. Nguyen, 2025.

Ransomware Attack at Colonial Pipeline Company 123-069

https://www.congress.gov/117/meeting/house/112689/witnesses/HHRG-117-HM00-Wstate-BlountJ-20210609.pdf,
accessed February, 2022; see also Natasha Bertrand, Evan Perez, Zachary Cohen, Geneva Sands, and Josh Campbell, “Colonial
Pipeline Did Pay Ransom to Hackers, Sources Now Say,” CNN, May 13, 2021,
https://www.cnn.com/2021/05/12/politics/colonial-pipeline-ransomware-payment/index.html, accessed February, 2023.
29 William Turton, Michael Riley and Jennifer Jacobs, “Colonial Pipeline Paid Hackers Nearly $5 Million in Ransom,”
Bloomberg, May 13, 2021, https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-
million-in-ransom, accessed February, 2023.
30 Ibid.

31 David E. Sanger, Clifford Krauss, and Nicole Perlroth, “Cyberattack Forces a Shutdown of a Top U.S. Pipeline,” The New
York Times, May 8, 2021, https://www.nytimes.com/2021/05/08/us/politics/cyberattack-colonial-pipeline.html, accessed
February, 2023; see also Christopher Bing and Stephanie Kelly, “Cyber Attack Shuts Down U.S. Fuel Pipeline ‘jugular,’ Biden
briefed,” Reuters, May 8, 2021, https://www.reuters.com/technology/colonial-pipeline-halts-all-pipeline-operations-after-
cybersecurity-attack-2021-05-08/, accessed February, 2023; see also Grace Segers, “Cyberattack Prompts Major Pipeline
Operator to Halt Operations,” CBS, May 9, 2021, https://www.cbsnews.com/news/colonial-pipeline-cyberattack-shut-
down/, accessed February, 2023.
32 William Turton and Kartikay Mehrotra, “Hackers Breached Colonial Pipeline Using Compromised Password,” Bloomberg,
June 4, 2021, https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-
compromised-password, accessed February, 2023; see also Colonial Pipeline Company, “Media Statement Update: Colonial
Pipeline System Disruption – System Restart and Operational Update,” May 12 and May 17, 2021,
https://www.colpipe.com/news/press-releases/media-statement-colonial-pipeline-system-disruption, accessed February,
2023.
33 Colonial Pipeline Company, “Media Statement Update: Colonial Pipeline System Disruption – System Restart and
Operational Update,” May 12 and May 17, 2021, https://www.colpipe.com/news/press-releases/media-statement-colonial-
pipeline-system-disruption, accessed February, 2023; see also Hearing Before the Committee on Homeland Security House of
Representatives, “Cyber Threats in the Pipeline: Using Lessons from the Colonial Ransomware Attack to Defend Critical
Infrastructure,” Serial No. 117-15, June, 9, 2021, https://www.govinfo.gov/content/pkg/CHRG-117hhrg45085/html/CHRG-
117hhrg45085.htm, accessed February, 2023.
34 Collin Eaton and Dustin Volz, “Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million Ransom,” The Wall Street
Journal, May 19, 2021, https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-
11621435636, accessed February, 2023.
35 William Turton and Kartikay Mehrotra, “Hackers Breached Colonial Pipeline Using Compromised Password,” Bloomberg,
June 4, 2021, https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-
compromised-password, accessed February, 2023; see also Aaron Gregg, “CEO Defends Colonial Pipeline’s Ransomware
Response during Senate Hearing,” The Washington Post, June 8, 2021,
https://www.washingtonpost.com/business/2021/06/08/colonial-pipeline-ceo-blount-congress/, accessed February, 2023.
36 Jessica Davis, “DHS Warns Hackers Compromising Patched VPNs with Stolen Credentials,” April 17, 2020,
https://healthitsecurity.com/news/dhs-warns-hackers-compromising-patched-vpns-with-stolen-credentials, accessed
February, 2023.
37 Staff, “Cyber Daily: Colonial Pipeline Missed Requested Security Review Before Hack | Tesla’s Data Promise in China,” The
Wall Street Journal, May 27, 2021, https://www.wsj.com/articles/cyber-daily-colonial-pipeline-missed-requested-security-
review-before-hack-teslas-data-promise-in-china-11622121407?mod=Searchresults_pos10&page=1, accessed February, 2023.
38 Colonial Pipeline Company, “Colonial Pipeline Recognized Nationally for Crisis Communication Response to Company
Cyberattack,” May 26, 2022, https://www.colpipe.com/news/press-releases/colonial-pipeline-recognized-nationally-for-
crisis-communication-response-to-company-cyberattack, accessed February, 2023.
39 Federal Motor Carriers Safety Administration, “ESC-SSC-WSC - Regional Emergency Declaration 2021-002 - 05-09-2021,”
May 9, 2021, https://www.fmcsa.dot.gov/emergency/esc-ssc-wsc-regional-emergency-declaration-2021-002-05-09-2021,
accessed February, 2023; see also Colonial Pipeline Company, “Colonial Press Release: Media Statement Update: Colonial
Pipeline System Disruption,” May 11, 2021, https://www.colpipe.com/news/press-releases/media-statement-colonial-
pipeline-system-
disruption#:~:text=Colonial%20Pipeline%20continues%20to%20make,levels%20and%20are%20fully%20operational. Accessed
February, 2023; see also

19
This document is authorized for use only by An Nguyen in INSC 30853 Fundamentals of Cybersecurity taught by LAYNE BRADLEY, ${institution} from Jan 2025 to May 2025.
 For the exclusive use of A. Nguyen, 2025.

123-069 Ransomware Attack at Colonial Pipeline Company

40 Rachel Treisman, “Colonial Pipeline Restarts: There’s No Need To Panic-Buy Gas (And Never Was),” NPR, May 12, 2021,
https://www.npr.org/2021/05/12/996323371/colonial-pipeline-restarts-theres-no-need-to-panic-buy-gas-and-never-was,
accessed February, 2023; see also Max Rust and Roque Ruiz, “Why the Colonial Pipeline Shutdown Is Causing Gas Shortages,”
The Wall Street Journal, May 13, 2021, https://www.wsj.com/articles/why-the-colonial-pipeline-shutdown-is-causing-gasoline-
shortages-11620898203?mod=Searchresults_pos1&page=1, accessed February, 2023.
41 Leslie Josephs, “Pipeline Outage Forces American Airlines to Add Stops to Some Long-haul Flights, Southwest Flies in
Fuel,” CNBC, May 10, 2021, https://www.cnbc.com/2021/05/10/colonial-pipeline-shutdown-forces-airlines-to-consider-
other-ways-to-get-fuel.html, accessed February, 2022.
42 Exiger, “Key Points of Biden’s Executive Order 14028,” September 13, 2022,
https://www.exiger.com/perspectives/executive-order-14028/, accessed February, 2023.
43 Michael Schwirtz and Nicole Perlroth, “DarkSide, Blamed for Gas Pipeline Attack, Says It Is Shutting Down,” The New York
Times, May 14, 2021, https://www.nytimes.com/2021/05/14/business/darkside-pipeline-hack.html, accessed February, 2023.
44 Rebecca Smith, “After Colonial Pipeline Hack, U.S. to Require Operators to Report Cyberattacks,” The Wall Street Journal,
May 25, 2021, https://www.wsj.com/articles/tsa-to-require-pipeline-operators-to-notify-it-of-cyberattacks-
11621960244?mod=Searchresults_pos7&page=1, accessed February, 2023.
45 Alexander Mallin and Luke Barr, “DOJ Seizes Millions in Ransom Paid by Colonial Pipeline,” ABC, June 7, 2021,
https://abcnews.go.com/Politics/doj-seizes-millions-ransom-paid-colonial-pipeline/story?id=78135821, accessed February,
2023.
46 Hearing Before the Committee on Homeland Security House of Representatives, “Cyber Threats in the Pipeline: Using
Lessons from the Colonial Ransomware Attack to Defend Critical Infrastructure,” Serial No. 117-15, June, 9, 2021,
https://www.govinfo.gov/content/pkg/CHRG-117hhrg45085/html/CHRG-117hhrg45085.htm, accessed February, 2023.
47 Video Recording of Senate Homeland Security and Governmental Affairs Committee Full Committee Hearing, “Threats to
Critical Infrastructure: Examining the Colonial Pipeline Cyber Attack,” June 8, 2021,
https://www.hsgac.senate.gov/hearings/threats-to-critical-infrastructure-examining-the-colonial-pipeline-cyber-attack/,
accessed February, 2023.
48 Office of Senator Maggie Hassan, “Press Release: Senator Hassan on Colonial Pipeline Hearing: ‘I’ve talked with small
school districts in my state of New Hampshire that are better prepared for cyberattacks than Colonial Pipeline’,” June 8, 2021,
https://www.hassan.senate.gov/news/press-releases/senator-hassan-on-colonial-pipeline-hearing-ive-talked-with-small-
school-districts-in-my-state-of-new-hampshire-that-are-better-prepared-for-cyberattacks-than-colonial-pipeline, accessed
February, 2023.
49 Cynthia Brumfield, “Infrastructure Bill Includes $1.9 Billion for Cybersecurity,” November, 2021,
https://www.csoonline.com/article/3639019/whats-next-in-congress-for-cybersecurity-after-enactment-of-the-infrastructure-
bill.html, accessed February, 2023; see also Cynthia Brumfield, “U.S. Cybersecurity Congressional Outlook for the Rest of 2022,
” June 7, 2022, https://www.csoonline.com/article/3662778/u-s-cybersecurity-congressional-outlook-for-the-rest-of-
2022.html, accessed February, 2023.
50 S.3600 - Strengthening American Cybersecurity Act of 2022, Summary and Status, https://www.congress.gov/bill/117th-
congress/senate-bill/3600?s=1&r=70, accessed February, 2023.
51 William Turton and Kartikay Mehrotra, “Hackers Breached Colonial Pipeline Using Compromised Password,” Bloomberg,
June 4, 2021, https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-
compromised-password, accessed February, 2023
52 David Jones, “Colonial Pipeline Names Cybersecurity Veteran as First CISO,” February 23, 2022,
https://www.cybersecuritydive.com/news/colonial-pipeline-ciso-adam-tice/619272/, accessed February, 2023.
53 Colonial Pipelines Company, “Colonial Pipeline’s Joseph Blount Elected Chair of Association of Oil Pipe Lines (AOPL),”
March 7, 2022, https://www.colpipe.com/news/press-releases/colonial-pipelines-joseph-blount-elected-chair-of-association-
of-oil-pipe-lines-aopl, accessed February, 2023.
54 Colonial Pipeline Company, “Colonial Pipeline Names Darrell Riekena Senior Vice President, Chief Information Officer,”
June 14, 2022, https://www.colpipe.com/news/press-releases/colonial-pipeline-names-darrell-riekena-senior-vice-president-
chief-information-officer, accessed February, 2023
55 Colonial Pipeline Company, “Melanie Little Named President & CEO of Colonial Pipeline Company,” December 12, 2022,
https://www.colpipe.com/news/press-releases/melanie-little-named-president-ceo-of-colonial-pipeline-company, accessed
February, 2023.

20
This document is authorized for use only by An Nguyen in INSC 30853 Fundamentals of Cybersecurity taught by LAYNE BRADLEY, ${institution} from Jan 2025 to May 2025.