Gas shortages at the pumps have spread from the South, all but emptying stations in Washington, D.C., following a ransomware cyberattack that forced a shutdown of the nation's largest gasoline pipeline. Though the pipeline operator paid a ransom, restoring service was taking time.
As Georgia-based Colonial Pipeline reported making "substantial progress" in restoring full service, two people briefed on the matter confirmed that the company had paid the criminals a ransom of about $5 million in cryptocurrency for the software decryption key required to unscramble their data network. The people spoke on condition they not be further identified because they were not authorized to divulge the information. Bloomberg first reported the payment.
Locally, the cyberattack resulted in extra costs for the Hall school system.
Hall County Schools Superintendent Will Schofield said a $3,400 premium was paid to secure a load of diesel from Louisville, Kentucky, which was expected to arrive late Friday. Schofield said this delivery would get them through the end of the school year.
The superintendent said the school system burns between 1,500 and 2,500 gallons of fuel a day with its fleet of 350 buses and fueling tanks across the county.
“The one in East Hall is bone dry,” Schofield said. “We currently have those buses fueling up at the central station there on Atlanta Highway, and so that tank is going down dangerously quickly. If we could get everybody to where the fuel is, there would have been a chance we could have scraped through the end of the year, but with all we’ve been through, that’s the last thing we want our folks to experience.”
Gainesville City School System Chief Operating Officer Adrian Niles said the schools were not adversely affected by the shortages.
“Both our yellow and white fleet continues to function as normal,” Niles wrote in an email.
Hall County Sheriff’s Office spokesman Derreck Booth said the agency’s officers “have been and continue to be in good shape,” adding there is a contingency plan in place if needed.
Gov. Brian Kemp signed an extension Friday, May 14, to the executive order declaring a state of emergency for petroleum shortage. The executive order will expire at 11:59 p.m. Saturday, May 22.
The executive order suspended the gas tax, increased the weight limits for trucks transporting fuel and prohibited price gouging.
"While Colonial Pipeline is now operational, the company has informed the public that it will be a few days until full service is available statewide," Kemp said in a statement. "This executive order will ensure fuel supply chains have every resource needed to deliver gas quickly and safely, and that Georgians aren't hit with state gas taxes at the pump during this shortage. I continue to ask Georgians to only purchase the fuel they need for essential travel through the upcoming weekend."
President Joe Biden, when asked by a reporter on Thursday if he had been briefed about the ransom payment, said "I have no comment on that."
Biden also said that his administration "will pursue a measure to disrupt their ability to operate. And our Justice Department has launched a new task force dedicated to prosecuting ransomware hackers to the full extent of the law."
The attack against Colonial Pipeline was a “particularly nasty type of attack, one that’s being used by cybercriminals primarily, but it’s something that even nation-states deploy,” said Bryson Payne, a professor of computer science and director of UNG's Center for Cyber Operations Education.
“The sad thing is this is hitting people in our communities. If an older person gets their data stolen and gets their computer taken over by a cyberattacker, it can cost them their life savings, their security.”
The Colonial situation has exposed concerns not so much about gas supply as about the public response to a gas crisis.
“It’s not that there’s not enough for everybody,” Payne said. “It’s just not enough for everybody to buy it all right then.”
He continued: “In the United States, most of our critical infrastructure is privately owned. This pipeline, most of our electrical grids are not owned by the government. We have to look at diversifying our critical infrastructure, making sure we have back-ups, making sure that we have redundancies in case one or more suppliers gets attacked like this.”
While some drivers and workers were affected by the shortages, others were able to adjust.
Steve Syfan, co-founder and executive vice president of Syfan Logistics transportation firm, said earlier in the week that pipeline disruptions hadn’t caused any severe issues, such as drivers being stranded.
“We are taking some outer routes, adding miles and costs, to get to where we’re being told there’s fuel — and so far, there has been,” Syfan said. “We’re not going to Texas to get to New York, but we are going up through some of the Midwestern states before we cut into the East Coast just to fuel up and have enough fuel to get out and get back.”
The tracking service GasBuddy.com on Friday showed that 88% of gas stations were out of fuel in the nation's capital, about half were out in Virginia and 42% of Maryland stations were dry. Nearly 70% of stations were without gas in North Carolina, and about half were tapped out in Georgia and South Carolina.
A gas station owner in Virginia said panic buying is the problem.
"It's like a frenzy," Barry Rieger, who owns a gas station in Burke, Virginia, told WJLA-TV.
Colonial said Thursday that operations had restarted and gasoline deliveries were being made in all of its markets, but it would take "several days" to return to normal, and some areas may experience "intermittent service interruptions during this start-up period."
In North Carolina, at least five school systems canceled in-person learning on Friday as the gasoline supply crisis continued. Wake County, with the largest school system in North Carolina, emailed parents citing "the impact of the gas shortage on staffing availability and student transportation."
Businesses were also feeling the sting.
At Dixie Speedway in Woodstock all the maintenance and safety vehicles have to be filled up, but "all the gas stations close to us -- within a mile of us -- are out of gas," said Mia Green, the track's general manager. She's heard of at least a couple of racetracks in the region that canceled upcoming races this weekend because race crews might not be able to get there due to gas shortages.
Many authorities are warning of the dangers of hoarding gas.
In South Carolina, a woman was severely burned after flipping a car that a deputy tried to pull over for a suspected stolen license plate Thursday night. The fire touched off multiple explosions due to fuel "that she was hoarding in the trunk of the vehicle," a Pickens County sheriff's statement said.
In Florida, a 2004 Hummer was destroyed by fire Wednesday shortly after the driver had filled up four 5-gallon gas containers in Homosassa, according to Citrus County Fire Rescue spokeswoman Courtney Marsh. Firefighters doused the blaze and found the melted gas containers. One man was injured, but refused medical treatment, she said.
The cyberattack by hackers who lock up computer systems and demand a ransom to release them hit the pipeline on May 7. The hackers didn't take control of the pipeline's operations, but Colonial shut it down to prevent the malware from impacting its industrial control systems.
Biden said U.S. officials do not believe the Russian government was involved, but said "we do have strong reason to believe that the criminals who did the attack are living in Russia. That's where it came from."
Biden has promised aggressive action against DarkSide, the Russian-speaking ransomware syndicate responsible for the attack. The syndicate's public-facing darknet site went offline on Thursday and its administrator said in a cybercriminal forum post that the group had lost access to it.
This does not necessarily mean U.S. or allied cyberjockeys knocked it offline. Cybersecurity experts said that DarkSide, which rents out its ransomware to partners to carry out the actual attacks, could have taken it down to prevent Western law enforcement from tracking down the rest of its infrastructure.
And just because DarkSide's public-facing structure is offline doesn't mean its backend operations have been impacted, said Alex Holden, the founder of Hold Security, who closely monitors the cybercriminal underground.
"DarkSide's main servers are alive," said analyst Yelisey Boguslavskiy of the cybersecurity firm Advanced Intelligence. While the servers are hidden, encrypted traffic to and from them is being monitored by threat hunters, he said.
DarkSide stole information from Colonial's network prior to locking up the data on Friday. It's not known how long the cybercriminals were inside the network. DarkSide is among the ransomware gangs that employ double extortion, threatening to dump online sensitive data they steal before activating the ransomware. In Colonial's case, that could potentially include data on contracts with suppliers that would be of keen interest to stock and commodities traders.
DarkSide, in fact, recently offered to share data stolen from victims with inside traders.
It would not be surprising if DarkSide were to disappear, experts noted. Ransomware gangs have dissolved and 'rebranded' under different names in the past when the heat was on.
The Colonial Pipeline system stretches from Texas to New Jersey and delivers about 45% of the gasoline consumed on the East Coast.
The Associated Press contributed to this report.