crisis and response
How a Ransomware
In May 2021, hackers broke into the data networks of Colonial Pipeline, a company that supplies gas through a major pipeline from Texas to New Jersey. The hackers locked out the company’s own IT staff, encrypted huge numbers of business-critical files, and demanded millions of dollars to provide the decryption key.
Not only did this ransomware attack disrupt the daily lives of millions of Americans, it also consumed the work lives of hundreds, even thousands, of people in jobs of all kinds. Read on to find out how this drama played out.
MAY 7: The Attack
4:45 A.M. An employee at Colonial Pipeline discovers a ransom note on a system in the IT network. The note says that hackers have taken files from the company’s data networks, and it demands about $5 million in exchange for the files.
5:55 A.M. The company decides to shut down the entire pipeline network to contain any possible risk of physical harm or damage.
6:10 A.M. Along with the pipeline shutdown, systems throughout the company go offline. Everyone’s job–from billing to administration to communications to personnel–becomes figuring out how to do what they are supposed to do without fully functioning computer networks. The company contacts the FBI.
MAY 8: Ransom Paid
With the help of the FBI, Colonial Pipeline pays a $5 million ransom (in bitcoin) to DarkSide, a cybercriminal group operating out of Russia. The hackers then send Colonial Pipeline a decryption tool to restore their network, but it operates very slowly.
MAY 8: Damage Assessment
The communications team releases an announcement of the attack to news organizations. All departments figure out which systems can still function and which cannot. Colonial Pipeline employees engage with law enforcement, government agencies involved with the energy industry, and clients and customers suddenly cut off from gasoline supplies. The shutdown causes major disruptions to gas delivery up and down the East Coast, as

