WASHINGTON—The pipeline company hit by a multimillion-dollar ransomware attack last month is still working to fully restore some of its computer systems, its chief executive told lawmakers Tuesday, as he defended his decision to pay hackers a ransom.

Joseph Blount of Colonial Pipeline Co. confirmed that investigators believe Russia-based hackers broke into his company’s computer system by logging into an out-of-use virtual private network that lacked the routine requirement that the user provide a second method of identity verification, such as a code sent to a registered phone number. A virtual private network, or VPN, enables employees to access corporate networks remotely and can provide some security protections.

“We are deeply sorry for the impact that this attack had,” Mr. Blount told the Senate Homeland Security Committee. During the hearing, he faced sharp questions from Democrats and Republicans about Colonial Pipeline’s cybersecurity practices, his decision to pay the hackers more than $4 million in the cryptocurrency bitcoin and the company’s communication with federal authorities during the hack.

U.S. Deputy Attorney General Lisa Monaco said investigators have recovered more than $2 million in cryptocurrency paid in ransom to hackers responsible for the Colonial Pipeline shutdown in early May. Photo: Jonathan Ernst/Getty Images The Wall Street Journal Interactive Edition

Mr. Blount sat before the Senate panel one month after the attack on the company’s business computer systems prompted Colonial Pipeline to shut down the 5,500-mile pipeline pumping gasoline, diesel, jet fuel and other refined products from the Gulf Coast to Linden, N.J. The six-day shutdown spurred a run on gasoline along parts of the East Coast that pushed prices to the highest levels in more than six years and left thousands of gas stations without fuel.

On Monday, the Justice Department said authorities had recovered roughly $2.3 million in digital currency paid to the hackers, a suspected Russian gang known as DarkSide. The attack has prompted senior Biden administration officials to warn that ransomware represents an elevated national security risk. President Biden is due to meet with Russian President Vladimir Putin next week and has said he intends to discuss ransomware attacks as a top area of concern.

SHARE YOUR THOUGHTS

Do you think it’s a good idea for companies to pay a ransom? Join the conversation below.

Much of the hearing focused on Colonial’s decision to pay the hackers that seized its systems. Mr. Blount said the company initiated the payment on May 8, a day after the discovery of the hack. The Federal Bureau of Investigation officially discourages victims from paying ransoms because doing so can foster a booming criminal marketplace and often won’t lead to a restoration of systems.

“I made the decision to pay, and I made the decision to keep the information about the payment as confidential as possible,” Mr. Blount said. While the decryption keys the hackers provided in exchange for the payment were somewhat “advantageous,” they didn’t work perfectly and didn’t provide for an immediate restoration of the pipeline’s services, he said.

Digital extortion schemes now routinely tally into the tens of millions of dollars, according to U.S. officials and security companies that track ransomware.

Senior U.S. officials have acknowledged that companies often have little choice but to pay steep ransoms, but some lawmakers have said in recent weeks they may be open to considering legislation that could make payments in some cases illegal, or requiring companies to disclose when they make a ransom payment to hackers.

Energy Secretary Jennifer Granholm said Sunday on NBC that she was supportive of a ban on ransomware payments, but added, “I don’t know whether Congress or the president is at that point.”

Sen. Rob Portman, the top Republican on the Senate committee, asked Mr. Blount whether certain cybersecurity requirements could be helpful for critical infrastructure operators. “Anything that can help industry have better security practices standards to follow would be extremely helpful,” Mr. Blount replied.

Write to Dustin Volz at dustin.volz@wsj.com