Deputy Attorney General Lisa Monaco said Monday, “Earlier today, the Department of Justice has found and recaptured the majority of the ransom Colonial paid to the Darkside network in the wake of last month’s ransomware attack. Ransomware attacks are always unacceptable, but when they target critical infrastructure, we will spare no effort in our response.”
On May 8, Colonial Pipeline paid a ransom worth roughly $4.3 million in bitcoin to the Russia-based hacking group known as DarkSide, which had used malicious software to hold the company hostage. Colonial Pipeline CEO Joseph Blount told The Wall Street Journal that the company paid the pricey ransom because it feared a prolonged shutdown and did not know how long it would take to restore operations.
The ransom allowed Colonial to restore fuel transport through its pipeline, which stretches from Texas to the Northeast and delivers 45% of all fuel consumed on the East Coast.
The Colonial Pipeline hack was carried out by DarkSide actors, the FBI said in a brief statement days after the attack. Justice Department officials said investigators tracked the bitcoins on the cryptocurrency’s public ledger and identified the virtual currency account, known as a “wallet,” that DarkSide used to collect payment.
Officials from the Justice Department said the FBI was able to track and recover 63.7 bitcoins, currently valued at about $2.3 million. The FBI was able to obtain the wallet’s private “key,” enabling agents to seize the funds under a court order issued by a federal judge in the Northern District of California.
“The message today is we will bring all of our tools to bear, to go after these criminal networks, including the ecosystem and the illicit and the abuse, frankly, of the online infrastructure that they use in terms of the digital currency to perpetrate these schemes,” Deputy A.G. Monaco added.
The operation marks a rare ransom recovery for a critical infrastructure company that fell victim to a devastating cyberattack, at a time when the “ransomware-as-a-service” business model is booming. It is the first recovery by the department’s new Ransomware Task Force.