DoJ recovers 'majority' of ransom paid by Colonial Pipeline

Department of justice sign on a building — (Image credit: Shutterstock)

The Department of Justice (DoJ) has recovered 63.7 Bitcoins ($2.3 million) paid out by Colonial Pipeline to the DarkSide ransomware gang.

Deputy Attorney General Lisa Monaco said this "demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises."

Colonial Pipeline CEO confirms $4.4 million payment to DarkSide hackers DarkSide hackers have raked in more than $90 million in Bitcoin US to give ransomware 'terrorism' status

"We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks. Today's announcements also demonstrate the value of early notification to law enforcement; we thank Colonial Pipeline for quickly notifying the FBI when they learned that they were targeted by DarkSide," she said.

In a filed affidavit, the FBI said it was able to track multiple transfers of Bitcoin and identify 63.7 Bitcoins, representing the "majority" of the victim's ransom payment. This had been transferred to a specific address, for which the FBI had the "private key" to access this specific Bitcoin address.

A judge in San Francisco then approved the seizure of funds from this cryptocurrency address.

Colonial Pipeline previously admitted it had paid hackers $4.4 million to regain access to its systems after consulting experts who have dealt with the DarkSide hacking group.

Ilia Kolochenko, founder of ImmuniWeb, and a member of Europol Data Protection Experts Network told IT Pro that the seizure sends a message that the DoJ now has tolerance-zero for ransomware gangs.

"The seizure continues the previously announced efforts to combat surging ransomware and is likely to be a first palpable step to deter cybercriminals. Importantly, the DoJ will certainly need more funding to gradually expand its cybercrime prosecution unit (CCIPS) and foster interagency collaboration," he said.

"Moreover, international cooperation is essential to curb surging ransomware attacks, including baseline cooperation with traditionally hostile jurisdictions. Otherwise, even though uncovered, the perpetrators will likely enjoy impunity due to missing extradition treaties with foreign jurisdictions."

Chris Grove, product evangelist at Nozomi Networks, added that the joint action and collaboration by the government and National Cyber Investigative Joint Task Force is exactly what defenders are asking for.

"Defending against run-of-the-mill threats is affordable, and achievable. Some threats rise to a new level and must be dealt with differently. While it's great that the government recovered some of the $4.4 million paid by Colonial Pipeline, we can't lose sight of the fact that while Colonial is a happier ending story, there are dozens of victims we can also discuss who haven't fared as well. Not to mention 100s we know about, but can't discuss, and another 1,000 that we don't even know about," he said.

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.