U.S. recovers $2.3 million in ransom paid to Colonial Pipeline hackers

U.S. recovers millions in Bitcoin paid in Colonial Pipeline ransom

Washington — The federal government has recovered millions of dollars in cryptocurrency paid in ransom to cybercriminals whose attack prompted the shutdown of the country's largest fuel pipeline and gas shortages across the southeastern U.S. last month, the Department of Justice announced Monday.

On May 8, Colonial Pipeline paid a ransom worth roughly $4.3 million in bitcoin to the Russia-based hacking group known as DarkSide, which had used malicious software to hold the company hostage. Colonial Pipeline CEO Joseph Blount told The Wall Street Journal that the company paid the pricey ransom because the company feared a prolonged shutdown and did not know how long it would take to restore operations.

The ransom allowed Colonial to restore fuel transport through its pipeline, which stretches from Texas to the Northeast and delivers 45% of all fuel consumed on the East Coast. 

Justice Department officials said the FBI was able to track and recover 63.7 bitcoins, currently valued at about $2.3 million. The operation marks a rare ransom recovery for the critical infrastructure company that fell victim to the devastating cyberattack, as the "ransomware-as-a-service" business model booms. It marks the first recovery by the department's new Ransomware Task Force.

"Earlier today, the Department of Justice has found and recaptured the majority of the ransom Colonial paid to the DarkSide network," Deputy Attorney General Lisa Monaco said during a press conference Monday. "Using technology to hold businesses, and even whole cities, hostage for profit is decidedly a 21st-century challenge, but the old adage 'follow the money' still applies."

Justice Department officials said investigators tracked the bitcoins on the cryptocurrency's public ledger and identified the virtual currency account known as a "wallet" used by DarkSide to collect payment. The FBI obtained the wallet's private "key," enabling agents to seize the funds under a court order by a federal judge in the Northern District of California.

"Today, the FBI successfully seized criminal proceeds from a Bitcoin wallet that DarkSide ransomware actors used to collect a cyber ransom payment from a victim," FBI Deputy Director Paul Abbate said. "Since last year, we've been pursuing an investigation into DarkSide, a Russia based cybercrime group. The DarkSide ransomware variant is one of more than 100 ransomware variants that the FBI is currently investigating."

DOJ to prioritize ransomware attacks on the same level as terrorism

Last week, FBI Director Christopher Wray likened the threat of ransomware to the September 11 terrorist attacks. The Justice Department also issued a memo to federal prosecutors elevating ransomware probes to the same priority level as terrorism investigations.

During the Colonial attack, the hackers threatened to publicly release company data, prompting the company to shut down operations. The stoppage led to fuel shortages in more than a dozen states, sending gas prices soaring and threatening to halt airline travel. 

"When Colonial was attacked on May 7, we quietly and quickly contacted the local FBI field offices in Atlanta and San Francisco, and prosecutors in Northern California and Washington D.C. to share with them what we knew at that time," Blount, the CEO, said in a statement following Monday's announcement. "The Department of Justice and FBI were instrumental in helping us to understand the threat actor and their tactics. Their efforts to hold these criminals accountable and bring them to justice are commendable."

Blount is expected to appear before lawmakers on Capitol Hill on Tuesday and Wednesday at his first public hearing since the attack. 

Last week, Russian-associated cyber criminals known as "Revil" employed ransomware in an extortion scheme against JBS, the world's largest meat processor. The attack forced the Brazil-based company to cease cattle-slaughtering operations at 13 of its meat processing plants in the U.S., threatening the U.S. food supply.

The recent onslaught in cyber extortion schemes has prompted emergency White House meetings as U.S. corporations rethink protection against cyberthreats. 

"The move by the Department of Justice to recover ransom payments from the operators who disrupted U.S. critical infrastructure is a welcome development,"John Hultquist, vice president of analysis at Mandiant Threat Intelligence, said in a statement to CBS News. 

"It has become clear that we need to use several tools to stem the tide of this serious problem, and even law enforcement agencies need to broaden their approach beyond building cases against criminals who may be beyond the grasp of the law," Hultquist added. "In addition to the immediate benefits of this approach, a stronger focus on disruption may disincentivize this behavior, which is growing in a vicious cycle."

Last month, the Biden administration said pipeline companies must report cyber incidents to federal authorities. The directive required pipeline owners and operators to designate "a 24/7, always available cybersecurity coordinator" to coordinate with both the Transportation Security Administration and the Cybersecurity and Infrastructure Security Agency in the event of a cyber incident, but fell short of addressing other critical infrastructure sectors.

Energy Secretary Jennifer Granholm said in an interview Sunday that she supports a law banning companies from paying ransom to hackers in cyberspace. Lawmakers have expressed a willingness to consider the measure. But according to Chris Painter, a co-chair of the Ransomware Task Force, such a prohibition on the payment of ransom demands would likely need to be phased in. 

Andy Triay contributed to this report. 

f

We and our partners use cookies to understand how you use our site, improve your experience and serve you personalized content and advertising. Read about how we use cookies in our cookie policy and how you can control them by clicking Manage Settings. By continuing to use this site, you accept these cookies.