The Justice Department has recovered most of the $4.4 million cryptocurrency ransom that Colonial Pipeline paid to the Russia-based DarkSide ransomware hacker group last month.
“Ransomware and digital extortion pose a national security and an economic security threat to the United States. The Department of Justice, with our partners, is committed to using all the tools at our disposal to disrupt these networks and the abuse of the online infrastructure that allows this threat to persist,” Deputy Attorney General Lisa Monaco said Monday. “The sophisticated use of technology to hold businesses and even whole cities hostage for profit is decidedly a 21st-century challenge — but the old adage ‘follow the money’ still applies. And that’s exactly what we do.”
Monaco added: “After Colonial Pipeline’s quick notification to law enforcement and pursuant to a seizure warrant issued by the United States District Court for the Northern District of California earlier today, the Department of Justice has found and recaptured the majority of the ransom Colonial paid to the DarkSide network in the wake of last month’s ransomware attack. Ransomware attacks are always unacceptable, but when they target critical infrastructure, we will spare no effort in our response.”
The DarkSide ransomware attack last month forced Colonial Pipeline to halt pipeline operations while it dealt with the incident. The pipeline, which begins in Texas and transports gasoline and jet fuel to the East Coast and the southeastern U.S., was responsible for delivering up to 45% of fuel for the East Coast. President Joe Biden declared a state of emergency on May 9 related to the fuel disruption, and what was likely the largest cyberattack on U.S. infrastructure yet led to a nearly weeklong shutdown.
Biden said in May that the ransomware hack of the Colonial Pipeline by the DarkSide gang wasn’t directed by the Kremlin, saying: “We don’t believe the Russian government was involved in this attack, but we have strong reason to believe the criminals who did the attack are living in Russia.”
Biden said members of the Russian government “have some responsibility to deal with this” because DarkSide was operating inside Russia. The White House said it has been in “direct communication” with Moscow, calling on Russian President Vladimir Putin’s government to take action against the ransomware attackers.
Joseph Blount, the Colonial Pipeline CEO, said he had approved a $4.4 million ransomware payment.
“I know that’s a highly controversial decision,” he said. “I didn’t make it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this. … But it was the right thing to do for the country.”
DarkSide operates as a ransomware-as-a-service group: it rents its malware and infrastructure to affiliates who carry out attacks on organizations and entities in the U.S. and around the world, and the FBI confirmed last month that the group was responsible for the pipeline attack. Monaco said that “DarkSide and its affiliates have been digitally stalking U.S. companies for the better part of last year, and indiscriminately attacked victims that include key players in our nation’s critical infrastructure.”
Monaco added: “Today, we turned the tables on DarkSide. By going after the entire ecosystem that fuels ransomware and digital extortion attacks — including criminal proceeds in the form of digital currency — we will continue to use all of our tools and all of our resources to increase the cost and consequences of ransomware attacks and other cyber-based attacks.” The deputy attorney general said it was the first of its kind operation by DOJ’s recently launched Ransomware and Digital Extortion Task Force.
The Justice Department said Monday that it had seized 63.7 bitcoins currently valued at roughly $2.3 million after Colonial had paid the hackers approximately 75 bitcoins in early May. The DOJ said that “law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim’s ransom payment, had been transferred to a specific address, for which the FBI has the ‘private key,’ or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address.”
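The “track multiple transfers of bitcoin” step in the DOJ statement above is, at its core, a traversal of the public transaction graph that follows the victim's coins through successive transactions. The following is an added Python example, not code from the article, the DOJ or the FBI: it builds a small constructed ledger (the transaction ids, addresses and all amounts except the 75 and 63.7 BTC figures are invented for illustration) and runs a proportional, or “haircut”, taint-propagation pass over it, so that every address ends up with the fraction of its balance traceable to the ransom address.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    """A simplified transaction: inputs spend from addresses, outputs pay to addresses.
    Amounts are in BTC. A transaction with no inputs is treated as new coin (coinbase)."""
    txid: str
    inputs: list   # [(address, amount_btc), ...]
    outputs: list  # [(address, amount_btc), ...]


# Constructed sample ledger (hypothetical ids/addresses, not real chain data).
# The victim pays 75 BTC to the ransom address; the proceeds are then split
# between an affiliate share and an operator share, mixed with unrelated clean
# coin, and finally moved toward an exchange.
SAMPLE_TXS = [
    Tx("t0", [], [("victim", 75.0), ("clean", 10.0)]),           # funding (coinbase-like)
    Tx("t1", [("victim", 75.0)], [("ransom", 75.0)]),             # the ransom payment
    Tx("t2", [("ransom", 75.0)], [("affiliate", 11.3), ("operator", 63.7)]),
    Tx("t3", [("operator", 63.7), ("clean", 10.0)], [("mix1", 50.0), ("mix2", 23.7)]),
    Tx("t4", [("mix1", 50.0)], [("exchange", 50.0)]),
]


def trace_taint(txs, source_addr):
    """Replay the ledger in order and propagate 'taint' (coins traceable to
    source_addr) proportionally through every transaction.

    Returns (balance, tainted): two dicts mapping address -> BTC currently held
    and BTC of that balance attributable to the source. Any coin that arrives at
    source_addr is considered fully tainted; when an address spends, it spends
    tainted and untainted coin in the same ratio it holds them (haircut rule);
    the tainted share of a transaction's inputs is spread across all outputs
    (and the fee) in proportion to their value.
    """
    balance = defaultdict(float)
    tainted = defaultdict(float)

    for tx in txs:
        total_in = 0.0
        taint_in = 0.0
        for addr, amt in tx.inputs:
            if amt > balance[addr] + 1e-9:
                raise ValueError(f"{tx.txid}: {addr} spends more than it holds")
            fraction = tainted[addr] / balance[addr] if balance[addr] > 0 else 0.0
            spent_taint = amt * fraction
            balance[addr] -= amt
            tainted[addr] = max(0.0, tainted[addr] - spent_taint)
            total_in += amt
            taint_in += spent_taint

        # Share of the inputs that is tainted; coinbase transactions carry none.
        out_fraction = taint_in / total_in if total_in > 0 else 0.0

        for addr, amt in tx.outputs:
            balance[addr] += amt
            # Everything that lands on the ransom address is ransom proceeds.
            tainted[addr] += amt if addr == source_addr else amt * out_fraction

    return dict(balance), dict(tainted)


def top_tainted(txs, source_addr):
    """Addresses that still hold tainted coin, most tainted first: the list an
    investigator would look at to decide where a seizure warrant should point."""
    balance, tainted = trace_taint(txs, source_addr)
    holders = [(a, round(tainted[a], 8)) for a in balance if balance[a] > 0 and tainted[a] > 0]
    return sorted(holders, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for addr, amt in top_tainted(SAMPLE_TXS, "ransom"):
        print(f"{addr:10s} holds {amt:.4f} BTC traceable to the ransom payment")
```

The haircut rule is one of several heuristics (first-in-first-out and “poison”, which marks any output touched by tainted coin as fully tainted, are others), and all of them are defeated to some degree by CoinJoin-style mixing, where a single transaction deliberately pools many unrelated inputs; in practice blockchain analysts combine graph tracing with address clustering and exchange records rather than relying on proportional arithmetic alone.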
Biden national security adviser Jake Sullivan said during a Monday press conference that the administration considers ransomware a national security priority.
Research released last month by the British blockchain analytics firm Elliptic showed that DarkSide had received an estimated $90 million in bitcoin ransom payments over the past nine months from dozens of online victims. The firm said that the average amount that DarkSide received from 47 online victims was approximately $1.9 million.
DOJ officials said Monday that they had identified roughly 90 DarkSide victims from the past year.
Last month, the threat intelligence firm Intel 471 confirmed that DarkSide had closed down its operations after losing access to its online servers and having the funds in its cryptocurrency wallets withdrawn. The hackers also blamed “pressure from the U.S.” for shutting down, according to a note from the group obtained by Intel 471.
“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for our motives,” DarkSide said. “Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
The hacking group claimed it had plans to donate some of its profits to charity, adding, “No matter how bad you think our work is, we are pleased to know that we helped change someone’s life… Today we sended [sic] the first donations.”
Biden signed a new cybersecurity executive order in May, and it named three recent prominent cyberattacks, SolarWinds, Colonial Pipeline, and Microsoft Exchange, with a White House fact sheet saying that those “recent cybersecurity incidents … are a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals.”
The U.S. has said Russian intelligence is behind the SolarWinds hack and that a Russian hacker gang is behind the Colonial Pipeline attack, but the government has not publicly attributed the Microsoft Exchange hack to anyone, though cybersecurity experts believe Chinese hackers were behind it.