The Justice Department Strikes Back and Recovers Ransom Paid by Colonial Pipeline
You just can’t make this stuff up – the Justice Department, displaying its growing sophistication in the cyber world, announced it recovered most of the ransom paid to the criminal hackers who attacked Colonial Pipeline Co. (Colonial). As you will recall, Colonial’s pipeline had been the victim of a cyberattack resulting in a shutdown of a critical supplier of gasoline, diesel and jet fuel.
Colonial paid the criminal hackers’ ransomware demand of 75 bitcoins to restore its pipeline operations. Federal law enforcement quickly recovered 63.7 bitcoins, which were worth approximately $2.3 million, from the criminal group known as DarkSide, based in Russia. The criminal hackers orchestrated the attack on Colonial’s computer network and infiltrated Colonial’s system to embed ransomware, resulting in the freezing of Colonial’s pipeline on the east coast.
Colonial paid DarkSide a total of 75 bitcoins on May 8, 2021 to restore its pipeline service. DarkSide also threatened to release sensitive data to the public. At the time, the ransom payment was worth a total of $4.4 million, but the price of bitcoin dropped significantly after the cyberattack.
Federal law enforcement traced DarkSide’s bitcoin transactions by reviewing transactions on bitcoin’s blockchain, its public ledger. During the review, law enforcement identified 63.7 bitcoins that were located in a digital wallet linked to one of the members of DarkSide. To access the digital wallet, the FBI obtained a private key to recover the funds. It is not clear how the FBI obtained the private key to the digital wallet.
The FBI’s seizure was the first time that federal law enforcement recovered a ransomware payment since DOJ announced the creation of the Ransomware and Digital Extortion Task Force in April 2020. The Task Force was created to target ransomware attacks and actors, and to recover ill-gotten gains.
In the last year, ransomware attacks have been carried out against a variety of organizations, including COVID-19 vaccine researchers, businesses, hospitals, and schools. The latest victim was JBS, a global meat processing company, which was attacked by another Russian-based group, REvil.
The key to the recovery was the fact that Colonial promptly reported the cyberattack to law enforcement. In past years, Congress has tried to enact a notification requirement on private businesses but has been unable to overcome lobbying efforts by business and high-tech companies against such a requirement.
The Colonial case is an example of how prompt notification of law enforcement led to the recovery of the ransomware payment. The problem of ransomware attacks is growing quickly – victims in 2020 paid over $400 million to cyber criminals to lift a ransomware freeze on a company’s operations or avoid release of sensitive personal data.
The Justice Department and the FBI have urged businesses that fall victim to an attack to report the incident as soon as possible to maximize the possibility of recovering any ransomware payment. Colonial quickly notified the FBI after the attack, and DOJ prosecutors and FBI agents responded to coordinate Colonial’s response to the cyberattack.