JUNE 8, 2021
The U.S. has recovered much of the ransom payment that the Russian hacker group DarkSide extorted from Colonial Pipeline earlier this year, the Justice Department said Monday.
The announcement details a rare disruption of the cryptocurrency payment systems favored by hackers, which have enabled ransomware efforts around the world.
The FBI was able to seize control of DarkSide’s proceeds by gaining access to a central bitcoin account holding about 63.7 bitcoin, worth around $2.3 million, FBI Deputy Director Paul Abbate said. A court document detailed that the seizure took place in Northern California, putting it within reach of U.S. law. It was unclear why the hackers didn’t immediately move their funds to make them more difficult for the U.S. government to seize, as most cybercriminals do.
DarkSide hacked into Colonial in April as part of a months-long crime spree, leading the company to shut down operations. The group demanded a $4.4 million ransom, which the company quickly paid.
The pipeline’s systems came back online five days after the initial hack.
“Today we turned the tables on DarkSide,” Deputy Attorney General Lisa Monaco said in a press conference.
“Ransomware attacks are always unacceptable, but when they target critical infrastructure we will spare no effort in our response,” she said.
Ransomware gangs are responsible for more than 1,000 hacks worldwide this year, mostly in the U.S., according to figures prepared for NBC News by Allan Liska, an analyst at the cybersecurity company Recorded Future.
Most attacks are on smaller targets, but the Colonial hack was the first to have a direct effect on everyday American life. The threat of a major pipeline shutdown led to the U.S. issuing an emergency order for truckers to work overtime delivering fuel, and some gas stations reported shortages as drivers rushed to the pumps.
Jen Ellis, a coauthor of a landmark Ransomware Task Force report studying how to slow the pace of ransomware attacks, praised the DOJ’s announcement as “fantastic news.”
“This kind of collaboration between victims and law enforcement is exactly what we need to see,” Ellis said.
“Hopefully if we see actions like this continue, it will encourage other victims to disclose attacks to law enforcement, and also make it harder for ransomware attackers to realize a pay day,” she said.
The recovered payment that the Justice Department announced Monday is still a small fraction of what DarkSide has been able to steal since the gang became active around October 2020, said Tom Robinson, CEO of Elliptic, a British company that tracks bitcoin payments. The gang had been paid at least $90 million since it became active, Robinson said in an email.