Colonial Pipeline’s Bitcoin Ransom Mostly Recouped by U.S.

Colonial Pipeline paid about $4.4m in Bitcoin to DarkSide hackers

The U.S. Justice Department announced on Monday that it recovered $2.3 million worth of Bitcoin paid by Colonial Pipeline to DarkSide, the Russia-based ransomware group authorities blame for the most disruptive cyberattack in the U.S. on record.

Deputy Atty. Gen. Lisa Monaco said the Federal Bureau of Investigation on Monday seized the majority of the ransom that Colonial Pipeline paid to hackers who used malware developed by DarkSide, a Russia-linked hacking group, to encrypt and lock up the company's computer systems.

That falls short of the $4.4 million ransom Colonial Pipeline originally paid, in more ways than one. The ransomware variant used by DarkSide, which has been the subject of an FBI investigation since last year, is one of more than 100 that law enforcement officials are now scrutinizing, said FBI Deputy Director Paul Abbate.

Ransomware gangs can move around, do not need much infrastructure to operate and can shield their identities.

The ransom was paid in bitcoins by Colonial Pipeline on the same day it was demanded by DarkSide, a ransomware developer that leases its software for a fee or a share in the proceeds.

The hack caused a shutdown lasting several days, leading to a spike in gas prices, panic buying and localized fuel shortages in the U.S. Southeast.

Despite the success to date of the task force, some $2 million in bitcoin paid to the Colonial hackers remains at large.

Blount is scheduled to appear before Congressional committees on 9 June, where he will provide further detail about the attack, including the firm's decision to pay a ransom to the attackers.

He said he "didn't make [that decision] lightly", but believed "it was the right thing to do for the country". To date, no one behind the Colonial Pipeline attack has been publicly indicted, and the hackers still made off with a small portion of the ransom. Sometimes stolen data is more valuable to ransomware criminals than the leverage they get from a network shell, because some victims are reluctant to see their confidential information published online.

But the difficulties of taking down ransomware gangs and other cybercriminals have always been clear.

The bureau has been investigating DarkSide, a Russia-based criminal group, since last year, but Abbate said it is only one of hundreds the FBI is looking into.

First surfacing on Russian language hacking forums in August 2020, DarkSide is a ransomware-as-a-service platform that vetted cybercriminals can use to infect companies with ransomware and carry out negotiations and payments with victims.

Specifically, officials said they were able to obtain a virtual key that unlocked the contents of the wallet.

"The old adage 'follow the money' still applies," Deputy Attorney General Lisa Monaco told a press conference in Washington. "And that's exactly what we do."

The FireEye-owned subsidiary is now assisting Colonial Pipeline with the incident response efforts following a ransomware attack on May 7 that led to the company halting its operations for almost a week.

A public-private task force including Microsoft and Amazon made similar suggestions in an 81-page report that called for intelligence agencies and the Pentagon's U.S. Cyber Command to work with other agencies to "prioritize ransomware disruption operations". Last month, The Wall Street Journal reported the group made nearly $60 million in seven months, including $46 million in the first three months of this year.