About half of the ransom that was taken last month from Colonial Pipeline by the ransomware hacker group DarkSide has been seized back, announced the Department of Justice on June 7.
The total taken back amounts to 63.7 bitcoin, currently worth about $2.3 million. The Department of Justice believes these seized funds were the ones paid to the hacker gang on May 8, a day after Colonial Pipeline was attacked.
Colonial Pipeline was the victim of a widely publicized ransomware attack by the hacker group DarkSide in early May, which forced the company to shut down parts of its pipeline along the East Coast of the U.S. Colonial Pipeline paid the group just under $5 million in ransom at the time.
The funds were partially recovered by a number of official divisions that all coordinated through the Department’s Ransomware and Digital Extortion Task Force, which was created with the sole purpose of combating the increasing number of ransomware and digital extortion attacks.
Breaking news conference by DOJ on the Colonial ransomware incident https://t.co/PVS4cVaNnQ — Chris Bing (@Bing_Chris) June 7, 2021
"Cyber criminals are employing ever more elaborate schemes to convert technology into tools of digital extortion," said Acting U.S. Attorney for the Northern District of California Stephanie Hinds in a statement. "We need to continue improving the cyber resiliency of our critical infrastructure across the nation."
Creating task forces like the aforementioned one is one way of improving the U.S.'s cyber resiliency.
How the money was taken back
The FBI was allegedly able to gain access to the "private key" — the secret that lets whoever holds it spend the wallet's funds, much like a password or physical key — for one of the hacker gang's bitcoin wallets. No information about how the feds got access to the private key was shared.
The team followed the trail of where the illicit funds went, found part of it, and seized it. "Following the money remains one of the most basic, yet powerful tools we have," said Deputy Attorney General Lisa Monaco for the U.S. Department of Justice.
"Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises. We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks," she continued.
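"Following the money" on a public blockchain means walking the transaction graph from the ransom payment outward and working out how much of each downstream balance is derived from the illicit funds. The following Python example, added here and not code from the DOJ, FBI, Elliptic or the original article, shows one common analytics heuristic (proportional or "haircut" tainting, where each output inherits the same tainted fraction as the inputs that funded it) over a constructed toy ledger. Every address, transaction id and amount in it is invented; none corresponds to the real Colonial Pipeline payment.

```python
from collections import deque

# Constructed toy ledger for illustration only; the addresses, txids and
# amounts are invented and are not the real Colonial Pipeline transactions.
# Each entry spends the entire balance of every input address (bitcoin spends
# whole outputs) and distributes it across the listed outputs; any shortfall
# between inputs and outputs is the miner fee.
LEDGER = [
    {"txid": "tx2", "inputs": ["ransom_addr"],
     "outputs": {"affiliate": 63.7, "developer": 11.3}},          # affiliate/developer split
    {"txid": "tx3", "inputs": ["developer", "clean_funds"],
     "outputs": {"mixed_a": 15.65, "mixed_b": 15.65}},             # illicit and clean funds mixed
    {"txid": "tx4", "inputs": ["affiliate"],
     "outputs": {"seized_wallet": 63.69}},                         # 0.01 paid as fee
]

# Starting state (constructed): the ransom landed in ransom_addr and is fully
# tainted; clean_funds is unrelated money that is later co-spent with it.
START_BALANCES = {"ransom_addr": 75.0, "clean_funds": 20.0}
START_TAINT = {"ransom_addr": 75.0}


def trace_taint(ledger, balances, tainted):
    """Propagate tainted value through the ledger in order.

    Each output receives amount * (tainted inputs / total inputs), so a
    transaction that mixes illicit and clean money dilutes, but never
    erases, the taint. Returns the tainted value still held at unspent
    addresses, which is what an investigator would seek to freeze or seize.
    """
    balances = dict(balances)
    tainted = dict(tainted)
    for tx in ledger:
        total_in = sum(balances.get(a, 0.0) for a in tx["inputs"])
        taint_in = sum(tainted.get(a, 0.0) for a in tx["inputs"])
        if total_in <= 0:
            continue  # inputs already spent or unknown; skip malformed entry
        ratio = taint_in / total_in
        for a in tx["inputs"]:      # inputs are fully consumed
            balances[a] = 0.0
            tainted[a] = 0.0
        for addr, amt in tx["outputs"].items():
            balances[addr] = balances.get(addr, 0.0) + amt
            tainted[addr] = tainted.get(addr, 0.0) + amt * ratio
    return {a: round(t, 8) for a, t in tainted.items()
            if balances.get(a, 0.0) > 0 and t > 0}


def path_to(ledger, start, target):
    """Breadth-first search over the address graph; returns the list of txids
    that carried value from `start` to `target`, or None if unreachable."""
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        addr, path = queue.popleft()
        if addr == target:
            return path
        for tx in ledger:
            if addr in tx["inputs"]:
                for out in tx["outputs"]:
                    if out not in seen:
                        seen.add(out)
                        queue.append((out, path + [tx["txid"]]))
    return None


if __name__ == "__main__":
    holdings = trace_taint(LEDGER, START_BALANCES, START_TAINT)
    for addr, amount in sorted(holdings.items()):
        print(f"{addr:14s} holds {amount:.2f} BTC of traced ransom value "
              f"via {path_to(LEDGER, 'ransom_addr', addr)}")
    print(f"total still traceable: {sum(holdings.values()):.2f} BTC")
```

On the toy ledger the affiliate's share sits untouched in `seized_wallet`, so it is fully attributable to the ransom, while the developer's share has been co-spent with clean money and each of the two mixed outputs is only about a third tainted; the small gap between the 75 BTC paid and the total traced is the miner fee. Real investigations use the same graph walk over actual chain data, with exchange deposit addresses as the usual point where a seizure or freeze becomes possible.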
Ransomware attacks are surging around the world, and the cryptocurrency analytics firm Elliptic previously identified that the DarkSide group alone managed to extort the equivalent of $90 million in bitcoin since it was first discovered in October.
As Elliptic states in its blog, DarkSide operates as "Ransomware as a Service," meaning the core group creates the malware, while a ransomware affiliate infects the targeted computer system and negotiates the ransom details with the victim. The affiliate and the ransomware developer then split the proceeds in one of several possible ways.
This latest seizure of funds by the FBI and the Department of Justice will hopefully deter future ransomware attackers, but it's only the start of a long journey.