The Department of Justice has recovered a significant portion of the Bitcoin ransom that the Colonial Pipeline Co. paid to the DarkSide ransomware actors who targeted the company last month.
The department obtained a seizure warrant to remove about 63.7 Bitcoin from a wallet housed on a computer in Northern California, a sum equivalent to about $2.3 million at the time of the seizure. The operation was the work of the Ransomware and Digital Extortion task force, which includes members from the FBI, the Executive Office of United States Attorneys, and the Department of Justice, and it’s the first incident in which the task force was able to trace and recover ransom funds.
Colonial Pipeline officials notified the FBI on May 8 that the DarkSide actors had demanded a payment of 75 Bitcoin, which the company later paid. The FBI was able to trace the payment and identify the wallet in which about 63 of the Bitcoin eventually wound up. The bureau was able to obtain the private key for the wallet and on Monday used the warrant to seize the funds.
“The old adage, ‘follow the money,’ still applies. When they target critical infrastructure, we will spare no effort in our response. Today we turned the tables on DarkSide by going after the entire ecosystem that fuels this, and we will continue to increase the cost of doing business for these attackers,” Deputy Attorney General Lisa Monaco said during a press conference Monday.
The attack on Colonial Pipeline’s network disrupted the distribution of fuel in several southern states in early May, and it seems to have marked something of a turning point in the way the federal government approaches ransomware attacks in general and intrusions on critical infrastructure networks in particular. The attack drew the attention of the White House, and last week Monaco issued a memorandum instructing all federal prosecutors to file urgent notifications for any new ransomware incident in their jurisdictions. The U.S. government is now treating ransomware as a whole as a national security threat, and Monaco advised enterprises to consider it an existential threat to their business.
“Pay attention now. Invest resources now. Failure to do so may be the difference between being secure now and being attacked later,” she said.
“There is no higher priority for the Department of Justice than using all of our available tools to protect our nation from threats.”
Disrupting the payment ecosystem is one of several tactics that researchers, law enforcement, and government agencies have been pursuing as a way to deter ransomware actors and break their business model. That is much easier said than done, given that essentially all ransoms are paid in cryptocurrency, and law enforcement agencies have historically had a hard time tying specific payments to specific wallets. That has been changing of late, however, and in the Colonial Pipeline case the FBI seems to have caught a break when the ransom eventually landed in a wallet housed on a computer in the U.S. Much of the infrastructure used in ransomware attacks and payments is located outside of the U.S., as are the vast majority of the actors, which makes it quite difficult for U.S. officials to reach them. The Colonial Pipeline case was the rare exception.
“Today we deprived a cybercriminal enterprise of the object of their conspiracy. Cutting off access to revenue is one of the most impactful consequences we can impose,” said Paul Abbate, deputy director of the FBI.
However, relying on attackers’ mistakes is not a long-term solution to the ransomware problem, as Monaco acknowledged.
“We may not be able to do this in every instance,” she said.