The US Department of Justice has tracked down and recovered 63.7 bitcoin of the ransom from a wallet allegedly used by the hackers who extorted Colonial Pipeline. The ransomware attack had caused widespread gas shortages.
With cooperation from Colonial, the DOJ got a warrant in a federal court in California and successfully “found and recaptured the majority of the ransom” from a bitcoin wallet, Deputy Attorney General Lisa Monaco announced on Monday. It was the first seizure of this kind ever, she said.
Colonial’s CEO admitted last month the company had paid a ransom in cryptocurrency – estimated at US$ 4.4 million at the time – and argued: “it was the right thing to do for the country.”
Asked by reporters what may have happened to the other part of the ransom – estimated at US$ 2 million – Monaco brushed off the question, circling back to her announcement that this was the first time that the DOJ’s Ransomware and Digital Extortion Task Force had seized a bitcoin ransomware payment.
Just because they were able to recover some of the funds this time, she cautioned, doesn’t mean they will be able to do so in every case. If a company chooses to ignore the FBI’s advice and pay a ransom anyway, it should come forward and work with law enforcement if it wants to get some of the money back.
FBI Deputy Director Paul Abbate described DarkSide, the alleged authors of the ransomware that was used in the attack, as a “Russia-based cybercrime group,” offering no evidence for the claim.
The cybersecurity company Elliptic announced on May 17 that it had tracked down 47 distinct cryptocurrency wallets used by DarkSide, which had processed at least US$ 90 million worth of bitcoin before they were suddenly closed under pressure from US authorities. About 80% of the money was sent to criminal affiliates, with DarkSide keeping US$ 15.5 million as payment for the ransomware it allegedly developed.
The pipeline that runs from Texas to New York supplies much of the southeastern US with fuel. Its weeklong shutdown in mid-May, due to the ransomware attack on its invoicing systems, left millions of Americans queuing up at gas stations. The Biden administration denied there was a shortage while denouncing “hoarders” and price-gouging.
Hackers were able to access Colonial’s servers using a single password for an account on a ‘legacy’ virtual private network (VPN), Charles Carmakal of the cybersecurity company Mandiant, which consulted on the breach, reported. Colonial confirmed that this particular VPN was not “routinely” used and that only a handful of employees had access to it.
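The access route described above, a rarely used legacy VPN on which one password was enough to connect, is the kind of exposure a routine account review is meant to surface. The script below is an added example, not code from the article, Mandiant or Colonial: it assumes a hypothetical export of VPN accounts with a profile name, an MFA flag and a last-login date (the field names and the sample records are constructed), and it flags accounts that sit on a legacy profile, lack MFA, or have gone dormant, so that dormant single-factor access can be disabled rather than left in place.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Hypothetical shape of one row from a VPN account export (constructed for this example).
@dataclass
class VpnAccount:
    username: str
    profile: str                 # e.g. "legacy-ipsec" or "current-sso"
    mfa_enabled: bool
    last_login: Optional[date]   # None = never logged in

LEGACY_PROFILES = ("legacy-ipsec",)   # assumed name of the retired VPN profile


def review_vpn_accounts(accounts: List[VpnAccount], today: date,
                        dormant_days: int = 90) -> Dict[str, List[str]]:
    """Return {username: [reasons]} for every account that needs attention.

    An account with no reasons is omitted, so an empty dict means a clean export.
    """
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        reasons = []
        if not acct.mfa_enabled:
            reasons.append("no MFA: a single password is sufficient to connect")
        if acct.profile in LEGACY_PROFILES:
            reasons.append("on a legacy VPN profile")
        if acct.last_login is None or (today - acct.last_login) > timedelta(days=dormant_days):
            reasons.append(f"dormant for more than {dormant_days} days")
        if reasons:
            findings[acct.username] = reasons
    return findings


def recommended_action(reasons: List[str]) -> str:
    """Map a finding to the action a reviewer would take.

    Dormant access that is also single-factor or on a legacy profile has no
    business justification left and should be disabled outright; an active
    account that merely lacks MFA gets MFA enforced.
    """
    dormant = any(r.startswith("dormant") for r in reasons)
    weak = any(r.startswith("no MFA") or r.startswith("on a legacy") for r in reasons)
    if dormant and weak:
        return "disable account"
    if dormant:
        return "confirm still needed, else disable"
    return "enforce MFA / migrate off legacy profile"


# Constructed sample export; not real Colonial data.
SAMPLE_ACCOUNTS = [
    VpnAccount("jdoe", "current-sso", True, date(2021, 6, 1)),
    VpnAccount("contractor7", "legacy-ipsec", False, date(2020, 11, 3)),
    VpnAccount("ops-share", "legacy-ipsec", False, None),
    VpnAccount("asmith", "current-sso", False, date(2021, 5, 28)),
]
REVIEW_DATE = date(2021, 6, 7)


def run_review(today: date = REVIEW_DATE) -> Dict[str, str]:
    """Run the review over the sample export and return {username: action}."""
    findings = review_vpn_accounts(SAMPLE_ACCOUNTS, today)
    return {user: recommended_action(reasons) for user, reasons in findings.items()}


if __name__ == "__main__":
    for user, reasons in review_vpn_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        print(f"{user}: {recommended_action(reasons)}")
        for r in reasons:
            print(f"    - {r}")
```

Run against the sample data, the two legacy accounts come back as "disable account" because they are both dormant and single-factor, while the active account without MFA is flagged for MFA enforcement and the fully configured account does not appear at all. The thresholds and profile names are placeholders; in a real review they come from the organisation's own VPN inventory.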