Justice Department turns tables on DarkSide: part of ransom recovered

US investigators recovered $2.3 million out of the ransom Colonial Pipeline paid to hackers

Image caption: DarkSide funds seized by DOJ. Colonial Pipeline paid the ransom to Russian hackers; the FBI recovered most of the sum.

Law enforcement officials report that around 64 Bitcoins were recovered out of the sum paid after the attack that forced the shutdown of the East Coast fuel pipeline.[1] Colonial Pipeline paid around $4.4 million to the DarkSide ransomware operators when it was hit a month ago.[2] On May 7th, the company suffered a ransomware attack and shut down all of its pipeline operations. The attack had major consequences: people faced temporary gas shortages on the East Coast.

The cryptocurrency was seized from the virtual wallet belonging to the hacker group responsible for the attack. A Russian-based criminal gang is suspected of targeting Colonial Pipeline Co.[3] The company paid about 75 Bitcoins, so the DOJ recovered most of the ransom. Stephanie Hinds, acting U.S. Attorney for the Northern District of California, said it was extremely important to take the profit away from criminals.

Since the outage was critical, the company decided to pay the $4.4 million ransom in Bitcoin. The ransomware operators sent the decryption key in return, and the pipeline systems were brought back online. Since the attack, the DarkSide operators have come under intense scrutiny from the US government, and the gang announced it was shutting down its operations.[4]

Agents were able to access the virtual currency wallet and collect the payment

Law enforcement reports[5] that officials obtained the private key for the DarkSide Bitcoin wallet holding the Colonial Pipeline ransom payment. Whoever holds the private key can sign transactions from that wallet, so agents had full control of it and could transfer the funds out. The price of Bitcoin has fallen since the ransom was paid, so the recovered coins are worth less in dollars than they were at the time of payment.

Lisa Monaco, Department of Justice deputy attorney general, said to the press:

Today we turned the tables on DarkSide

The funds were seized under a court order, so the criminals can no longer access them. It is not known how the FBI obtained the private key, but the ransomware gang itself stated that it had lost access to one of its payment servers about a week after the attack. It is possible that law enforcement recovered the key when servers belonging to the ransomware operators were seized.

FBI tracks hundreds of ransomware variants

According to the Department of Justice, the DarkSide operators are based in Russia and run a ransomware-as-a-service model: they supply the malware and payment infrastructure to affiliates, who carry out the attacks in return for a share of the ransom. The FBI tracked the destination of the ransom payment after the Colonial Pipeline attack. DarkSide is one of the hundreds of ransomware variants the FBI tracks.

During this investigation, the FBI identified at least 90 separate DarkSide victims, including manufacturing, legal, healthcare and insurance firms that suffered the same kind of attack as Colonial. Ransomware operators demand Bitcoin and other cryptocurrencies because they believe the payments are anonymous and hard to trace, which lets them disguise their activities.

However, Bitcoin is pseudonymous rather than anonymous: every transaction is recorded on a public ledger, so law enforcement can often follow a payment from hop to hop, link the addresses that spend it, and, once it holds the private key, seize the funds. Cutting off access to revenue is the worst consequence for these criminals.
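The tracing described in the two paragraphs above, as an added Python example that is not part of the article and is not the FBI's tooling: it follows a ransom payment forward through a constructed mini-ledger until it finds the outputs where the coins currently rest, and applies the common-input-ownership heuristic to link addresses that are spent together. Only the 75 BTC paid and the roughly 64 BTC (63.7 here) recovered come from the article; every transaction ID, address, intermediate hop and the way the payment is split are invented for illustration.

```python
from collections import deque, defaultdict

# Constructed mini-ledger (not real chain data). Each transaction lists the
# outputs it spends as (txid, output index) and the outputs it creates as
# (address, BTC). 75 BTC paid and 63.7 BTC ending up in the seized address
# mirror the article; the split, the hops and the addresses are assumptions.
LEDGER = {
    "tx_ransom":  {"inputs":  [("tx_victim_wallet", 0)],
                   "outputs": [("addr_darkside_pay", 75.0)]},
    "tx_split":   {"inputs":  [("tx_ransom", 0)],
                   "outputs": [("addr_affiliate", 63.7), ("addr_operator", 11.3)]},
    "tx_earlier": {"inputs":  [("tx_unrelated_source", 0)],
                   "outputs": [("addr_old_affiliate", 2.0)]},
    # Two inputs spent together: 63.7 + 2.0 in, 63.7 + 1.95 out, 0.05 miner fee.
    "tx_hop":     {"inputs":  [("tx_split", 0), ("tx_earlier", 0)],
                   "outputs": [("addr_seized", 63.7), ("addr_change", 1.95)]},
    # Unrelated traffic that a correct trace must never touch.
    "tx_noise":   {"inputs":  [("tx_other", 0)],
                   "outputs": [("addr_other", 1.0)]},
}


def build_spend_index(ledger):
    """Map each outpoint (txid, vout) to the txid that spends it.

    On a valid chain an output is spent at most once, so one entry suffices.
    """
    spenders = {}
    for txid, tx in ledger.items():
        for outpoint in tx["inputs"]:
            spenders[outpoint] = txid
    return spenders


def trace_forward(ledger, start_txid):
    """Follow every output of start_txid through successive spends.

    Returns (resting, visited): resting maps each currently unspent address
    reached by the funds to its amount; visited is the set of txids walked.
    """
    spenders = build_spend_index(ledger)
    visited, resting = set(), {}
    queue = deque([start_txid])
    while queue:
        txid = queue.popleft()
        if txid in visited:
            continue
        visited.add(txid)
        for vout, (addr, amount) in enumerate(ledger[txid]["outputs"]):
            spender = spenders.get((txid, vout))
            if spender is None:            # unspent: the coins rest here
                resting[addr] = resting.get(addr, 0.0) + amount
            else:                          # spent: keep following the money
                queue.append(spender)
    return resting, visited


def cluster_by_common_input(ledger):
    """Common-input-ownership heuristic via union-find.

    Addresses whose outputs are spent together in one transaction are assumed
    to be controlled by the same key holder. Returns address -> frozenset of
    addresses linked to it; addresses never co-spent are absent.
    """
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in ledger.values():
        addrs = [ledger[ptx]["outputs"][i][0]
                 for ptx, i in tx["inputs"] if ptx in ledger]
        for a in addrs[1:]:
            parent[find(addrs[0])] = find(a)

    groups = defaultdict(set)
    for a in list(parent):
        groups[find(a)].add(a)
    return {a: frozenset(members) for members in groups.values() for a in members}


if __name__ == "__main__":
    resting, visited = trace_forward(LEDGER, "tx_ransom")
    print("transactions walked:", sorted(visited))
    for addr, amount in sorted(resting.items()):
        print(f"{amount:6.2f} BTC resting at {addr}")
    clusters = cluster_by_common_input(LEDGER)
    print("linked to addr_affiliate:", sorted(clusters.get("addr_affiliate", ())))
```

The trace stops at unspent outputs, which is exactly what an investigator needs before moving for a seizure warrant: the address where the coins currently sit and the amount there. Note that the change output in tx_hop is also reported as carrying ransom-derived funds, because once inputs are merged in one transaction the heuristic cannot say which output received which coin; real chain analysis applies more elaborate taint rules on top of this.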

About the author

Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
