The U.S. Justice Department on Monday recovered some $2.3 million in cryptocurrency ransom paid by Colonial Pipeline Co, after last month's hack of its systems that led to the shutdown of the East Coast pipeline.
Colonial Pipeline had said it paid the hackers almost $5 million to regain access. "This was an attack against some of our most critical infrastructure".
While the DOJ has seized cryptocurrency belonging to ransomware operators before, the recovery of the Colonial Pipeline ransom was the task force's first major operation, Monaco said.
The hack, attributed by the Federal Bureau of Investigation to a gang called DarkSide, caused a days-long shutdown that led to a spike in gas prices, panic buying and localised fuel shortages.
The CEO of Colonial Pipeline ended up publicly confirming that he authorized the $4.4 million payment to the hackers, acknowledging it was "a highly controversial decision". In an affidavit (pdf) supporting the warrant application, authorities said they reviewed bitcoin's public ledger and pinpointed the transfer of the ransom to a specific address.
He said he "didn't make [that decision] lightly", but believed "it was the right thing to do for the country". Colonial was hit by a "ransomware" attack, in which hackers encrypt data to lock users out of computer systems, disrupt networks, and then demand a large ransom to restore access.
In an interview with Bloomberg, Charles Carmakal, senior vice president at cybersecurity firm Mandiant, said the attackers entered Colonial's networks on 29 April using a VPN account that was no longer in use. Sometimes stolen data is more valuable to ransomware criminals than the leverage they get from locking up a network, because some victims are reluctant to see their confidential information published online. DarkSide's product is one of about 100 ransomware variants the FBI is investigating, Abbate said.
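The initial-access detail above (a VPN account that was no longer in use, but was still able to log in) is the kind of thing a defender can check for in authentication logs. The following is an added example, not Colonial's or Mandiant's tooling: it parses a constructed VPN login log in an assumed format, flags successful logins that follow a long gap of inactivity for the same user, and lists enabled accounts whose last successful login is stale enough that they should be disabled. The log format, threshold of 60 days, hostnames, IP addresses and user names are all assumptions.

```python
"""Dormant-account checks over a constructed VPN authentication log.

Added example, not code from the original article or from the parties it
describes. The log line format, the 60-day dormancy threshold, the user
names and the IP addresses are assumptions made for illustration.
"""
import re
from datetime import datetime

# Constructed sample log (hypothetical format): one LOGIN event per line.
SAMPLE_LOG = """\
2021-01-10T08:02:11Z vpn01 LOGIN user=alice src=203.0.113.5 result=success
2021-01-11T08:05:44Z vpn01 LOGIN user=bob src=198.51.100.9 result=success
2021-02-15T09:12:03Z vpn01 LOGIN user=alice src=203.0.113.5 result=success
2021-03-20T08:44:19Z vpn01 LOGIN user=alice src=203.0.113.5 result=success
2021-04-28T17:40:02Z vpn01 LOGIN user=alice src=203.0.113.5 result=success
2021-04-29T03:12:56Z vpn01 LOGIN user=bob src=192.0.2.77 result=success
2021-04-29T03:13:30Z vpn01 LOGIN user=carol src=192.0.2.77 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ LOGIN user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the assumed log format into a list of event dicts; lines that
    do not match are skipped rather than crashing the analysis."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "user": m["user"],
                       "src": m["src"], "result": m["result"]})
    return events


def dormant_reactivations(events, dormant_days=60):
    """Return (user, gap_days, timestamp, src) for every successful login
    that follows at least dormant_days of no successful logins by the same
    user. Failed attempts do not reset the gap."""
    last_ok = {}
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "success":
            continue
        prev = last_ok.get(e["user"])
        if prev is not None:
            gap = (e["ts"] - prev).days
            if gap >= dormant_days:
                hits.append((e["user"], gap, e["ts"], e["src"]))
        last_ok[e["user"]] = e["ts"]
    return hits


def stale_enabled_accounts(events, enabled, as_of, dormant_days=60):
    """Enabled accounts whose last successful login before as_of is older
    than dormant_days, or that never logged in at all: candidates to
    disable before an attacker finds them."""
    last_ok = {}
    for e in events:
        if e["result"] == "success" and e["ts"] <= as_of:
            last_ok[e["user"]] = max(last_ok.get(e["user"], e["ts"]), e["ts"])
    stale = []
    for user in sorted(enabled):
        last = last_ok.get(user)
        if last is None or (as_of - last).days >= dormant_days:
            stale.append(user)
    return stale


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for user, gap, ts, src in dormant_reactivations(evts):
        print(f"dormant account {user} logged in from {src} at {ts} "
              f"after {gap} days of inactivity")
    # Assumed account inventory: 'dave' is enabled but has never logged in.
    print("stale enabled accounts:",
          stale_enabled_accounts(evts, {"alice", "bob", "dave"},
                                 as_of=datetime(2021, 4, 28)))
```

The reactivation check is a detection (it fires after the fact), while the stale-account check is a hygiene control that removes the account before it can be reused; a practitioner would run the second one periodically against the identity provider's real inventory rather than against a log.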
United States authorities have recovered part of the ransom paid by Colonial Pipeline, the company that operates the East Coast pipeline, which was hit in May by a cyber attack from the "DarkSide" group, based in the Russian Federation.
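The affidavit described above says investigators reviewed bitcoin's public ledger and followed the ransom to a specific address. The following is an added illustration of that "follow the money" step, not the DOJ's tooling and not real Colonial Pipeline transaction data: it walks forward through a small constructed set of bitcoin-style transactions from the victim's paying address, records every address the funds reach, and reports which of them have not spent onward (where the funds currently sit). Every address, transaction id and amount in it is made up.

```python
"""Follow-the-money trace over a constructed, bitcoin-style transaction set.

Added example, not code from the original article or from any agency it
describes. The ledger below is entirely constructed: addresses, txids and
amounts are made up, and the model is simplified (no scripts, no change
detection, no clustering heuristics).
"""
from collections import defaultdict, deque

# Constructed ledger: each tx lists the addresses it spends from and the
# addresses (with BTC amounts) it pays to. The 'unrelated' tx shows that
# an address reached by the trace can also receive unrelated funds.
LEDGER = [
    {"txid": "tx1", "inputs": ["victim_addr"],
     "outputs": {"ransom_addr": 75.0}},
    {"txid": "tx2", "inputs": ["ransom_addr"],
     "outputs": {"affiliate_addr": 63.7, "operator_addr": 11.3}},
    {"txid": "tx3", "inputs": ["affiliate_addr"],
     "outputs": {"hop_a": 40.0, "hop_b": 23.7}},
    {"txid": "tx4", "inputs": ["hop_a"],
     "outputs": {"seized_addr": 39.9}},   # 0.1 BTC assumed as fee
    {"txid": "unrelated", "inputs": ["someone_else"],
     "outputs": {"hop_b": 5.0}},
]


def build_graph(ledger):
    """Map each spending address to the transactions that spend from it."""
    spends = defaultdict(list)
    for tx in ledger:
        for addr in tx["inputs"]:
            spends[addr].append(tx)
    return spends


def trace_funds(ledger, start_addr, max_hops=10):
    """Breadth-first forward walk from start_addr. Returns one
    (hop, txid, from_addr, to_addr, amount) edge per output reached by
    following spends, stopping at max_hops."""
    spends = build_graph(ledger)
    seen = {start_addr}
    queue = deque([(start_addr, 0)])
    edges = []
    while queue:
        addr, hop = queue.popleft()
        if hop >= max_hops:
            continue
        for tx in spends.get(addr, []):
            for to_addr, amount in tx["outputs"].items():
                edges.append((hop + 1, tx["txid"], addr, to_addr, amount))
                if to_addr not in seen:
                    seen.add(to_addr)
                    queue.append((to_addr, hop + 1))
    return edges


def terminal_addresses(ledger, start_addr):
    """Addresses reached from start_addr that have not spent onward:
    the candidates for where the traced funds currently sit."""
    spends = build_graph(ledger)
    reached = {e[3] for e in trace_funds(ledger, start_addr)}
    return sorted(a for a in reached if a not in spends)


def path_to(ledger, start_addr, target_addr):
    """Shortest chain of txids from start_addr to target_addr, or None.
    Edges come out of trace_funds in BFS order, so the first parent seen
    for an address is on a shortest path."""
    parent = {}
    for _hop, txid, src, dst, _amt in trace_funds(ledger, start_addr):
        parent.setdefault(dst, (src, txid))
    if target_addr not in parent:
        return None
    path, addr = [], target_addr
    while addr != start_addr:
        src, txid = parent[addr]
        path.append(txid)
        addr = src
    return path[::-1]


if __name__ == "__main__":
    for hop, txid, src, dst, amt in trace_funds(LEDGER, "victim_addr"):
        print(f"hop {hop}: {txid} {src} -> {dst} ({amt} BTC)")
    print("funds at rest in:", terminal_addresses(LEDGER, "victim_addr"))
    print("chain to seized_addr:", path_to(LEDGER, "victim_addr", "seized_addr"))
```

The caveat the constructed ledger builds in: hop_b also receives 5.0 BTC from an unrelated transaction, so a naive trace that sums everything at a terminal address overstates how much of it is ransom. Real tracing has to apportion mixed inputs and attribute addresses to an owner, which is where the "specific address" in the affidavit comes from and what this toy model leaves out.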
"The old adage "follow the money" still applies", Monaco, the deputy attorney general, said.
"Cutting off access to revenue is one of the most impactful consequences we can impose", Abbate said.
Attempts at cyber extortion have grown in the United States over the past year, with attacks delaying cancer treatment in hospitals, disrupting studies and crippling police and city governments. They noted that this is a conservative estimate, since many victims do not report their ransom payments.
Cybersecurity experts and former federal prosecutors and agents blamed several trends for the spike. The Kremlin, for example, allows hackers to operate with impunity if they do not target Russian businesses or citizens and focus their energy on sowing chaos and confusion in the West.
The Biden administration is under increasing pressure to do something about the epidemic of ransomware attacks.
The recovery reflected the increasingly aggressive response of the US government to high-profile ransomware attacks whose impacts have hit wide swaths of the economy, including the transportation and logistics sector.
Monaco said the money was recovered by the department's recently launched Ransomware and Digital Extortion Task Force. "The question is: Will this be big enough to change the behavior of DarkSide or of other cyber actors?" It's a slow game, a long-term game.