‘Majority’ of ransom paid by Colonial Pipeline seized and returned by DOJ

Of the $4.4 million the company paid, $2.3 million was returned.
Written by Jonathan Greig, Contributor

The Department of Justice announced on Monday that it managed to recover some of the ransom that was paid by Colonial Pipeline to the cybercriminals behind the DarkSide ransomware last month. 

While this is not the first time the government has been able to get some money back to victims, Deputy Attorney General Lisa Monaco said during a press conference that this was a first for the new Ransomware and Digital Extortion Task Force that was created in April to address the growing number of cyberattacks.  

Monaco explained that the Justice Department and FBI seized 63.7 Bitcoins -- now valued at $2.3 million after a large dip in the cryptocurrency market -- of the 75 Bitcoins that the CEO of Colonial Pipeline admitted to paying. Despite paying the ransom, the decryption tools handed over did not work or help the company's efforts to restore its systems.

The Justice Department obtained a warrant from a California district court on Monday in order to seize the money. 

"Following the money remains one of the most basic, yet powerful tools we have," Monaco said. "Today's announcements also demonstrate the value of early notification to law enforcement; we thank Colonial Pipeline for quickly notifying the FBI when they learned that they were targeted by DarkSide."

Monaco and FBI deputy director Paul Abbate explained that the seizure was part of a larger effort to impose more costs on ransomware gangs, who have spent years holding hospitals, schools, businesses and government systems hostage.

Both urged companies to prepare for attacks and to plan contingencies for an eventual attack, and reiterated much of the guidance handed down by the White House last week.

"Cybercriminals are employing ever more elaborate schemes to convert technology into tools of digital extortion. We need to continue improving the cyber resiliency of our critical infrastructure across the nation, including in the Northern District of California," said Stephanie Hinds, acting US Attorney for the Northern District of California.

"We will also continue developing advanced methods to improve our ability to track and recover digital ransom payments." 

Colonial Pipeline faced significant backlash for paying the ransom but the FBI and Justice Department said they were able to use the Bitcoin public ledger to trace the payments back to "a specific address, for which the FBI has the 'private key,' or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address."
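The tracing the FBI describes rests on a property of the Bitcoin ledger: every transaction spends earlier outputs and creates new ones, so funds can be followed forward from a known payment until they come to rest at addresses whose outputs are still unspent. The following is an added illustration, not code from the article or from any agency: it walks a small constructed ledger (all transaction IDs, addresses and the 63.7 / 11.3 split are made-up placeholders, not the real DarkSide transaction history) forward from the victim's payment and reports where the traced funds currently sit.

```python
"""Toy forward-trace over a constructed UTXO-style ledger (added example).

Each transaction spends earlier outputs (its inputs, referenced as
(prev_txid, output_index)) and creates new outputs (address, amount).
Starting from a known payment transaction, we follow every output forward
until we reach outputs nothing has spent yet; the addresses holding those
outputs are where the traced funds currently rest.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class TxOut:
    address: str
    amount: float  # BTC


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple[tuple[str, int], ...]  # (prev_txid, output_index) pairs
    outputs: tuple[TxOut, ...]


# Constructed sample ledger; none of these IDs or addresses are real.
LEDGER = [
    # Victim's payment of 75 BTC to the address supplied by the extortionists.
    Tx("pay01", inputs=(("victim_funding", 0),),
       outputs=(TxOut("extortion_addr", 75.0),)),
    # The recipient splits the funds: 63.7 BTC to one address, 11.3 to another.
    Tx("split02", inputs=(("pay01", 0),),
       outputs=(TxOut("addr_A", 63.7), TxOut("addr_B", 11.3))),
    # The smaller share moves once more.
    Tx("move03", inputs=(("split02", 1),),
       outputs=(TxOut("addr_C", 11.3),)),
]


def build_spend_index(ledger: list[Tx]) -> dict[tuple[str, int], str]:
    """Map each spent output (txid, vout) to the txid that spends it."""
    spent: dict[tuple[str, int], str] = {}
    for tx in ledger:
        for prev in tx.inputs:
            spent[prev] = tx.txid
    return spent


def trace_forward(ledger: list[Tx], start_txid: str):
    """Follow outputs of start_txid forward through the ledger.

    Returns (resting, hops): `resting` maps address -> BTC still unspent
    there, `hops` lists (txid, vout, spending_txid) edges that were followed.
    """
    txs = {tx.txid: tx for tx in ledger}
    spent = build_spend_index(ledger)
    resting: dict[str, float] = {}
    hops: list[tuple[str, int, str]] = []
    queue: deque[str] = deque([start_txid])
    seen: set[str] = set()
    while queue:
        txid = queue.popleft()
        if txid in seen:
            continue  # guard against revisiting a tx reached via two outputs
        seen.add(txid)
        for idx, out in enumerate(txs[txid].outputs):
            spender = spent.get((txid, idx))
            if spender is None:
                # Unspent output: funds rest here until someone spends it.
                resting[out.address] = resting.get(out.address, 0.0) + out.amount
            else:
                hops.append((txid, idx, spender))
                queue.append(spender)
    return resting, hops


if __name__ == "__main__":
    resting, hops = trace_forward(LEDGER, "pay01")
    for txid, vout, spender in hops:
        print(f"{txid}:{vout} spent by {spender}")
    for address, amount in resting.items():
        print(f"{amount:.1f} BTC resting at {address}")
```

The public ledger gives investigators the graph; what it does not give is control of the resting addresses. Recovery, as the article describes, also required possession of the private key for the address where the 63.7 BTC came to rest.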

"There is no place beyond the reach of the FBI to conceal illicit funds that will prevent us from imposing risk and consequences upon malicious cyber actors," Abbate said. 

"We will continue to use all of our available resources and leverage our domestic and international partnerships to disrupt ransomware attacks and protect our private sector partners and the American public."

Despite the success in this instance, Abbate and Monaco stressed that they would not be able to retrieve all ransom payments from now on and urged companies to take measures to protect themselves while also notifying the FBI as soon as possible in the event of an attack.

"What we are saying today is that if you come forward, as law enforcement, we may be able to take the type of action that we took today to deprive the criminal actors of what they're going after here which is the proceeds of their criminal scheme," Monaco said. 

"We cannot guarantee and we may not be able to do this in every instance."
