U.S. law enforcement officials say they have hit back at the Russian-based criminal network that caused gas pipelines to shut down across parts of the country last month, seizing much of the multimillion-dollar ransom payment before it could be used.
The Justice Department announced Monday it recovered $2.3 million of the approximately $5 million Colonial Pipeline paid to the DarkSide Network following the ransomware attack, which resulted in fuel shortages along the U.S. East Coast.
“We turned the tables on DarkSide,” said Deputy Attorney General Lisa Monaco, describing the seizure as a “significant development.”
“Ransomware attacks are always unacceptable, but when they target critical infrastructure, we will spare no effort in our response,” she added.
Colonial Pipeline, the target of DarkSide’s May 7 attack, is the top fuel pipeline operator in the U.S., responsible for about half of the fuel supply for the East Coast.
Following the attack, the company made the decision to meet DarkSide’s demands, paying out about $5 million in Bitcoin cryptocurrency. But U.S. government officials said Colonial also worked closely with law enforcement agencies, who were able to track the payment to a virtual wallet.
Specifically, officials said they were able to obtain a virtual key that unlocked the contents of the wallet.
As a result, the Justice Department said it was able to recover about 80% of the cryptocurrency, which has dropped in value in recent weeks, before DarkSide could access it.
“We deprived a cybercriminal enterprise of the object of their activity,” said FBI Deputy Director Paul Abbate. “For financially motivated cybercriminals, especially those presumably located overseas, cutting off access to revenue is one of the most impactful consequences we can impose.”
Officials said this is not the first time they have been able to recover ransom payments made to groups like DarkSide, and encouraged other companies to cooperate with the government if they are targeted.
“The message we are sending today is that if you come forward and work with law enforcement, we may be able to take the type of action that we took today to deprive the criminal actors of what they're going after,” Monaco said.
But she added that this type of operation is a “significant undertaking” and “we cannot guarantee, and we may not be able to do this, in every instance.”
The FBI has been investigating DarkSide since last October, blaming the network for attacks against 90 victims across critical sectors such as manufacturing, health care and energy.
DarkSide and its affiliates have also been connected to ransomware attacks in at least 14 other countries. Last month, The Wall Street Journal reported the group made almost $60 million in seven months, including $46 million in the first three months of this year.
In a statement late Monday, Colonial Pipeline President Joseph Blount said the company was grateful for the help from both the Justice Department and the FBI, calling them “instrumental in helping us to understand the threat actor and their tactics.”
“Holding cyber criminals accountable and disrupting the ecosystem that allows them to operate is the best way to deter and defend against future attacks of this nature,” Blount added. “As our investigation into this event continues, Colonial will continue its transparency in sharing intelligence and learnings with the FBI and other federal agencies.”
The Justice Department announcement also earned praise from some private cybersecurity firms, with one calling the seizure of the ransom payment a “welcome development.”
“In addition to the immediate benefits of this approach, a stronger focus on disruption may disincentivize this behavior, which is growing in a vicious cycle,” John Hultquist, vice president of analysis at Mandiant, said in a statement. “Law enforcement agencies need to broaden their approach beyond building cases against criminals who may be beyond the grasp of the law.”
U.S. President Joe Biden is expected to raise the issue of the DarkSide ransomware attack when he meets with Russian President Vladimir Putin in Geneva, Switzerland, next week.
Biden has previously said Moscow bears “some responsibility” to deal with the attack.
“The president’s message will be that responsible states do not harbor ransomware criminals, and responsible countries take decisive action against these ransomware networks,” White House press secretary Jen Psaki told reporters last week.
National Security Adviser Jake Sullivan said Monday that Biden will also use meetings next week with G-7 leaders to discuss “increasing the robustness and resilience of our defense against ransomware attacks.”
Sullivan said the U.S. also hopes to discuss ways to better share information about ransomware attacks.
Information from Reuters was used in this report.