Justice Department recovers majority of Colonial Pipeline ransom: 'We turned the tables on DarkSide'

WASHINGTON — The Department of Justice announced Monday that it had recovered $2.3 million in cryptocurrency from the criminal hackers who compromised a major U.S. pipeline in May, an attack that led to fuel outages and hoarding across the East Coast for six days.

The U.S. District Court for the Northern District of California issued a seizure warrant on Monday, allowing the DOJ to confiscate a large chunk of the $4.4 million paid by Colonial Pipeline to the DarkSide ransomware operators, who demanded payment in exchange for decrypting the files their malware had locked on the victim’s systems.

“The sophisticated use of technology to hold businesses and even whole cities hostage for profit is decidedly a 21st century challenge, but the old adage ‘follow the money’ still applies,” said Lisa Monaco, President Biden’s deputy attorney general, during a press conference on Monday afternoon. “Today we turned the tables on DarkSide.”

Deputy U.S. Attorney General Lisa Monaco. (Jonathan Ernst/Pool via Reuters)

According to U.S. intelligence officials, DarkSide is a criminal group operating somewhere in Russia that leases its malicious tools to affiliates who carry out the intrusions, in exchange for a cut of the profits from successful extortions.

The FBI was able to track the destination of Colonial’s payment in bitcoin to a virtual wallet used by the criminal perpetrators, Monaco said.

DarkSide’s malware is one of hundreds of ransomware variants the FBI is currently tracking, according to FBI Deputy Director Paul Abbate, who also spoke at the press conference. During its investigation into DarkSide, the FBI identified “more than 90 victims” of the same kind of attack that hit Colonial, from manufacturing companies to legal, insurance, health care and energy firms, Abbate said.

While bitcoin has a reputation for being anonymous and secretive, leading criminal operators to use it to try to disguise their activities, its ledger of payments is by design entirely public. A bitcoin address is not tied to a real name, so a user can receive funds without identifying themselves, but every transfer between addresses is recorded permanently and visibly. That record lets investigators follow a payment from address to address, and a fresh address at each hop does not break the chain; pseudonymity alone does not always prevent law enforcement from uncovering an address’s owner or gaining access to the funds it holds.
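The "follow the money" idea above, shown as an added example rather than anything from the article or the investigation: a toy ledger modelled on bitcoin's transaction structure, where each transaction spends earlier outputs and creates new ones. The transaction IDs, addresses and amounts are constructed for illustration and do not describe the Colonial Pipeline payment. Starting from the transaction that paid the ransom, the code walks the public spend graph forward and reports every address that received a share of those funds and the outputs where the money currently sits, which is the information a seizure would target. The same walk fails on a ledger that hides senders, recipients and amounts, which is the difference between this and a privacy coin.

```python
"""Trace a payment forward through a public UTXO-style ledger.

Constructed example: every txid, address and amount below is invented.
A transaction spends outputs of earlier transactions (identified by
(txid, index)) and creates new outputs (address, amount), exactly the
property that makes bitcoin traceable despite pseudonymous addresses.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Outpoint:
    """Reference to a specific output of a specific transaction."""
    txid: str
    index: int


@dataclass
class Tx:
    txid: str
    inputs: List[Outpoint]              # outputs this transaction spends
    outputs: List[Tuple[str, float]]    # (receiving address, amount)


# Constructed ledger (not real chain data). The ransom is paid in
# tx_ransom, then split and moved through fresh addresses. tx_other is
# unrelated traffic that the trace must not pick up.
LEDGER: List[Tx] = [
    Tx("tx_ransom", [Outpoint("tx_victim_funds", 0)],
       [("addr_ransom", 75.0)]),
    Tx("tx_split", [Outpoint("tx_ransom", 0)],
       [("addr_hop1", 10.0), ("addr_hop2", 64.9)]),   # 0.1 lost to fees
    Tx("tx_move", [Outpoint("tx_split", 1)],
       [("addr_hop3", 63.7)]),                        # another fresh address
    Tx("tx_other", [Outpoint("tx_somebody", 0)],
       [("addr_unrelated", 5.0)]),
]


def index_ledger(ledger: List[Tx]):
    """Build lookups: txid -> Tx, and spent outpoint -> txid that spent it."""
    by_txid: Dict[str, Tx] = {tx.txid: tx for tx in ledger}
    spenders: Dict[Outpoint, str] = {}
    for tx in ledger:
        for op in tx.inputs:
            spenders[op] = tx.txid
    return by_txid, spenders


def trace_forward(ledger: List[Tx], start_txid: str):
    """Follow funds from start_txid through every later spend.

    Returns (tainted_addresses, unspent) where unspent maps each still-unspent
    tainted outpoint to its (address, amount). Uses a simple "poison" rule:
    any output of a transaction that spends tainted funds is tainted.
    """
    by_txid, spenders = index_ledger(ledger)
    tainted: Set[str] = set()
    unspent: Dict[Outpoint, Tuple[str, float]] = {}
    queue = deque([start_txid])
    seen: Set[str] = set()
    while queue:
        txid = queue.popleft()
        if txid in seen:
            continue
        seen.add(txid)
        tx = by_txid[txid]
        for i, (addr, amount) in enumerate(tx.outputs):
            tainted.add(addr)
            op = Outpoint(txid, i)
            if op in spenders:
                queue.append(spenders[op])   # funds moved on: keep following
            else:
                unspent[op] = (addr, amount)  # funds still sit here
    return tainted, unspent


def recoverable_total(unspent: Dict[Outpoint, Tuple[str, float]]) -> float:
    """Sum of tainted funds that have not been spent further."""
    return round(sum(amount for _, amount in unspent.values()), 8)


if __name__ == "__main__":
    addrs, where = trace_forward(LEDGER, "tx_ransom")
    print("addresses that touched the ransom:", sorted(addrs))
    for op, (addr, amt) in where.items():
        print(f"{amt} still held at {addr} (output {op.txid}:{op.index})")
    print("total traceable and unspent:", recoverable_total(where))
```

The walk is a plain breadth-first search over the spend graph; on a real chain the same procedure runs against a block explorer or a local node, and the hard part is the last step, linking an address to a person or obtaining the keys, which the ledger itself does not provide.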

However, there are privacy-focused cryptocurrencies like Monero, which conceal the sender, recipient and amount of each transaction, and switching to them requires little extra effort on the part of criminal actors. The tactics used to recover Colonial’s payment likely won’t work across the board, according to cybersecurity experts. Even so, the DOJ’s actions on Monday prevented DarkSide from accessing millions of dollars. Plus, the combination of public attention and negative consequences following the Colonial attack led DarkSide to quite literally go dark, at least temporarily. Last month, it announced it was closing up shop.

“Cutting off access to revenue is one of the most impactful consequences we can impose,” Abbate said.

A Colonial Pipeline facility in Avenel, N.J. (Mark Kauzlarich/Bloomberg via Getty Images)

The Biden administration has been under increasing pressure to respond to the growing tide of ransomware attacks that have so far affected U.S. cities, hospitals, infrastructure and a range of small and large private businesses. Ransomware attacks have gone up by over 300 percent in the last year, costing victims over $350 million, according to Homeland Security Secretary Alejandro Mayorkas.

The DOJ and the FBI will continue to play a role responding to attacks and assisting victims after the fact. Monaco said one of her first moves in her new role was to launch a strategic cyber review within the department. The DOJ also recently created a ransomware task force to marshal its resources against the problem. While the DOJ has seized cryptocurrency belonging to ransomware operators before, the recovery of the Colonial Pipeline ransom was the task force’s first major operation, Monaco said. According to Abbate, victims who report quickly and share information with the FBI have the best chance of recovering access to their files and allowing the FBI to investigate the perpetrators.

In addition, according to national security adviser Jake Sullivan, who spoke during Monday’s White House press briefing, Biden will be discussing ransomware with allies during his upcoming trip to Europe, where he will meet with a range of leaders before holding a summit with Russian President Vladimir Putin.

While Biden has said he does not believe the Russian government was behind the Colonial Pipeline incident, he does expect Russia to take action against criminal actors inside its borders.

According to Sullivan, Biden will discuss an “action plan” to deal with ransomware during the G-7 summit in the United Kingdom, which will involve discussions on how to increase resilience of digital networks, share information about attacks and “deal with the cryptocurrency challenge.”
