US recovers most of multimillion-dollar ransom payment made to Colonial Pipeline hackers

The Justice Department has recovered most of a multimillion-dollar ransom payment made to hackers after a cyberattack that caused the operator of the nation’s largest fuel pipeline to halt its operations last month, officials said Monday.

The operation to recover the cryptocurrency from the Russia-based hacker group is the first undertaken by a specialized ransomware task force created by the Biden administration Justice Department, and reflects a rare victory as U.S. officials scramble to confront a rapidly accelerating ransomware threat that has targeted critical industries around the world.

“By going after the entire ecosystem that fuels ransomware and digital currency, we will continue to use all of our tools and all of our resources to increase the costs and the consequences of ransomware attacks and other cyber-enabled attacks,” Deputy Attorney General Lisa Monaco said at a news conference announcing the operation.

Georgia-based Colonial Pipeline, which supplies roughly half the fuel consumed on the East Coast, temporarily shut down its operations on May 7 after a gang of cybercriminals using the DarkSide ransomware variant broke into its computer system. The ransomware variant used by DarkSide, which has been the subject of an FBI investigation for the last year, is one of more than 100 that law enforcement officials have identified, said FBI Deputy Director Paul Abbate.

Colonial officials have said they took their pipeline system offline before the attack could spread to its operating systems, and decided soon after to pay ransom of 75 bitcoin -- then valued at roughly $4.4 million -- in hopes of bringing itself back online as soon as it could. The company’s president and chief executive, Joseph Blount, is set to testify before congressional panels this week.

In a statement, Blount said he was grateful for the FBI’s efforts and said holding hackers accountable and disrupting their activities “is the best way to deter and defend against future attacks of this nature.

“The private sector also has an equally important role to play and we must continue to take cyber threats seriously and invest accordingly to harden our defenses,” he added.

Cryptocurrency is favored by cybercriminals because it enables direct online payments regardless of geographical location.

“The anonymity of cryptocurrency and the ability to transit international borders it infinity more viable for these groups to purchase these services to get paid, and that’s all they’re in it for,” said cybersecurity expert Chris Hamer.

But in the case involving the Colonial Pipeline, the FBI was able to identify a virtual currency wallet used by the hackers and recovered the proceeds from there, said the FBI’s Abbate.

Though the FBI generally discourages the payment of ransom, fearing it could encourage additional hacks, Monaco said one takeaway for the private sector is that if companies come quickly to law enforcement after ransomware incidents, officials may be able to help them recover funds too.

The Bitcoin amount seized -- 63.7, currently valued at $2.3 million after the price of Bitcoin tumbled -- amounted to 85% of the total ransom paid, which is the exact amount that the cryptocurrency-tracking firm Elliptic says it believes was the take of the affiliate who carried out the attack. The ransomware software provider, DarkSide, would have gotten the other 15%.

“The extortionists will never see this money,” said Stephanie Hinds, the acting U.S. attorney for the Northern District of California, where a judge approved the seizure warrant earlier Monday.

Ransomware attacks -- in which hackers encrypt a victim organization’s data and demand a hefty sum for returning the information -- have flourished. Last year was the costliest on record for such attacks. Hackers have targeted vital industries, as well as hospitals and police departments.

Ransomware attacks have become so mainstream that many major companies have bought into cyber insurance, but now that the number of attacks are increasing, insurance premiums are skyrocketing.

Weeks after the Colonial Pipeline attack, a ransomware attack attributed to REvil, a Russian-speaking gang that has made some of the largest ransomware demands on record in recent months, disrupted production at Brazil’s JBS SA, the world’s largest meat processing company.

The ransomware business has evolved into a highly compartmentalized racket, with labor divided among the provider of the software that locks data, ransom negotiators, hackers who break into targeted networks, hackers skilled at moving undetected through those systems and exfiltrating sensitive data -- and even call centers in India employed to threaten people whose data was stolen to pressure for extortion payments.

Hamer said ransomware attacks are a very low effort crime for cybercriminals because the attacker does not physically have to be in the building of a business to cripple it.

“They will buy a list of computers and networks that have been compromised by some other group,” Hamer said.

Hamer said the list of compromised computers are typically purchased on the dark web as part of a mutual service.

“They actually buy the hacks. They buy the server time and support for their ransomware efforts. They pay a percentage of their profits and they pay a percentage of a monthly fee,” Hamer said. “It’s a service like an underground economy.”

Hamer said larger ransomware groups will hire computer programmers to do all the dirty work.

“They’ll hire people who have skills in that area, pay them a ridiculous amount and even offer them a profit share or a flat rate,” he said.

The Department of Justice is now treating ransomware complaints as cases of terrorism.


About the Authors:

Award-winning broadcast and multimedia journalist with 20 years experience.