by Theodore Bunker
"Today, we turned the tables on DarkSide"
U.S. law enforcement on Monday announced that they have seized millions of dollars in cryptocurrency that was paid to a criminal cybergroup known as DarkSide by Colonial Pipeline after the attack on their systems last month.
Colonial Pipeline CEO Joseph Blount told The Wall Street Journal in May that he thought he had to pay the ransom because he didn’t know how deeply the company’s systems had been infiltrated or how long it would take to get everything up and running again. The company paid about $4.4 million in ransom, most of which has since been recovered.
"Earlier today, the Department of Justice has found and recaptured the majority of the ransom Colonial paid to the DarkSide network in the wake of last month's ransomware attack. Ransomware attacks are always unacceptable — but when they target critical infrastructure, we will spare no effort in our response," Deputy Attorney General Lisa Monaco said during a news conference on Monday, according to ABC News.
"Today, we turned the tables on DarkSide," she said. "By going after the entire ecosystem that fuels ransomware and digital extortion attacks, including criminal proceeds in the form of digital currency, we will continue to use all of our tools, and all of our resources to increase the cost and the consequences of ransomware attacks and other cyber-enabled attacks."
Blount told the Journal last month, "I know that’s a highly controversial decision. I didn’t make it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this. But it was the right thing to do for the country."
FBI Director Christopher Wray added, "I don't want to suggest that this is the norm, but there have been instances where we've even been able to work with our partners to identify the encryption keys, which then would enable a company to actually unlock their data — even without paying the ransom.”
The company said in a statement at the time: "We needed to do everything in our power to restart the system quickly and safely. The decision was made to pay the ransom. This decision was not made lightly, however, one that had to be made. Tens of millions of Americans rely on Colonial — hospitals, emergency medical services, law enforcement agencies, fire departments, airports, truck drivers and the traveling public. Our focus remains on continued operations to safely deliver refined products to communities we serve."
The Justice Department said the Federal Bureau of Investigation was able to track the 75 bitcoin Colonial paid in ransom -- $4.4 million at the time -- as it moved through multiple anonymous transfers.
Eventually it was able to seize 63.7 bitcoin from a cryptocurrency wallet, which, because of the digital currency's fall over the past month, was worth only $2.3 million on Monday.
It was the first seizure of a paid ransom by the Justice Department's new Ransomware and Digital Extortion Task Force, which is tasked with going after the so-called "ransomware as a service" industry that has extracted hundreds of millions of dollars from targets such as schools, hospitals, local governments, and businesses over the past several years.
"Ransom payments are the fuel that propels the digital extortion engine, and today's announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises," said Monaco.
Monaco gave no details on how the money was recovered from DarkSide, but analysts believe it could have involved both FBI investigators and possibly the U.S. military's offensive cyber warfare operations.
One week after Colonial was forced to shut its operations on May 7, an online comment believed to be by DarkSide operator "Darksupp" admitted that the group had lost control of part of its operating infrastructure, including payment and other servers, and that ransom payments had been removed from its servers.
Its dark-web site also went down.
Cybersecurity experts say many of the independent ransomware extortionists appear to be located in Russia or in former Soviet satellites in Eastern Europe.
The attacks have grown so frequent that the Justice Department has elevated the issue to the same level of seriousness as terror attacks.
On May 31, the U.S. subsidiary of the world's largest meat processing group, Brazil-based JBS, said its systems had been hacked by ransomware extortionists, whom the U.S. government tied to Russia.
Last week the company that operates the ferries between the Massachusetts mainland and the popular tourist destinations Nantucket and Martha's Vineyard was also hit, just as the summer season was opening.
After the JBS attack, President Joe Biden said last week that he was "looking closely" at possible retaliation over the cyberattacks.
The issue is likely to figure in Biden's summit with Russian President Vladimir Putin in Geneva later this month.
AFP contributed to this report.