IE 11 is not supported. For an optimal experience visit our site on another browser.

Feds recover millions from pipeline ransom hackers, hint at U.S. internet tactic

A Russian ransomware gang hacked into Colonial Pipeline in May as part of a monthslong crime spree, leading the company to shut down operations.
Get more newsLiveon

The United States has recovered much of the ransom payment the Russian hacker group DarkSide extorted from Colonial Pipeline this year, the Justice Department said Monday.

The announcement details a rare disruption of the cryptocurrency payment systems favored by hackers that have enabled ransomware efforts around the world.

The FBI was able to seize control of DarkSide's proceeds by gaining access to a central account holding about 63.7 bitcoins, worth around $2.3 million, Deputy Director Paul Abbate said. A court document said that the seizure took place in Northern California, putting it within reach of U.S. law, and that the FBI was able to access the "private key," or password, for one of the gang's bitcoin wallets. It was unclear how the key was compromised.

Elvis Chan, an assistant special agent in charge at the FBI's San Francisco office, said in a news call Monday that the funds were specifically seized from hacker subcontractors who had used the DarkSide ransomware to hack Colonial.

He declined to give specifics of how the FBI was able to gain access to the wallet, but he said it did not rely on waiting for criminals to use U.S. cryptocurrency services. It did, however, rely on the fact that so much internet infrastructure is based in the U.S., where the FBI can get warrants.

"I don't want to give up our tradecraft in case we want to use this again for future endeavors," he said.

DarkSide hacked into Colonial in May as part of a monthslong crime spree, leading the company to shut down operations. The group demanded $4.4 million in ransom, which the company quickly paid. DarkSide's decryptor program was so slow that Colonial ended up not using it and instead restored its system from old backup files.

The pipeline's systems came back online five days after the hack.

"Today, we turned the tables on DarkSide," Deputy Attorney General Lisa Monaco said at a news conference.

"Ransomware attacks are always unacceptable, but when they target critical infrastructure, we will spare no effort in our response," she said.

Ransomware gangs have been responsible for more than 1,000 hacks worldwide this year, mostly in the U.S., according to figures prepared for NBC News by Allan Liska, an analyst at the cybersecurity company Recorded Future.

"Overseas is not an issue for this technique," Chan said.

Microsoft's Threat Intelligence Center, which tracks ransomware groups, aided the investigation, Chan said.

The Colonial hack was the first to have a direct effect on everyday American life; most attacks are on smaller targets. The threat of a major pipeline shutdown led the U.S. to issue an emergency order for truckers to work overtime delivering fuel, and some gas stations reported shortages as drivers rushed to the pumps.

Colonial CEO Joseph Blount, who oversaw the company's response, praised the FBI in a statement for its "swift work and professionalism in responding to this event."

"Holding cyber criminals accountable and disrupting the ecosystem that allows them to operate is the best way to deter and defend against future attacks of this nature," he said.

Jen Ellis, a co-author of a landmark Ransomware Task Force report studying how to slow the pace of ransomware attacks, welcomed the Justice Department's announcement as "fantastic news."

"This kind of collaboration between victims and law enforcement is exactly what we need to see," she said.

"Hopefully, if we see actions like this continue, it will encourage other victims to disclose attacks to law enforcement and also make it harder for ransomware attackers to realize a payday," Ellis said.

The recovered payment announced Monday is still a small fraction of the $90 million that DarkSide has been able to steal since it became active around October, Tom Robinson, CEO of Elliptic, a British company that tracks bitcoin payments, said in an email.

CORRECTION (June 8, 2021, 2:24 p.m. ET): A previous version of this article misstated when Colonial Pipeline was hacked. It was in May, not April.