ALPHARETTA, Ga. — The U.S. Department of Justice announced it has found and recaptured the majority of the ransom money Colonial Pipeline paid to a hacker group following last month's cyberattack.
Lisa O. Monaco, Deputy Attorney General of the Justice Department, called the news a "significant development" in the case.
In May, the company - one of the nation's largest sources of fuel - said it proactively took certain systems offline to contain the threat, which temporarily halted all pipeline operations. An investigation was launched, and the company said it also notified law enforcement and other federal agencies. Days later, the pipeline was restored. However, multiple outlets reported that this did not happen until the company paid $4.4 million to a gang of hackers who had broken into its computer systems.
Monaco said during the news conference that the "old adage 'follow the money' still applies" and explained how they tracked the attack back to an organization known as DarkSide.
"Today, we turned the tables on DarkSide by going after the entire ecosystem that fuels ransomware and digital extortion attacks including criminal proceeds in the form of criminal currency," she said.
The DOJ said DarkSide is a ransomware-as-a-service network where developers sell or lease ransomware to use in attacks. In return, they ask for a fee or to share the proceeds.
FBI Deputy Director Paul Abbate said they were able to seize the ransom funds from a bitcoin wallet that DarkSide used to collect the payment. The DOJ said the 63.7 bitcoins seized are valued at approximately $2.3 million.
"Since last year, we've been pursuing an investigation into DarkSide, a Russia-based cybercrime group," Abbate said. "The DarkSide ransomware variant is [one of] more than 100 ransomware variants that the FBI is currently investigating."
Monaco said the network has been digitally stalking companies, including those that are a part of the nation's critical infrastructure. The FBI said it has identified more than 90 victims so far.
"Those include manufacturing, legal, insurance, healthcare, and energy," said Abbate.
Colonial Pipeline, the Alpharetta-based company, is responsible for almost half of the entire East Coast's fuel supply.
When the pipeline shut down, drivers started panic buying, which led to gas shortages in several states, including Georgia. Gov. Brian Kemp even signed an executive order for a state of emergency.
While it is not the first time the federal government has seized funds from a ransomware attack, it is a first-of-its-kind operation for the recently launched Ransomware and Digital Extortion Task Force.
Federal officials also encouraged other companies, explaining that if they are ever impacted by a ransomware attack they should work with law enforcement to see if there is a chance to deprive the "criminal actors" behind the scheme of their proceeds.
In a statement, Colonial Pipeline President and CEO Joseph Blount said when they were attacked on May 7, they quickly contacted prosecutors and FBI offices in Atlanta and San Francisco to share with them the information they had regarding the attack.
"Their efforts to hold these criminals accountable and bring them to justice are commendable," the statement reads in part. "As our investigation into this event continues, Colonial will continue its transparency in sharing intelligence and learnings with the FBI and other federal agencies. Our goal is to help our peers in the critical infrastructure space strengthen their cyber defenses and to collaborate across industry so that we can thwart these types of attacks before they happen."
"Together, through intelligence sharing and lessons learned, we can work to better protect our nation, its people, and our most critical assets," he added.