The US Department of Justice has recovered the majority of the $4.4 million ransom payment paid by Colonial Pipeline to the DarkSide ransomware operation.
On May 7th, Colonial Pipeline suffered a DarkSide ransomware attack that forced them to shut down their fuel pipeline operation. This shutdown led to temporary gas shortages on the east coast as people began to rush to stock up on gasoline.
Due to the critical nature of the outage, Colonial Pipeline paid a $4.4 million ransom to the DarkSide ransomware operation that allowed them to receive a decryption key and quickly bring their systems back online.
Faced with increased scrutiny by the US government and law enforcement, the DarkSide ransomware gang shut down their operation.
DOJ recovers a portion of ransom payment
In a Justice Department press conference, the US Department of Justice announced today that seized a cryptocurrency wallet used by DarkSide ransomware that contained the ransom payment from Colonial Pipeline.
In an affidavit submitted to the U.S. Court for the Northern District of California, an FBI agent states that law enforcement gained control of a private key belonging to a DarkSide Bitcoin wallet holding the Colonial Pipeline ransom payment.
Having access to a cryptocurrency wallet’s private key allows for full access to the wallet and its funds.
Using this private key, the FBI recovered 63.7 Bitcoins of the approximately 75 Bitcoin payment sent by Colonial Pipeline. With the significant decrease in the price of Bitcoins since the payment, the recovered bitcoins are worth roughly $2.26 million at today’s prices.
It is not clear how the FBI gained access to the private key for the DarkSide wallet, but on May 14th, the ransomware gang claimed to have lost access to one of their payment servers.
“In addition, a couple of hours after the seizure, funds from the payment server (belonging to us and our clients) were withdrawn to an unknown account,” the DarkSide ransomware operation told its affiliates.
If the private key was stored on this server to send payments to their affiliates, it is possible that the FBI recovered it when law enforcement seized the server.
Deputy Attorney General Lisa O. Monaco states that this is the first operation of this kind conducted by the recently launched Ransomware and Digital Extortion Task Force.
“The seizure announced today was conducted as part of the Department’s recently launched Ransomware and Digital Extortion Task Force, which was established to investigate, disrupt and prosecute ransomware and digital extortion activity. This is the Task Force’s first operation of this kind.”
This recovery may be the first time the US government has publicly stated that they have recovered a ransom payment paid to a ransomware operation.