US recovers most of $4.4 million ransom paid to Colonial Pipeline hackers

The company says it is grateful to FBI for its 'swift work and professionalism'

The US Justice Department says it has recovered the majority of the $4.4 million (£3.1m) ransom that was paid to perpetrators of the ransomware attack on Colonial Pipeline last month.

In an affidavit filed in the court, the US Justice Department said that the FBI was in possession of the private key to the criminals' Bitcoin wallet, which enabled agents to unlock the wallet and transfer bitcoins to another wallet under their control.

It is unclear how federal agents gained access to the key.

A judge in San Francisco approved the recovery of funds from this "cryptocurrency address," which the affidavit said was located in the Northern District of California.

"Today we turned the tables on DarkSide," Deputy Attorney General Lisa Monaco said in a press conference on Monday.

DarkSide is a Russia-linked cybercrime group blamed for the Colonial Pipeline attack.

Monaco said that investigators had "recaptured" 63.7 bitcoins, now valued at about $2.3 million, following a drop in the value of cryptocurrency in recent weeks.

"Following the money remains one of the most basic, yet powerful, tools we have," Monaco noted.

"Ransom payments are the fuel that propels the digital extortion engine, and today's announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises," she added.

Monaco also revealed that the ransom recovery operation was conducted as part of the "Department's recently launched Ransomware and Digital Extortion Task Force, which was established to investigate, disrupt and prosecute ransomware and digital extortion activity."

Deputy FBI Director Paul Abbate told reporters that investigators had identified more than 90 firms victimised by DarkSide.

Joseph Blount, CEO of Colonial Pipeline, said his company had worked closely with the FBI from the beginning and was grateful for the "swift work and professionalism" of the agency.

"Holding cyber criminals accountable and disrupting the ecosystem that allows them to operate is the best way to deter and defend against future attacks," he added.

Blount is scheduled to appear before the Senate today.

In an interview with Bloomberg earlier this week, Charles Carmakal, senior vice president at cybersecurity firm Mandiant, revealed that the Colonial Pipeline attackers used a single compromised VPN password to gain access to the company's network.

Carmakal said that attackers entered the company's networks on 29th April using a VPN account that was no longer in use.

A Colonial control room employee discovered the attack on 7th May, after seeing a ransom note demanding cryptocurrency. The employee immediately notified a supervisor, who started the process of shutting down the pipeline to contain the threat.

The shutdown sparked panic in the southeastern US, where residents were seen lining up at petrol pumps for several hours over fears of fuel shortage. Petrol prices rose as a result of fuel supply disturbance, and some stations ran out of fuel.

After it emerged that Colonial Pipeline had paid a ransom to the hackers, President Biden said that the government would take all necessary steps to disrupt the hackers' operations.

"We have been in direct communication with Moscow for the imperative for responsible countries to take decisive action against these ransomware networks," he said.

"We're also going to pursue a measure to disrupt their ability to operate."