US officials said they have recovered $2.3m worth of the ransom payment made to hackers who shut down the Colonial Pipeline last month and disrupted the country’s fuel supplies for several days.
Justice department officials said on Monday that they had identified a virtual wallet used by suspected Russia-based ransomware group DarkSide from which they seized the funds in a rare instance of a ransom recovery.
The pipeline, which supplies almost half of the motor fuel consumed on the US east coast, was shut down for five days following the hack by DarkSide, triggering a run on petrol supplies as motorists rushed to fill their tanks.
“Ransomware attacks are always unacceptable, but when they target critical infrastructure, we will spare no effort in our response,” Lisa Monaco, the US deputy attorney-general, said. “Following the money remains one of the most basic, yet powerful tools we have.”
Joseph Blount, Colonial’s chief executive, told The Wall Street Journal that the company had paid a ransom in bitcoin worth $4.4m because it was “the right thing to do for the country” amid a growing debate over whether there should be a blanket ban on making payments to hackers.
Blount, who is due to testify at a congressional hearing this week, thanked the FBI on Monday for its “swift work and professionalism in responding to this event”.
He said the private sector had an “equally important role to play” in holding cyber criminals to account and added that Colonial would continue to collaborate and share information with federal agencies and the industry at large “so that we can thwart these types of attacks before they happen”.
Anonymous cryptocurrencies are the payment method of choice for cyber criminals. However, every transaction is recorded on an immutable blockchain, giving private and public sector investigators opportunities to monitor and trace payments.
The justice department said FBI officers had been able to track “multiple transfers” of cryptocurrency to one particular virtual currency wallet, totalling 63.7 of the 75 bitcoin paid. It said the FBI had the “private key” — the password needed to access the wallet — enabling the agency to seize the funds.
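The "following the money" idea above, as an added illustration that is not part of the article or of any FBI tooling: a toy transaction ledger is constructed inline (addresses, transaction ids and amounts are all placeholders; the 75 and 63.7 figures simply echo the article as sample numbers), and a simple proportional ("haircut") taint model is used to work out how much of the original ransom payment reached a chosen wallet and through which transfers. The account-style ledger is a deliberate simplification of Bitcoin's UTXO model, and the haircut rule is one of several taint conventions analytics tools use, chosen here for clarity.

```python
"""Toy 'follow the money' tracer for a constructed cryptocurrency ledger.

Added example, not code from the article. The ledger, addresses and amounts
are CONSTRUCTED placeholders; the taint rule is the proportional 'haircut'
model (an assumption about method, not a description of any real tool).
"""
from collections import defaultdict

# Constructed ledger, assumed to be in chronological order. Each entry moves
# `amount` coins from `src` to `dst`; real transactions can have many inputs
# and outputs, which this account-style simplification ignores.
LEDGER = [
    {"txid": "tx1", "src": "victim",      "dst": "ransom_addr",   "amount": 75.0},
    {"txid": "tx2", "src": "ransom_addr", "dst": "hop_a",         "amount": 50.0},
    {"txid": "tx3", "src": "ransom_addr", "dst": "hop_b",         "amount": 25.0},
    {"txid": "tx4", "src": "hop_a",       "dst": "seized_wallet", "amount": 48.7},
    {"txid": "tx5", "src": "hop_b",       "dst": "seized_wallet", "amount": 15.0},
    {"txid": "tx6", "src": "hop_b",       "dst": "exchange_x",    "amount": 10.0},
    {"txid": "tx7", "src": "unrelated",   "dst": "seized_wallet", "amount": 5.0},
]


def trace_taint(ledger, origin_txid):
    """Propagate 'tainted' (ransom-derived) coins through the ledger.

    Haircut rule: when an address spends, the outgoing transfer carries tainted
    coins in the same proportion as the tainted share of everything that
    address has received so far. Returns (taint_per_tx, tainted_in, total_in).
    """
    tainted_in = defaultdict(float)  # ransom-derived coins received, per address
    total_in = defaultdict(float)    # all coins received, per address
    tx_taint = {}                    # ransom-derived coins carried by each tx
    for tx in ledger:
        src, dst, amt = tx["src"], tx["dst"], tx["amount"]
        if tx["txid"] == origin_txid:
            taint = amt  # the ransom payment itself is fully tainted
        elif total_in[src] > 0:
            taint = amt * tainted_in[src] / total_in[src]
        else:
            taint = 0.0  # source has no traced inflows: treated as clean funds
        tx_taint[tx["txid"]] = taint
        tainted_in[dst] += taint
        total_in[dst] += amt
    return tx_taint, dict(tainted_in), dict(total_in)


def fund_flow_report(ledger, origin_txid, target):
    """Summarise how much of the ransom reached `target` and via which txs."""
    tx_taint, tainted_in, total_in = trace_taint(ledger, origin_txid)
    origin_amt = next(tx["amount"] for tx in ledger if tx["txid"] == origin_txid)
    reached = tainted_in.get(target, 0.0)
    feeders = [
        (tx["txid"], round(tx_taint[tx["txid"]], 8))
        for tx in ledger
        if tx["dst"] == target and tx_taint[tx["txid"]] > 0
    ]
    return {
        "target": target,
        "ransom_coins_reached": round(reached, 8),
        "total_received": round(total_in.get(target, 0.0), 8),
        "share_of_ransom": round(reached / origin_amt, 6),
        "tainted_inflows": feeders,  # (txid, ransom-derived coins) pairs
    }


if __name__ == "__main__":
    for wallet in ("seized_wallet", "exchange_x", "hop_b"):
        print(fund_flow_report(LEDGER, "tx1", wallet))
```

In the constructed ledger the seized wallet received 68.7 coins in total, but only 63.7 of them trace back to the ransom payment through tx4 and tx5; the 5 coins from the unrelated address are untainted, and a further 10 ransom coins went to the exchange instead. The same report function, run over an address-level export of real chain data, is the shape of the reconciliation an investigator would do before deciding which balance a seizure warrant should cover.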
It is unclear how exactly the FBI got hold of the hackers’ private key. Dave Jevans, chief executive of the blockchain analytics group CipherTrace, said the FBI is believed to have seized some of DarkSide’s servers, which “may have hosted wallet private keys”.
The Biden administration has vowed to crack down on ransomware hackers, who have taken advantage of the rise of cryptocurrencies to facilitate their operations. Many ransomware cartels typically operate from regions such as Russia, which lie outside the reach of extradition treaties with the US, leaving officials little recourse other than to attempt to disrupt their infrastructure.
Recovering a ransom is rare. Once hackers have received crypto payments, they typically use high-tech tools and techniques to try to throw investigators off track before cashing their funds into fiat via cryptocurrency exchanges, over-the-counter brokers or illegal marketplaces on the dark web.
The Colonial Pipeline stretches more than 5,500 miles across the eastern US, carrying petrol, diesel and jet fuel from Texas refineries to urban hubs from Atlanta to New York. At the peak of the panic-buying following the outage, as many as three-quarters of fuel stations in North Carolina were left without petrol.
The federal government waived some restrictions on road and sea transport and loosened environmental rules in order to keep supply lines open.
The incident underscored the vulnerability of critical US infrastructure to cyber attacks, following a push in recent years to digitise operations.
FBI deputy director Paul Abbate said the bureau had identified more than 90 victims of DarkSide’s ransomware strain across the manufacturing, legal, insurance, healthcare and energy sectors. The DarkSide strain was just one of more than 100 the bureau was currently investigating, he said.