
Feds recover $2.3 million from Colonial Pipeline ransom

The Department of Justice announced Monday it had recovered $2.3 million in ransom paid by Colonial Pipeline.

The update comes about a month after the Colonial Pipeline briefly shut down following a ransomware attack by DarkSide, which infected its business networks. Colonial is a major gasoline supplier to the East Coast, and the shutdown spurred fears of a gas shortage.

The announcement is compelling, as the public and private sector alike struggle to manage the response to a recent surge of ransomware attacks. More frequent recovery of funds after a ransom payment could shift the risk dynamic associated with these attacks for the business community, while also removing the payoff for attackers.

"Today we deprived a cybercriminal enterprise of the object of their activity, their financial proceeds and funding," said FBI Deputy Director Paul Abbate at a press conference announcing the recovery. "For financially motivated cybercriminals, especially those presumably located overseas, cutting off access to revenue is one of the most impactful consequences we can pose."

The recovered funds totaled 63.7 bitcoin out of the 75 bitcoin originally paid. In terms of bitcoin, that's 85% of the original ransom. But due to fluctuations in the price of bitcoin, the equivalent dollar value of that bitcoin is substantially lower than what Colonial initially paid. Colonial will retrieve around $2.3 million worth of the cryptocurrency; the original ransom was valued at $4.4 million.

According to the Department of Justice, the FBI executed a warrant to seize the bitcoin from a wallet it had the private keys to access. The warrant was issued by Laurel Beeler, U.S. Magistrate Judge for the Northern District of California.

"Ransomware attacks are always unacceptable. But when they target critical infrastructure, we will spare no effort in our response," said Deputy Attorney General Lisa Monaco.

Monaco urged business owners to tighten security against ransomware, noting it could be the "difference between being secured now, or a victim, later."

Colonial accelerated a nascent debate on how businesses and governments need to disrupt a growing ransomware threat. Since the Colonial Pipeline attack, similar attacks have plagued the massive meat supplier JBS and FujiFilm. A multi-stakeholder task force offered several potential paths for the government.

Tom Kellermann, the head of cybersecurity strategy for VMware, who serves on the Secret Service's Cyber Investigations Advisory Board, said any ability for the Department of Justice to claw back funds is an opportunity to address the issues that lead to ransomware in the first place.

"It’s critical that recovered ransomware payments be invested back into cybersecurity," he said.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
