The US Department of Justice said on Monday that it has recovered 63.7 bitcoins (worth $2.3 million) paid by Colonial Pipeline to the DarkSide ransomware extortionists on May 8, under a seizure warrant issued by the Northern District of California.
Even though the company paid a ransom of about 75 bitcoins ($4.4 million as of May 8) to regain access to its systems, the ransomware attack disrupted the pipeline firm’s fuel supply, prompting the government to declare an emergency.
“Ransomware attacks are always unacceptable but when they target critical infrastructure we will spare no effort in our response,” Deputy Attorney General Lisa Monaco told reporters on Monday.
Law enforcement identified a virtual wallet used in the ransom payment and then retrieved the funds, according to Deputy FBI Director Paul Abbate.
Investigators have identified more than 90 organizations that have been affected by DarkSide, the Russia-linked cybercrime gang suspected of the pipeline breach, according to Abbate.
The ransomware-as-a-service syndicate dissolved with a May 14 farewell message to affiliates, alleging that its internet servers and cryptocurrency stash had been seized by undisclosed law enforcement authorities, a week after the highly publicized attack.
While DarkSide’s announcement was interpreted as a hoax, the Department of Justice’s current move validates earlier reports of law enforcement involvement.
The DarkSide ransomware gang shut down its operations after coming under increased scrutiny from the US government and law enforcement.
The US Department of Justice revealed at the press conference that it had seized a cryptocurrency wallet used by the DarkSide ransomware gang, which held the ransom payment from Colonial Pipeline.
In an affidavit filed in the United States District Court for the Northern District of California, an FBI agent states that law enforcement obtained control of the private key belonging to a DarkSide Bitcoin wallet that held the Colonial Pipeline ransom payment.
Whoever holds the private key of a cryptocurrency wallet has complete control over the wallet and its contents, since the key is all that is needed to sign transactions moving the funds.
It’s unclear how the FBI obtained the private key, although DarkSide had previously stated that one of its payment servers had been compromised.
According to Deputy Attorney General Lisa O. Monaco, this is the first operation of its kind by the recently established Ransomware and Digital Extortion Task Force.
Using that private key, the FBI was able to recover 63.7 of the 75 Bitcoins transferred by Colonial Pipeline.
The recovered bitcoins are worth around $2.26 million at today’s prices, reflecting the sharp drop in the price of Bitcoin since the payment was made.
This could be the first time the US government has officially announced that a ransom payment made to a ransomware organization has been recovered.