WASHINGTON, DC — The U.S. Justice Department has recovered the majority of a multimillion-dollar ransom payment to hackers after a cyberattack that caused the operator of the nation’s largest fuel pipeline to halt its operations last month.
The operation to recover the cryptocurrency from the Russia-based hacker group is the first undertaken by a specialized ransomware task force created by the Biden administration Justice Department.
Colonial Pipeline, which originates in Houston and supplies roughly half the fuel consumed on the East Coast, temporarily shut down its operations on May 7 after a gang of criminal hackers known as DarkSide broke into its computer system.
“Earlier today, the Department of Justice has found and recaptured the majority of the ransom Colonial paid to the DarkSide network in the wake of last month’s ransomware attack. Ransomware attacks are always unacceptable — but when they target critical infrastructure, we will spare no effort in our response,” Deputy Attorney General Lisa Monaco said at a news conference.
“Today, we turned the tables on DarkSide,” she added. “By going after the entire ecosystem that fuels ransomware and digital extortion attacks, including criminal proceeds in the form of digital currency, we will continue to use all of our tools, and all of our resources to increase the cost and the consequences of ransomware attacks and other cyber-enabled attacks.”
Asked by ABC News whether the seizure would really deter other hacking groups, given that it amounts to only roughly half of what Colonial paid in ransom and that the group, which operates out of Russia, is unlikely to face criminal consequences for the attack, Monaco said she “wouldn’t get ahead of the investigative efforts and full consequences associated with the ongoing investigation.”
“The message today is we will bring all of our tools to bear, to go after these criminal networks, including the ecosystem and the illicit and the abuse, frankly, of the online infrastructure that they use in terms of the digital currency to perpetrate these schemes,” she said.
Monaco also used Monday’s announcement to urge companies to take preemptive action.
“In this heightened threat landscape, we all have a role to play in keeping our nation safe. No organization is immune. So today I want to emphasize to leaders of corporations and communities alike, the threat of severe ransomware attacks poses a clear and present danger to your organization, to your company, to your customers, to your shareholders, and to your long-term success,” she warned.
“So pay attention now. Invest resources now. Failure to do so could be the difference between being secure now, or a victim later,” she said.
In an effort to get more cooperation from companies, the Department of Homeland Security announced shortly after Colonial Pipeline was hacked that it would require all pipeline companies to report a cyber incident within hours of its occurrence.
The directive came from the Transportation Security Administration, an arm of DHS known for protecting the skies that also oversees pipeline security.
Companies will be required to report pipeline-related cyberattacks to the Cybersecurity and Infrastructure Security Administration within 12 hours of the breach; to put in place a 24/7 cyber coordinator who can respond to incidents and coordinate with the TSA; and to fix the breached pipeline within 30 days and outline a plan to proceed.