In a video press conference today, US officials said they recovered the vast majority of the $4.3 million that Colonial Pipeline paid to a ransomware gang last month after the hackers encrypted its IT network in a security incident that disrupted fuel supply for the entire US East Coast.
“After Colonial Pipeline’s quick notification to law enforcement, and pursuant to a seizure warrant issued by the United States District Court for the Northern District of California earlier today, the Department of Justice has found and recaptured the majority of the ransom Colonial paid to the Dark Side Network in the wake of last month’s ransomware attack,” said Lisa Monaco, Deputy Attorney General for the US Department of Justice.
According to court documents, officials said they recovered 63.7 Bitcoin out of the 75 Bitcoin payment that Colonial Pipeline sent to the Darkside ransomware gang in early May.
The recovered sum, seized from a single Bitcoin address, represents around 85% of the initial ransom payment. That is roughly the share a Darkside affiliate group would keep from a ransom, with the rest going to the creators and operators of the Darkside ransomware-as-a-service (RaaS) platform.
FBI investigators said they tracked the ransom payment across multiple Bitcoin addresses as the Darkside group moved the funds around. They were able to seize the funds after obtaining the private key for one of those addresses; whoever holds the private key can spend the bitcoin it controls, much as a password grants access to an account.