Law enforcement officials said they were able to track multiple transfers of Colonial's May 8 ransom payment by reviewing the Bitcoin public ledger and identified $2.3 million of proceeds that had been transferred to a specific address.
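Tracing a payment across the public ledger comes down to following outputs from one transaction into the inputs of the next. The block below is an added illustration, not code from the article or from the investigators, and it runs over a constructed mini-ledger whose transaction IDs, addresses and amounts are invented for the example. It applies the common pro-rata "taint" heuristic (when tainted and clean inputs are spent together, every output inherits the tainted fraction of the total input value) and then lists which tainted outputs are still unspent, which is what a seizure warrant would have to name. Real tracing also needs address clustering and exchange attribution, which this omits.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

# Added example: pro-rata taint tracing over a CONSTRUCTED mini-ledger.
# Nothing here is a real transaction, address or amount.


@dataclass
class Tx:
    txid: str
    inputs: list[tuple[str, int]]     # references to earlier outputs: (txid, vout)
    outputs: list[tuple[str, float]]  # (address, amount in BTC)


# Constructed ledger in confirmation order (every input precedes the tx that spends it).
LEDGER = [
    Tx("ransom",  [("victim_funds", 0)],        [("bc1_attacker", 75.0)]),
    Tx("split",   [("ransom", 0)],              [("bc1_affiliate", 63.75), ("bc1_darkside", 11.25)]),
    Tx("clean",   [],                           [("bc1_unrelated", 21.25)]),  # unrelated funds
    Tx("mix",     [("split", 0), ("clean", 0)], [("bc1_hop1", 60.0), ("bc1_hop2", 25.0)]),
    Tx("cashout", [("mix", 0)],                 [("bc1_exchange", 59.0)]),     # 1 BTC paid as fee
]


def propagate_taint(ledger: list[Tx], origin: tuple[str, int]) -> dict[tuple[str, int], float]:
    """Return {(txid, vout): tainted_btc} for every output carrying value traceable to `origin`.

    Pro-rata rule: if a tx spends T tainted BTC out of I total input BTC, each output of
    amount A carries A * T / I of taint. Fees absorb their share, so taint shrinks per hop.
    """
    outputs: dict[tuple[str, int], float] = {}
    for tx in ledger:
        for vout, (_, amount) in enumerate(tx.outputs):
            outputs[(tx.txid, vout)] = amount
    if origin not in outputs:
        raise KeyError(f"origin output {origin} not in ledger")

    taint = {origin: outputs[origin]}
    for tx in ledger:
        tainted_in = sum(taint.get(ref, 0.0) for ref in tx.inputs)
        if tainted_in == 0.0:
            continue  # spends no traced value; also skips txs with no inputs
        total_in = sum(outputs[ref] for ref in tx.inputs)  # KeyError on a dangling reference
        fraction = tainted_in / total_in
        for vout, (_, amount) in enumerate(tx.outputs):
            taint[(tx.txid, vout)] = amount * fraction
    return taint


def taint_by_address(ledger: list[Tx], origin: tuple[str, int]) -> dict[str, float]:
    """Tainted BTC ever received by each address (spent or not), largest first."""
    addr_of = {(tx.txid, v): addr for tx in ledger for v, (addr, _) in enumerate(tx.outputs)}
    totals: dict[str, float] = defaultdict(float)
    for ref, amt in propagate_taint(ledger, origin).items():
        totals[addr_of[ref]] += amt
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))


def unspent_tainted(ledger: list[Tx], origin: tuple[str, int]) -> dict[tuple[str, int], float]:
    """Tainted outputs nobody has spent yet: the candidates a seizure warrant would name."""
    spent = {ref for tx in ledger for ref in tx.inputs}
    return {ref: amt for ref, amt in propagate_taint(ledger, origin).items() if ref not in spent}


if __name__ == "__main__":
    for addr, amt in taint_by_address(LEDGER, ("ransom", 0)).items():
        print(f"{addr:<16} {amt:8.4f} BTC traceable to the ransom output")
    print("still unspent:", unspent_tainted(LEDGER, ("ransom", 0)))
```

On the constructed ledger, 75 BTC leaves the ransom output; after the affiliate/provider split and one hop that blends 21.25 BTC of unrelated funds, 74.25 BTC of traced value sits in three unspent outputs (the rest went to fees). Note that the heuristic attributes value, not identity: the exchange address gets 44.25 BTC of taint, but whether the funds are recoverable there depends on who controls the key.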
Colonial Pipeline CEO Joseph Blount first said during an interview with The Wall Street Journal that about $4.4 million in cryptocurrency was paid to free the company's systems.
Monaco gave no details on how the money was recovered from DarkSide, but analysts believe it could have involved both FBI investigators and possibly the U.S. military's offensive cyber operations.
Ransomware gangs can move around, do not need much infrastructure to operate and can shield their identities.
The shutdown of Colonial Pipeline, which delivers roughly 45 percent of the East Coast's fuel, pushed up gas prices and led to days of outages at a significant share of gas stations in states such as Virginia, North Carolina, South Carolina and Georgia. "I know that's a highly controversial decision", he said. "I didn't make it lightly". Even so, it took nearly a week to decrypt the data with the tool the attackers supplied and to restart the flow of fuel.
The development, which was reported by Bloomberg on Friday, involved gaining an initial foothold in the network as early as April 29 through a VPN account that allowed employees to access the company's systems remotely. DarkSide's malware poses a double threat: it also exfiltrates data, giving the hackers extra leverage because they can threaten to publish sensitive files if they are not paid. Under DarkSide's affiliate model, the affiliate that carries out an attack keeps the bulk of the ransom, and DarkSide, as the ransomware provider, would have received the other 15%.
He said investigators found more than 90 companies victimized by DarkSide, a Russia-linked cybercrime group blamed in the pipeline attack.
The private key for the Bitcoin address used by DarkSide is now in the possession of the Federal Bureau of Investigation in the Northern District of California, according to an affidavit filed Monday to seize money from the Bitcoin wallet. "But the old adage, follow the money still applies". "We are all in this together", she said.
The 5,500-mile Colonial Pipeline system was closed after the most disruptive cyberattack on record, preventing millions of barrels of gasoline, diesel and jet fuel from flowing to the East Coast from the Gulf Coast.
Victims worldwide paid at least $412 million in ransom in 2020, according to Chainalysis, a firm that tracks cryptocurrency payments. An earlier Chainalysis estimate had put 2020 ransom payments at $350 million, itself a roughly 300% increase over 2019.
Cybersecurity experts and former federal prosecutors and agents blamed several trends for the spike. U.S. Cyber Command has also carried out offensive operations related to election security, including against Russian disinformation efforts during the 2018 U.S. midterm elections. Following the incident and an, the Department of Homeland Security's Transportation Security Administration (TSA). The Justice Department has launched a task force to better coordinate its approach to the crime wave.
The Justice Department announcement also earned praise from some private cybersecurity firms, with one calling the seizure of the ransom payment a "welcome development". Ransomware has become a significant, lucrative business.