Ransomware attacks have expanded during 2021 with the attacks on Fujifilm, JBS Meat, and—of course—the Colonial Pipeline. Even U.S. Deputy Attorney General Lisa Monaco said in an announcement from the Department of Justice, "Ransomware attacks have increased in both scope and sophistication in the last year—targeting our critical infrastructure, businesses of all types, whole cities, and even law enforcement."
The ransom that Colonial Pipeline paid to Russian hacker group DarkSide went into the millions, but the U.S. government achieved a major milestone in recovering most of the ransom.
Colonial Pipeline paid a hefty chunk of change in ransom to the hackers
Ransomware negotiation is a sensitive practice. The negotiation process starts immediately, which gives defenders a window in which to try to secure their systems without paying a ransom. That doesn't always work out, as the Colonial Pipeline case shows.
Ultimately, Colonial had to shell out $4.4 million to DarkSide in order to secure its systems. Now, the Department of Justice reports that most of the ransom has been recovered.
The DOJ traced a Bitcoin wallet to recover the Colonial Pipeline ransom
Monaco reported in her announcement, "After Colonial Pipeline’s quick notification to law enforcement, and pursuant to a seizure warrant issued by the United States District Court for the Northern District of California earlier today, the Department of Justice has found and recaptured the majority of the ransom Colonial paid to the Dark Side Network in the wake of last month’s ransomware attack."
The $4.4 million that Colonial paid to DarkSide came in the form of 75 Bitcoin. The Department of Justice recovered 63.7 of those Bitcoin tokens. Because of Bitcoin's recent bear market, the value of that Bitcoin has diminished, which left the company with about $2.3 million.
How the government tracked DarkSide Russian hackers
How did the FBI find the Bitcoin used for the ransom? They traced the IP addresses that DarkSide hackers used for the cryptocurrency transfer. This wasn't an easy feat and took them weeks to accomplish.
While the addresses that Bitcoin uses are not tied to a named identity, the transaction data behind the transfer is not hidden. Because of this behind-the-curtain digging, officials were able to trace and ultimately recover the Bitcoin wallet containing most of the tokens.
DarkSide ransomware goes well beyond Colonial Pipeline
The shutdown of the 5,550-mile pipeline was a major cybersecurity blow, but the company isn't alone in its struggles. DarkSide has attacked other companies in the U.S., Brazil, Scotland, and beyond.
Monaco's suggestion to "invest the resources now" highlights the importance and uniqueness of a decidedly 21st-century problem. Ransomware has come into the spotlight over the course of the last year. It shows the need for upgraded cybersecurity and also the fragile nature of our world's supply chains.
Ultimately, the ability to recover ransoms that have already been paid out could be the best chance for the U.S. to combat this until companies are able to defend themselves properly. For the Colonial Pipeline, that's a reality already in place.