US officials say they have recovered $2.3m worth of ransom payments made to hackers who shut down the Colonial Pipeline last month, causing several days of disruption to the country’s fuel supplies.
Justice department officials said on Monday that they had identified a virtual wallet used by suspected Russia-based ransomware group DarkSide from which they seized the funds, in a rare instance of a ransom recovery.
The pipeline, which supplies almost half of the motor fuel consumed on the US east coast, was shut down for five days last month following the hack by DarkSide, triggering a run on petrol supplies as motorists rushed to fill their tanks.
“Ransomware attacks are always unacceptable, but when they target critical infrastructure, we will spare no effort in our response,” Lisa Monaco, the US deputy attorney-general, said.
Joseph Blount, Colonial’s chief executive, told The Wall Street Journal that the company had paid a ransom in bitcoin worth $4.4m at the time because it was “the right thing to do for the country”, amid a growing debate over whether there should be a blanket ban on making payments to hackers.
Both the FBI and the White House recommend against doing so, arguing that it only incentivises further blackmail activity.
Anonymous cryptocurrencies are the payment method of choice for cybercriminals. However, every transaction is recorded on an immutable public blockchain, giving private and public sector investigators opportunities to monitor and trace them.
Recovering a ransom is rare. Once hackers have received crypto payments, they typically use high-tech tools and techniques to try to throw investigators off track, before cashing their funds into fiat via cryptocurrency exchanges, over-the-counter brokers or illegal marketplaces on the dark web.
Colonial did not immediately respond to a request for comment.