
Deputy Attorney General Lisa Monaco announces the recovery of millions of dollars worth of cryptocurrency from the Colonial Pipeline Co. ransomware attacks at a news conference at the Justice Department in Washington, June 7, 2021.

JONATHAN ERNST/The Associated Press

The Justice Department has recovered most of a multimillion-dollar ransom payment made to hackers after a cyberattack that caused the operator of the nation’s largest fuel pipeline to halt its operations last month, officials said Monday.

The operation to recover the cryptocurrency from the Russia-based hacker group is the first undertaken by a specialized ransomware task force created by the Biden administration Justice Department, and reflects a rare victory as U.S. officials scramble to confront a rapidly accelerating ransomware threat that has targeted critical industries around the world.

“By going after the entire ecosystem that fuels ransomware and digital currency, we will continue to use all of our tools and all of our resources to increase the costs and the consequences of ransomware attacks and other cyber-enabled attacks,” Deputy Attorney General Lisa Monaco said at a news conference announcing the operation.


Georgia-based Colonial Pipeline, which supplies roughly half the fuel consumed on the East Coast, temporarily shut down its operations on May 7 after a gang of cybercriminals using the DarkSide ransomware variant broke into its computer system. The ransomware variant used by DarkSide, which has been the subject of an FBI investigation for the last year, is one of more than 100 that law enforcement officials have identified, said FBI Deputy Director Paul Abbate.

Colonial officials have said they took their pipeline system offline before the attack could spread to its operating systems, and decided soon after to pay ransom of 75 bitcoin – then valued at roughly $4.4 million – in hopes of bringing itself back online as soon as it could. The company’s chief executive is set to testify before congressional panels this week.

Cryptocurrency is favoured by cybercriminals because it enables direct online payments regardless of geographical location, but in this case, the FBI was able to identify a virtual currency wallet used by the hackers and recovered the proceeds from there, said the FBI’s Abbate.

Though the FBI generally discourages the payment of ransom, fearing it could encourage additional hacks, Monaco said one take-away for the private sector is that if companies come quickly to law enforcement after ransomware incidents, officials may be able to help them recover funds too.

The Bitcoin amount seized – 63.7, currently valued at $2.3 million after the price of Bitcoin tumbled – amounted to 85% of the total ransom paid. That is exactly the share the cryptocurrency-tracking firm Elliptic says it believes went to the affiliate who carried out the attack; the ransomware software provider, DarkSide, would have gotten the other 15%.

“The extortionists will never see this money,” said Stephanie Hinds, the acting U.S. attorney for the Northern District of California, where a judge approved the seizure warrant earlier Monday.

Ransomware attacks – in which hackers encrypt a victim organization’s data and demand a hefty sum for returning the information – have flourished. Last year was the costliest on record for such attacks. Hackers have targeted vital industries, as well as hospitals and police departments.


Weeks after the Colonial Pipeline attack, a ransomware attack attributed to REvil, a Russian-speaking gang that has made some of the largest ransomware demands on record in recent months, disrupted production at Brazil’s JBS SA, the world’s largest meat processing company.

The ransomware business has evolved into a highly compartmentalized racket, with labour divided among the provider of the software that locks data, ransom negotiators, hackers who break into targeted networks, hackers skilled at moving undetected through those systems and exfiltrating sensitive data – and even call centres in India employed to threaten people whose data was stolen, in order to pressure victims into paying.
