Written by Tim Starks

The Justice Department announced Monday that it had retrieved $2.3 million in cryptocurrency payments Colonial Pipeline made in the DarkSide ransomware attack.

In May, Colonial — which delivers an estimated 45% of fuel consumed on the East Coast — paid its attackers $4.4 million worth of cryptocurrency in an incident that propelled ransomware into visibility it didn’t previously have in the U.S.

On Monday, pursuant to a seizure warrant issued by the United States District Court for the Northern District of California, the department got some of that payment back, DOJ officials said at a news conference.

“The sophisticated use of technology to hold businesses and even whole cities hostage for profit is a decidedly 21st century challenge — but the old adage ‘follow the money’ still applies,” Deputy Attorney General Lisa Monaco said. “Today we turned the tables on DarkSide.”

It’s not the first time DOJ has seized cryptocurrency proceeds from the grasp of ransomware gangs. The government seized the equivalent of $454,530 in a January operation against a gang known as NetWalker. The $2.3 million is a relative fraction of the haul for ransomware operators, who netted an estimated tens of billions of dollars in 2020.

The DOJ’s seizure in the Colonial case is part of a barrage of actions the Biden administration is taking against the ransomware scourge, elevated in part by the Colonial attack and also in part by an attack on major meat supplier JBS.

The FBI is currently investigating more than 100 ransomware variants and has identified more than 90 DarkSide victims across U.S. critical infrastructure, including the energy, health care, insurance, legal and manufacturing sectors, said FBI Deputy Director Paul Abbate. DarkSide is believed to be Russia-based and works with affiliates who use its ransomware.

Working with government partners, “we identified a virtual currency wallet that the DarkSide actors used to collect a payment from a victim,” Abbate said. “Using law enforcement authorities, victim funds were seized from that wallet, preventing Darkside actors from using it.”

Monaco said the message from the retrieval was that working with law enforcement may be able to deprive ransomware attackers of what they’re seeking, although there’s no guarantee. The FBI officially discourages ransomware victims from paying, since doing so may only fuel further attacks.

Colonial said in response to the cryptocurrency seizure that the company made the right decision to “quickly and quietly” notify law enforcement. “Holding cyber criminals accountable and disrupting the ecosystem that allows them to operate is the best way to deter and defend against future attacks of this nature,” said CEO Joseph Blount.

Besides the Biden administration surge of anti-ransomware activity, policymakers are debating other ways to combat the phenomenon, many of them focused on payment methodology. Energy Secretary Jennifer Granholm said over the weekend that she supports a legal ban on ransomware payments, although some senators weren’t quite ready to go that far on weekend news shows. The Biden administration writ large is studying how better to regulate cryptocurrency, the preferred payment method of most ransomware gangs.

Updated, 6/7/21: with statement from Colonial.