The seizure of ransom paid by Colonial Pipeline to Russian hacking ring DarkSide is the first recovery by a new U.S. Department of Justice task force dedicated to ransomware.
"The sophisticated use of technology to hold businesses and even whole cities hostage for profit is decidedly a 21st century challenge," Deputy Attorney General Lisa Monaco said, announcing the recovery. "But the old adage, 'follow the money,' still applies."
"Today we turned the tables on DarkSide," she said.
The department said it seized approximately $2.3 million in Bitcoin paid to the criminal hacking group. For more than a year, the Federal Bureau of Investigation (FBI) has been investigating DarkSide, which is said to share malware tools with other criminal hackers.
The ransom recovery conducted by the department's new digital extortion unit is a positive conclusion for a company that suffered a crippling cyberattack as a result of ransomware.
In an interview in May, Colonial Pipeline chief executive Joseph Blount told The Wall Street Journal the company complied with the $4.4 million ransom demand because authorities didn't know the scope of the hacker intrusion or how long it would take to restore operations.
However, behind the scenes, the company took early efforts to notify the FBI and followed instructions that assisted investigators in tracking the payment to a cryptocurrency wallet used by the hackers believed to be based in Russia.
The ransomware attack on Colonial Pipeline in early May forced the company to shut its pipeline operations for 11 days, resulting in panic buying and fuel shortages over most of the southeastern U.S. The hackers, who had encrypted data on the company's networks, demanded millions of dollars in ransom to unlock the system.
According to Chainalysis, DarkSide received $14 million in ransom in 2020. It made $46 million in the first three months of this year before it declared it had lost access to its servers.
In April, the department created a task force to combat ransomware and digital extortion. Officials said its objective was to investigate, disrupt and prosecute ransomware and digital extortion.