The US Department of Justice (DoJ) has recovered most of the $4.4 million ransom that Colonial Pipeline paid to the DarkSide ransomware gang. On 7 May, Colonial Pipeline (the company that operates the largest US natural gas pipeline) suffered a cyber-attack by the DarkSide ransomware gang, forcing it to shut down the pipeline, which led to temporary gas shortages on the east coast of the United States.

Due to the critical nature of the outage, Colonial Pipeline paid a $4.4 million ransom to the hackers to receive a decryption key and quickly bring its systems back online.


Colonial Pipeline: most of the ransom paid to DarkSide recovered

The DarkSide ransomware gang shut down its "business", after it faced a great deal of scrutiny from the US government and law enforcement.

At a press conference on 7 June, the DoJ announced that it had seized a cryptocurrency wallet used by the DarkSide ransomware gang, which contained the ransom paid by Colonial Pipeline.

In a declaration filed in the U.S. District Court for the Northern District of California, an FBI agent stated that law enforcement had gained control of the private key belonging to a Bitcoin wallet that held the Colonial Pipeline ransom.


Possession of a cryptocurrency wallet's private key gives full control over the wallet and the funds it holds. Using this private key, the FBI recovered 63.7 Bitcoin paid by Colonial Pipeline, said Deputy Attorney General Lisa Monaco. With the significant drop in the price of Bitcoin to $36,000, after a high of $63,000 in April, the recovered Bitcoin is worth approximately $2.26 million at today's prices.

It is unclear how the FBI gained access to the private key of DarkSide's wallet; however, on 14 May the gang claimed to have lost access to one of its payment servers.

In addition, a few hours after the seizure, the DarkSide ransomware gang told its partners that money from the payment server (belonging to the gang and its customers) had been transferred to an unknown account.



Monaco also stated that this is the first operation of its kind conducted by the Ransomware and Digital Extortion Task Force, which only recently began its work.

In particular, she said the following: "The seizure announced today was made as part of the recent operation of the Ransomware and Digital Extortion Task Force, created to investigate, disrupt and prosecute ransomware and digital extortion activity. It is the first operation of its kind by the Task Force."

This recovery may be the first time the US government has publicly stated that it has recovered ransoms paid to a ransomware gang.