Washington, D.C.
FBI National Press Office
(202) 324-3691
June 7, 2021

FBI Deputy Director Paul Abbate’s Remarks at Press Conference Regarding the Ransomware Attack on Colonial Pipeline

FBI Deputy Director Paul Abbate delivered the following remarks during a press conference in Washington, D.C., with Department of Justice officials announcing the seizure of ransom proceeds from the group DarkSide following the Colonial Pipeline network compromise. (Remarks as delivered)

Good afternoon, everyone.

Today the FBI successfully seized criminal proceeds from a bitcoin wallet that DarkSide ransomware actors used to collect a cyber ransom payment from a victim.

Since last year, we’ve been pursuing an investigation into DarkSide—a Russia-based cybercrime group.

The DarkSide ransomware variant is one of more than 100 ransomware variants that the FBI is currently investigating. DarkSide developers market their ransomware to criminal affiliates, who then conduct attacks and share a percentage of the proceeds with the developers, a scheme known as ransomware-as-a-service.

In this case, the FBI has identified more than 90 victims across multiple U.S. critical infrastructure sectors. Those include manufacturing, legal, insurance, health care, and energy.

Based on our investigation into DarkSide, and incredible work with other U.S. government partners, we identified a virtual currency wallet that the DarkSide actors used to collect a payment from a victim. Using law enforcement authorities, victim funds were seized from that wallet, preventing DarkSide actors from using them.

FBI Deputy Director Paul M. Abbate speaks at June 7, 2021 press conference in Washington, D.C., with Department of Justice officials announcing the seizure of ransom proceeds from the group DarkSide following the Colonial Pipeline network compromise.

FBI Deputy Director Paul Abbate speaks at a June 7, 2021 press conference regarding the seizure of $2.3 million in cryptocurrency allegedly representing the proceeds of a ransom payment to individuals in a group known as DarkSide, which targeted Colonial Pipeline and resulted in critical infrastructure being taken out of operation.

This is just the latest disruption that the FBI and DOJ have taken to impose risk and consequences on cyber adversaries.

Since announcing our new cyber strategy last year, we have dismantled the infrastructure of the Emotet criminal botnet through an unprecedented coalition of U.S. and international law enforcement and private industry partners. Additionally, we have joined other government partners to expose a cyber tool developed by the Russian GRU. We have also used legal authorities to remove malicious back doors installed on the networks of Microsoft Exchange Server customers across the United States. And just last week, DOJ announced the seizure of two command-and-control domains used by the perpetrators of a wide spear phishing campaign.

This focus on joint action and collaboration is exemplified by the National Cyber Investigative Joint Task Force, which brings together intelligence community, law enforcement, and cybersecurity agencies for a whole-of-government approach against these cyber threats.

Our partners in the intelligence community and across government are central to these efforts. Leveraging each of our authorities and capabilities enables us to conduct coordinated operations to respond to and deter malicious activity from groups like DarkSide.

There’s a lot of exceptional behind-the-scenes teamwork that goes into both identifying effective ways to target adversaries, and predicating actions that we may take against them.

I want to give major thanks to the incredibly hard-working agents, intelligence analysts, and professional staff of the FBI’s Atlanta and San Francisco Field Offices and the FBI Cyber Division, along with the government-wide partners who assisted in this investigation and seizure.

These cases require a significant level of determination and technical expertise, and without a doubt, every individual involved displayed that through the achievements reflected here today.

We continue to be committed to using the information and intelligence we develop through our investigations to take early, meaningful steps to protect the public and be preventative.

We will continue to work relentlessly and seek innovative ways to use our unique authorities, world-class capabilities, and enduring partnerships for maximum impact against our adversaries.

Today, we deprived a cyber-criminal enterprise of the object of their activity—their financial proceeds and funding. For financially motivated cyber criminals, especially those presumably located overseas, cutting off access to revenue is one of the most impactful consequences we can impose.

When the FBI combines our law enforcement and intelligence authorities with those of our partners in government and the cooperative relationship with private industry, and when we have victims willing to share information to further our collective efforts against cyber adversaries, we can have immediate, permanent effect on ransomware actors.

That is why it is so critical for victims to report intrusions to us as soon as possible and then work with us to provide evidence and intelligence for our investigations, leading to recovery, attribution, and, ultimately, prevention.

Victim reporting not only can give us the information we need to have immediate, real-world impact on the actors, it can also help prevent future intrusions into other victim networks and prevent further harm from occurring.

With continued cooperation and support from victims, private industry, and our U.S. and international partners, we will bring to bear the full weight and strength of our combined efforts and resources against those actors who think nothing of threatening public safety and our national security for profit.

Thank you.