US seizes $2.3 million Colonial Pipeline paid to ransomware attackers

Funds seized after Justice Department IDs Bitcoin wallet and obtains its private key.

The FBI said it has seized $2.3 million paid to the ransomware attackers who paralyzed the network of Colonial Pipeline and touched off shortages of gasoline and jet fuel up and down the East Coast last month.

In dollar amounts, the sum represents about half of the $4.4 million that Colonial Pipeline paid to members of the DarkSide ransomware group following the May 7 attack, The Wall Street Journal reported, citing the company's CEO. The DarkSide decryptor tool was widely known to be slow and ineffective, but Colonial paid the ransom anyway. In his interview with the WSJ, CEO Joseph Blount confirmed that those shortcomings prevented the company from using the tool, and that it instead had to rebuild its network by other means.

Cutting off the oxygen supply

On Monday, the US Justice Department said it had traced 63.7 of the roughly 75 bitcoins Colonial Pipeline paid to DarkSide, which the Biden administration says is likely located in Russia. The seizure is remarkable because it marks one of the rare times a ransomware victim has recovered funds it paid to its attacker. Justice Department officials are counting on their success to remove a key incentive for ransomware attacks—the millions of dollars attackers stand to make.

"Today, we deprived a cyber criminal enterprise of the object of their activity, their financial proceeds and funding," FBI Deputy Director Paul M. Abbate said at a press conference. "For financially motivated cyber criminals, especially those presumably located overseas, cutting off access to revenue is one of the most impactful consequences we can impose."


The Justice Department officials didn't say how they obtained the digital currency other than to say they seized it from a bitcoin wallet through court documents filed in the Northern District of California. The seizure is a badly needed victory by law enforcement in its uphill effort to curb the ransomware epidemic, which is hitting governments, hospitals, and companies—many providing critical infrastructure or services—with increasing regularity.

The seizure is consistent with a post from almost four weeks ago attributed to a DarkSide team leader. Without providing evidence, the post claimed that the group's website and content-distribution infrastructure had been seized by law enforcement, along with all the cryptocurrency it had received from victims.

If true, the seizure would represent a small fortune. According to recently released figures from cryptocurrency tracking firm Chainalysis, DarkSide netted at least $60 million in its first seven months starting last August, with $46 million of it coming in the first three months of this year. While it is not possible to corroborate that law enforcement has, in fact, obtained that much, Monday's disclosure shows it did obtain at least some of the digital assets DarkSide received.

During Monday's conference, Justice Department officials said they had tracked 90 victims who have been hit by DarkSide.

Paying by bitcoin rather than monero

Over the past year, ransomware has evolved from representing a financial risk to one that has the potential to disrupt critical services and cause loss of life. On several occasions, infections hitting hospitals caused outages that required the hospitals to cancel elective surgeries or reroute emergency patients to nearby facilities. Last week, JBS, the world's biggest producer of meat, temporarily shut facilities throughout the US and elsewhere after it lost control of its network to a ransomware group known as REvil.

The law enforcement success intensifies speculation that Colonial Pipeline paid the ransom not to gain access to a decryptor it knew was buggy but rather to help the FBI track DarkSide and its mechanism for obtaining and laundering ransoms.


The speculation is reinforced by the fact that Colonial Pipeline paid in bitcoin, even though that option added 10 percent to the ransom. Bitcoin is pseudonymous: names aren't attached to addresses, but every transaction is recorded on a public ledger, so the addresses and the coins they hold can still be tracked from one transfer to the next.

It's possible that Colonial Pipeline chose to pay the higher ransom at the behest of law enforcement because bitcoin can be tracked, while monero, the other currency DarkSide accepted, is designed to hide the sender, recipient, and amount of every transaction and is far harder to trace. Even if that is the case, it's not clear how law enforcement gained possession of the private key needed to empty the wallet.

"As alleged in the supporting affidavit, by reviewing the Bitcoin public ledger, law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim's ransom payment, had been transferred to a specific address, for which the FBI has the 'private key,' or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address," Monday's release stated. "This bitcoin represents proceeds traceable to a computer intrusion and property involved in money laundering and may be seized pursuant to criminal and civil forfeiture statutes."
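The "reviewing the public ledger" step in the release is what chain-analysis firms call taint tracing: start from the output that received the ransom, follow every transaction that spends it, and split the traceable amount across the outputs of each hop. The example below is an added illustration, not code from the article, the FBI, or any chain-analysis vendor. The ledger is constructed: the addresses are invented labels, the amounts merely echo the 75 BTC paid and 63.7 BTC recovered, and the proportional "haircut" rule (taint spreads across a transaction's outputs in proportion to value, with the miner fee losing its share) is one of several conventions an investigator might choose.

```python
"""Proportional ("haircut") taint tracing over a constructed UTXO ledger.

Added example; the transactions below are invented and are not the real
Colonial Pipeline / DarkSide transfers.
"""
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List, Tuple

# A Bitcoin output is identified by (txid, output index), exactly as on chain.
Outpoint = Tuple[str, int]


@dataclass
class Tx:
    txid: str
    inputs: List[Outpoint]                 # earlier outputs this tx spends
    outputs: List[Tuple[str, Fraction]]    # (address, amount in BTC)


def btc(s: str) -> Fraction:
    """Exact decimal BTC amount; floats would drift over several hops."""
    return Fraction(s)


# Constructed ledger in confirmation order. Transactions with no inputs stand
# in for history the investigation does not care about.
LEDGER = [
    Tx("fund_victim", [], [("victim_wallet", btc("75"))]),
    Tx("fund_other", [], [("unrelated_wallet", btc("10"))]),
    # the ransom payment: 75 BTC to the attackers' intake address
    Tx("ransom", [("fund_victim", 0)], [("intake", btc("75"))]),
    # attackers split the proceeds between two of their own addresses
    Tx("split", [("ransom", 0)],
       [("affiliate", btc("63.7")), ("operator", btc("11.3"))]),
    # the 63.7 BTC share is merged with 10 BTC of clean funds and re-split;
    # inputs total 73.7, outputs 73.65, so 0.05 BTC goes to miners as fee
    Tx("consolidate", [("split", 0), ("fund_other", 0)],
       [("cold_storage", btc("50")), ("change", btc("23.65"))]),
]


def trace_taint(ledger: List[Tx], seeds: List[Outpoint]) -> Dict[str, Dict[str, Fraction]]:
    """Follow funds forward from the seed outputs.

    Returns, for every address that still holds unspent outputs, its balance
    and how much of that balance is traceable to the seeds.  Taint is spread
    across each transaction's outputs in proportion to value (haircut rule);
    the part that goes to the fee is dropped, so traced totals never exceed
    the seeded amount.
    """
    by_id = {tx.txid: tx for tx in ledger}
    taint: Dict[Outpoint, Fraction] = {}
    for txid, vout in seeds:
        taint[(txid, vout)] = by_id[txid].outputs[vout][1]   # fully tainted

    spent: set = set()
    for tx in ledger:                                     # confirmation order
        total_in = sum((by_id[t].outputs[v][1] for t, v in tx.inputs), Fraction(0))
        tainted_in = sum((taint.get(ref, Fraction(0)) for ref in tx.inputs), Fraction(0))
        spent.update(tx.inputs)
        if tainted_in == 0:
            continue                     # no traced funds pass through this tx
        share = tainted_in / total_in    # fraction of every output that is tainted
        for vout, (_addr, amount) in enumerate(tx.outputs):
            taint[(tx.txid, vout)] = amount * share

    report: Dict[str, Dict[str, Fraction]] = {}
    for tx in ledger:
        for vout, (addr, amount) in enumerate(tx.outputs):
            if (tx.txid, vout) in spent:
                continue                 # only unspent outputs hold a balance
            entry = report.setdefault(addr, {"balance": Fraction(0), "tainted": Fraction(0)})
            entry["balance"] += amount
            entry["tainted"] += taint.get((tx.txid, vout), Fraction(0))
    return report


if __name__ == "__main__":
    for addr, e in trace_taint(LEDGER, [("ransom", 0)]).items():
        print(f"{addr:16s} balance {float(e['balance']):8.4f} BTC  "
              f"traceable to ransom {float(e['tainted']):8.4f} BTC")
```

Two things the numbers show that the prose does not: mixing traced coins with clean ones does not launder them under this rule, it only dilutes the share (cold_storage ends up holding 50 BTC of which roughly 43.2 BTC traces back to the ransom), and the only way an address drops out of the report is by being spent, which is what an investigator with the right private key does to it.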

With most of the ransomware groups headquartered in Russia or other Eastern European countries without extradition treaties with Western nations, US officials have largely been hamstrung in their efforts to bring the attackers to justice. It’s too early to know if the techniques that allowed the officials to track the funds Colonial Pipeline paid to DarkSide can be used in investigations of other ransomware attacks. If they do, law enforcement may have gained a powerful tool when it was needed most.
