Justice Department recovers $2.3 million paid by Colonial Pipeline to ransomware gang – Krebs on Security
The US Department of Justice said today that it recovered $2.3 million worth of Bitcoin that Colonial Pipeline paid to ransomware extortionists last month. The funds had been sent to DarkSide, a ransomware-as-a-service syndicate that disbanded after a May 14 farewell message to affiliates saying its Internet servers and cryptocurrency stash had been seized by unknown law enforcement entities.
On May 7, the DarkSide ransomware gang launched its attack on Colonial, which ultimately paid 75 Bitcoin (~$4.4 million) to its tormentors. The company said the attackers only affected its corporate computer networks – not its pipeline security and safety systems – but it still shut down the pipeline as a precaution. [Several publications noted Colonial shut down its pipeline because its billing system was impacted, and it had no way to get paid.]
On or around May 14, DarkSide’s representative on several Russian-language cybercrime forums posted a message saying the group was shutting down.
“Servers were seized, advertisers and founders’ money was transferred to an unknown account,” the farewell message read. “The hosting support, apart from the information ‘at the request of the law enforcement’, does not provide any other information.”
Numerous security experts have said they suspect DarkSide will keep a low profile for some time thanks to the heat from the Colonial attack, and that the group will reappear under a new banner in the coming months. While that may be true, the seizure announced today by the DOJ certainly supports the DarkSide administrator’s claims that the shutdown was involuntary.
Security firms have suspected for months that the DarkSide gang shares some leadership with that of REvil, aka Sodinokibi, another ransomware-as-a-service platform that shut down in 2019 after bragging about extorting more than $2 billion from victims. That suspicion was further heightened when the REvil admin added his comments to the announcement of DarkSide’s shutdown (see screenshot above).
First appearing on Russian-language hacking forums in August 2020, DarkSide is a ransomware-as-a-service platform that vetted cybercriminals can use to infect businesses with ransomware and to conduct negotiations and payments with victims. DarkSide says it only targets large corporations and bars affiliates from dropping ransomware on organizations in several industries, including healthcare, funeral services, education, the public sector, and nonprofits.
According to analysis released on May 18 by cryptocurrency security company Elliptic, 47 cybercrime victims paid DarkSide a total of $90 million in Bitcoin, putting the average ransom payment for DarkSide victims at just under $2 million.
HOW DID THEY DO IT?
The DOJ announcement left open the question of exactly how it was able to recover part of the payment made by Colonial, which shut down its fuel pipeline from Houston to New England for a week, causing long lines, gas price hikes and shortages at gas stations across the country.
The DOJ said law enforcement was able to track multiple bitcoin transfers and identify that around 63.7 bitcoin (~$3.77 million on May 8), “representing the proceeds of the payment of the victim’s ransom, had been transferred to a specific address, for which the FBI has the ‘private key’ or the approximate equivalent of a password needed to access assets accessible from the specific Bitcoin address.”
How it got this private key is the key question. Nicholas Weaver, a lecturer in the computer science department at the University of California, Berkeley, said the most likely explanation is that law enforcement officers seized money from a specific DarkSide affiliate tasked with providing the criminal gang with initial access to Colonial’s systems.
“The ‘obtained the private key’ part of their statement does a lot of work,” Weaver said, noting that the amount recovered by the FBI was less than the total amount paid by Colonial.
“This is ONLY the Colonial Pipeline ransom, and it appears to be just the Affiliate’s take.”
Experts at Elliptic came to the same conclusion.
“Any ransom payment made by a victim is then shared between the affiliate and the developer,” wrote Elliptic co-founder Tom Robinson. “In the case of the Colonial Pipeline ransom payment, 85% (63.75 BTC) went to the affiliate and 15% went to the developer DarkSide.”
The Biden administration is under increasing pressure to do something about the epidemic of ransomware attacks. Along with today’s action, the DOJ drew attention to the victories of its ransomware and digital extortion task force, which have included successful prosecutions of crooks behind threats such as the NetWalker and SamSam ransomware strains.
The DOJ also published a June 3 memo from Deputy Attorney General Lisa O. Monaco calling on all federal prosecutors to heed new guidelines to centralize reporting on ransomware victims.
One of the main recommendations of a ransomware task force led by some of the world’s largest tech companies was to have a central place where law enforcement and intelligence agencies can come together and take action against ransomware threats. In an 81-page report, the industry-led task force called for an international coalition to fight ransomware criminals and a global network of investigation centers. Its recommendations focus primarily on disrupting ransomware gangs by limiting their ability to get paid and by targeting the individuals and finances of the organized thieves behind these crimes.