United States law enforcement has clawed back approximately $2.3 million of the ransom allegedly paid to DarkSide by Colonial Pipeline last month, the Department of Justice (DOJ) and FBI announced in a joint press conference on Monday.
“Today we turned the tables on DarkSide,” FBI Deputy Director Paul Abbate said in live-streamed remarks.
They seized the money – in the form of 63.7 bitcoins – by reviewing the Bitcoin public ledger, as the DOJ described in a press release. Law enforcement tracked multiple transfers of bitcoin and were able to identify that about 63.7 of the bitcoins paid by Colonial Pipeline Co. after the May 7 ransomware attack were transferred to a specific address – an address that the FBI controls.
“Law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim’s ransom payment, had been transferred to a specific address, for which the FBI has the ‘private key,’ or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address,” according to the DOJ’s press release. “This bitcoin represents proceeds traceable to a computer intrusion and property involved in money laundering and may be seized pursuant to criminal and civil forfeiture statutes.”
In fact, the FBI laid the snare from the get-go, when Colonial alerted the bureau to the attack, the DOJ said during Monday’s press conference. In that attack, the DarkSide ransomware-as-a-service (RaaS) gang seized Colonial’s systems, forcing Colonial – a major provider of liquid fuels to the East Coast – to temporarily halt all pipeline operations.
The shutdown sent fuel prices skyrocketing and prompted fuel stockpiling, as images of people piling plastic bags full of gas or stacking fuel containers in their car trunks made the rounds on social media. The ransomware attack also triggered the Biden administration to issue an emergency declaration that covered 17 states and Washington D.C.
Perhaps the tables were turned, but only about half-way: Colonial reportedly shelled out $5 million in ransom to DarkSide. Do the math, and it means that the DarkSide threat actors still walked away with about half of the cryptocurrency. Given that the group is believed to be located in Russia, they’re also unlikely to face criminal action on the part of the US government.
Hit ‘Em Where It Hurts
But, as Abbate pointed out and all those in attendance at the press conference emphasized, law enforcement did manage to deprive DarkSide of what the group is after: Namely, profit. DarkSide said the same thing early on in this, the attack that sent out still-spreading ripples: they were after profit, not to disrupt critical infrastructure. The gang asserted in a statement that they’re “apolitical” and don’t want to be tied to any government activity or disruptions.
Or, to put it more succinctly, as many observers saw it, DarkSide didn’t know what it was getting itself into, making the Colonial attack a “very big oops”, as one security expert put it. DarkSide was paralyzed itself a week after the attack: Its operators announced that they had lost access to the public part of the group’s infrastructure. Specifically, the servers for its blog, payment processing and denial-of-service (DoS) operations had been seized. DarkSide didn’t specify the country in which those servers operated or whose law enforcement seized them.
Turning Off the Bitcoin Tap
“Following the money remains one of the most basic, yet powerful tools we have,” Deputy Attorney General Lisa O. Monaco was quoted as saying in the press release. “Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises. We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks.”
The task force that handled the Bitcoin seizure included the Special Prosecutions Section and Asset Forfeiture Unit of the U.S. Attorney’s Office for the Northern District of California, with assistance from the DOJ Criminal Division’s Money Laundering and Asset Recovery Section and Computer Crime and Intellectual Property Section, and the National Security Division’s Counterintelligence and Export Control Section. It was coordinated through the DOJ’s Ransomware and Digital Extortion Task Force, which was created to combat the growing number of ransomware and digital extortion attacks. In fact, the DarkSide seizure was the task force’s first action.
Monday’s announcement demonstrates how crucial it is to notify law enforcement early on if an organization is targeted with ransomware, Monaco said, thanking Colonial for doing just that: Quickly notifying the FBI when the company learned that it had been targeted by DarkSide.
The Grateful Company Responds
In response to the DOJ’s press conference, Colonial Pipeline issued a statement that heaped praise on the law enforcement agencies that dragged the ransom funds out of DarkSide’s digital wallet.
“The FBI is the premier law enforcement agency in the world and we are grateful for their swift work and professionalism in responding to this event,” President and CEO Joseph Blount said in the statement. “Holding cyber criminals accountable and disrupting the ecosystem that allows them to operate is the best way to deter and defend against future attacks of this nature. The private sector also has an equally important role to play and we must continue to take cyber threats seriously and invest accordingly to harden our defenses.”
He continued, describing how the company “quietly and quickly” contacted the local FBI field offices in Atlanta and San Francisco following the May 7 attack, in addition to reaching out to prosecutors in Northern California and Washington D.C. to share with them what the company knew at that time.
“The Department of Justice and FBI were instrumental in helping us to understand the threat actor and their tactics,” Blount said. “Their efforts to hold these criminals accountable and bring them to justice are commendable.”
Colonial’s investigation into the attack is ongoing. “Our goal is to help our peers in the critical infrastructure space strengthen their cyber defenses and to collaborate across industry so that we can thwart these types of attacks before they happen,” Blount expounded. “Together, through intelligence sharing and lessons learned, we can work to better protect our nation, its people, and our most critical assets.”
060721 17:35 UPDATE: Added response from Colonial Pipeline.
Download our exclusive FREE Threatpost Insider eBook, “2021: The Evolution of Ransomware,” to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story and DOWNLOAD the eBook now – on us!