The FBI said it seized $2.3 million paid to the ransomware attackers who crippled the Colonial Pipeline network and disrupted gasoline and jet fuel supplies along the East Coast last month.
In dollar terms, the amount is roughly half the $4.4 million Colonial Pipeline paid to members of the DarkSide ransomware group after the May 7 attack, the Wall Street Journal reported, citing the company’s CEO. The DarkSide decryption tool was widely known to be slow and ineffective, but Colonial paid the ransom anyway. In an interview with the WSJ, CEO Joseph Blount confirmed that the tool’s shortcomings prevented the company from making use of it, and that it instead had to restore its network by other means.
Cut off the oxygen supply
On Monday, the U.S. Department of Justice said it had tracked 63.7 of the roughly 75 bitcoins Colonial Pipeline paid to DarkSide, a group the Biden administration says is likely based in Russia. The seizure is noteworthy as one of the rare instances in which a ransomware victim recovers funds paid to its attacker. Justice Department officials are counting on such successes to remove an important incentive for ransomware attacks – the millions of dollars that attackers can make.
“Today we have deprived a cybercriminal company of the object of its activity, its financial income and its funding,” said FBI Deputy Director Paul M. Abbate at a press conference. “For financially motivated cyber criminals, especially those presumably overseas, blocking access to revenue is one of the most powerful consequences we can impose.”
Justice Department officials did not say how they obtained the digital currency, other than that they seized it from a Bitcoin wallet, citing court documents filed in the Northern District of California. The seizure is a much-needed victory for law enforcement agencies in their efforts to contain the ransomware epidemic that hits governments, hospitals, and businesses – many of which provide critical infrastructure or services – with increasing frequency.
The seizure is in line with a post from just under four weeks ago attributed to a DarkSide team leader. Without providing evidence, the post claimed that the group’s website and content distribution infrastructure, along with all of the cryptocurrency it had received from victims, had been seized by law enforcement agencies.
If so, the seizure would represent a small fortune. According to recently released figures from cryptocurrency tracking firm Chainalysis, DarkSide took in at least $60 million in the seven months starting August last year, including $46 million in the first three months of this year. While law enforcement has not confirmed seizing anything close to that much, Monday’s disclosure shows that it has obtained at least some digital assets from DarkSide.
During Monday’s conference, Justice Department officials said they had tracked 90 victims who were hit by DarkSide.
Pay with Bitcoin instead of Monero
In the past year, ransomware has gone from being a financial risk to a risk that has the potential to disrupt critical services and cost lives. On several occasions, infections that hit hospitals resulted in outages that forced them to cancel elective surgeries or redirect emergency patients to nearby facilities. Last week, JBS, the world’s largest meat producer, temporarily closed facilities in the US and elsewhere after losing control of its network to a ransomware group called REvil.
Law enforcement’s success fueled speculation that Colonial Pipeline paid the ransom not to gain access to a decryptor it knew was buggy, but to help the FBI track DarkSide and its mechanism for collecting and laundering ransoms.
The speculation is compounded by the fact that Colonial Pipeline paid in Bitcoin, even though that option added 10 percent to the ransom. Bitcoin is pseudonymous: no names are attached to wallets, but the coins they hold and every transfer between them are recorded on the public ledger and can be followed.
It is possible that Colonial Pipeline chose to pay the higher ransom at the behest of law enforcement agencies, because Bitcoin can be traced while Monero – the other currency DarkSide accepts – is designed to be untraceable. Even if that is the case, it is not clear how law enforcement agencies got hold of the private key needed to empty the wallet.
“As alleged in the supporting affidavit, by reviewing the Bitcoin public ledger, law enforcement officers were able to trace multiple Bitcoin transfers and determine that approximately 63.7 bitcoins, representing the proceeds of the victim’s ransom payment, had been transferred to a specific address for which the FBI has the ‘private key,’ or the rough equivalent of a password needed to access assets held at the particular Bitcoin address,” said Monday’s press release. “This bitcoin represents proceeds of a computer intrusion and property involved in money laundering, and can be seized under criminal and civil forfeiture laws.”
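The kind of public-ledger review the press release describes, as an added example that is not part of the original article: a constructed toy ledger (every address, transaction id and amount below is made up, only the roughly 75 BTC payment size mirrors the story) is walked forward from the ransom payment, passing "taint" through each later transaction in proportion to the tainted share of its inputs, to report how much of the ransom sits at each still-unspent address.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed toy ledger (not real chain data). Amounts are BTC as strings so
# Fraction keeps the arithmetic exact. Each tx spends earlier outputs by
# (txid, index) and creates (address, amount) outputs; the difference is the fee.
STARTING_UTXOS = {
    ("v0", 0): ("victim", "80"),     # victim's funds before paying
    ("c0", 0): ("clean_src", "10"),  # unrelated coins later mixed in
}
LEDGER = [
    # victim pays 75 BTC to the address in the ransom note; 4.99 BTC is change
    {"txid": "t1", "inputs": [("v0", 0)],
     "outputs": [("ransom_addr", "75"), ("victim", "4.99")]},
    # ransom split between an affiliate and the core group (constructed split)
    {"txid": "t2", "inputs": [("t1", 0)],
     "outputs": [("affiliate", "63.75"), ("dev", "11.2")]},
    # affiliate consolidates its share with clean coins and moves on
    {"txid": "t3", "inputs": [("t2", 0), ("c0", 0)],
     "outputs": [("cashout", "73.7")]},
]


def trace_taint(ledger, starting_utxos, seed):
    """Follow ransom proceeds forward ('haircut' propagation).

    seed: set of (txid, index) outputs that hold the ransom payment itself.
    Each spending tx taints its outputs by the tainted share of its inputs;
    the fee's share is lost. Returns {address: tainted BTC} for unspent outputs.
    """
    utxos = {k: (a, Fraction(v)) for k, (a, v) in starting_utxos.items()}
    tainted = {}  # (txid, index) -> tainted BTC held by that unspent output
    for tx in ledger:
        spent = [utxos.pop(ref) for ref in tx["inputs"]]  # ledger must be valid
        total_in = sum(amt for _, amt in spent)
        taint_in = sum(tainted.pop(ref, Fraction(0)) for ref in tx["inputs"])
        share = taint_in / total_in if total_in else Fraction(0)
        for i, (addr, amt) in enumerate(tx["outputs"]):
            ref = (tx["txid"], i)
            utxos[ref] = (addr, Fraction(amt))
            if ref in seed:
                tainted[ref] = Fraction(amt)  # the ransom payment itself
            elif share:
                tainted[ref] = Fraction(amt) * share
    by_address = defaultdict(Fraction)
    for ref, (addr, _) in utxos.items():
        by_address[addr] += tainted.get(ref, Fraction(0))
    return dict(by_address)


if __name__ == "__main__":
    for addr, btc in trace_taint(LEDGER, STARTING_UTXOS, {("t1", 0)}).items():
        print(f"{addr:12s} {float(btc):.4f} BTC of ransom proceeds")
```

In this toy chain the "cashout" address ends up holding about 63.7 BTC of ransom-derived value even after the affiliate mixed in unrelated coins; the victim's change output carries none, and the fees paid along the way account for the shortfall from the original 75 BTC.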
With most ransomware groups headquartered in Russia or other Eastern European countries with no extradition agreements with Western nations, US officials have largely been paralyzed in their efforts to bring the attackers to justice. It’s too early to know if the techniques that allowed officials to track the funds paid to DarkSide by Colonial Pipeline can be used in investigating other ransomware attacks. If so, law enforcement may have been given a powerful tool when it was needed most.