The U.S. Department of Justice said today that it has recovered $2.3 million worth of Bitcoin that Colonial Pipeline paid to ransomware extortionists last month. The money had been sent to DarkSide, a ransomware-as-a-service syndicate that collapsed after a May 14 farewell message to affiliates saying its Internet servers and cryptocurrency stash had been seized by an unknown law enforcement agency.
On May 7th, the DarkSide ransomware gang attacked Colonial, which ultimately paid 75 Bitcoin (about $4.4 million) to the extortionists. The company said the attackers hit only its business IT network and not the pipeline’s operational safety and security systems, and that it shut down the pipeline as a precaution. [Several publications noted Colonial shut down its pipeline because its billing system was impacted and it had no way to get paid.]
On or around May 14, DarkSide representatives posted a message on several Russian-language cybercrime forums announcing that the group was quitting.
“The server was confiscated. The advertiser’s and founder’s money was transferred to an unknown account,” read the farewell message. “Hosting support, beyond the information ‘at the request of law enforcement,’ did not provide any other information.”
Several security experts said they suspected DarkSide would not last long given the heat from the Colonial attack, and that the group would reappear under a new banner in the coming months. While that may still be true, the action announced today by the DOJ certainly supports the DarkSide admins’ claim that the shutdown was not of their own choosing.
Security firms had suspected for months that the DarkSide gang shared its leadership with REvil, also known as Sodinokibi, another ransomware-as-a-service platform that closed up shop in 2019 after bragging it had extorted more than $2 billion from victims. Those suspicions were strengthened when the REvil admin added his own comments to the announcement about DarkSide’s closure (see screenshot above).
DarkSide first appeared on Russian hacking forums in August 2020 as a ransomware-as-a-service platform that vetted cybercriminals could use to infect companies with ransomware and to handle negotiations and payments with victims. DarkSide said it specifically targeted large companies, and it prohibited affiliates from deploying ransomware on organizations in several industries, including healthcare, funeral services, education, government, and non-profits.
According to an analysis published May 18 by the cryptocurrency analysis firm Elliptic, 47 cybercrime victims paid DarkSide $90 million in Bitcoin, bringing the average ransom paid by DarkSide victims to about $2 million.
How did they do it?
The DOJ announcement left open the question of how part of Colonial’s payment could be recovered. The attack shut down the Houston-to-New England pipeline for a week and prompted long lines, rising prices and gas shortages at filling stations nationwide.
The DOJ said law enforcement was able to track multiple bitcoin transfers and identified approximately 63.7 bitcoins (~$3.77 million as of May 8) “representing the proceeds of the victims’ ransom payments, which had been transferred to a specific address for which the FBI has the ‘private key,’ or the equivalent of a password required to access the assets held at that specific Bitcoin address.”
How the FBI came to have that private key is the key question. Nicholas Weaver, a lecturer in the Department of Computer Science at the University of California, Berkeley, explains that the most likely explanation is that law enforcement agents seized the funds from the DarkSide affiliate responsible for initially obtaining the criminal gang’s access to Colonial’s systems.
“The ‘has the private key’ part of their statement is doing a lot of work,” Weaver said, pointing out that the amount the FBI recovered was less than the full amount paid by Colonial.
“It’s just the Colonial Pipeline ransom, and it seems to be only the affiliates’ portion of it.”
The experts at Elliptic came to the same conclusion.
“Any ransom paid by a victim is then divided between the affiliate and the developer,” wrote Elliptic co-founder Tom Robinson. “In the case of the Colonial Pipeline ransom payment, 85% (63.75 BTC) went to the affiliate and 15% went to the DarkSide developer.”
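The recovery described above rests on two things the article states but does not illustrate: following a payment forward through several transfers, and noticing that the amount controlled by one address matches the affiliate’s 85% share rather than the whole ransom. As an added example (not from the article, the DOJ, or Elliptic), the following toy tracer walks a constructed ledger in which a 75 BTC payment is split 85/15 and the affiliate’s share is moved once more. Every address name and amount is made up; the code only models the “follow every output” rule and omits the clustering and change-detection heuristics real chain-analysis tools rely on.

```python
from collections import deque

# Constructed sample ledger (not real on-chain data). Each transaction spends
# the listed (address, amount) inputs and creates the listed outputs, in BTC.
SAMPLE_TXS = [
    {"txid": "tx1",  # victim pays the ransom to the address in the ransom note
     "inputs": [("victim_wallet", 75.0)],
     "outputs": [("ransom_addr", 75.0)]},
    {"txid": "tx2",  # RaaS platform splits the payment 85/15
     "inputs": [("ransom_addr", 75.0)],
     "outputs": [("affiliate_addr", 63.75), ("developer_addr", 11.25)]},
    {"txid": "tx3",  # affiliate moves its share once more, paying a 0.05 BTC fee
     "inputs": [("affiliate_addr", 63.75)],
     "outputs": [("affiliate_hop2", 63.7)]},
]


def spends_from(txs, address):
    """Return the transactions that spend an output held by `address`."""
    return [tx for tx in txs if any(a == address for a, _ in tx["inputs"])]


def received_by(txs, address):
    """Total BTC ever sent to `address` across the ledger."""
    return round(sum(amt for tx in txs for a, amt in tx["outputs"] if a == address), 8)


def trace_funds(txs, start_address):
    """Follow funds forward from `start_address` through every hop.

    Returns {terminal_address: balance_held} for the addresses the funds reach
    that have not been spent from again. These are the addresses whose private
    key would have to be controlled to recover the traced money.
    """
    holdings = {}
    seen = set()
    queue = deque([start_address])
    while queue:
        addr = queue.popleft()
        if addr in seen:
            continue
        seen.add(addr)
        outgoing = spends_from(txs, addr)
        if not outgoing:
            # Nothing spent from here: whatever arrived is still sitting there.
            holdings[addr] = received_by(txs, addr)
            continue
        for tx in outgoing:
            for out_addr, _ in tx["outputs"]:
                queue.append(out_addr)
    return holdings


def path_to(txs, start_address, target_address):
    """Return one chain of addresses from start to target, or None if unreachable."""
    prev = {start_address: None}
    queue = deque([start_address])
    while queue:
        addr = queue.popleft()
        if addr == target_address:
            path = []
            while addr is not None:
                path.append(addr)
                addr = prev[addr]
            return path[::-1]
        for tx in spends_from(txs, addr):
            for out_addr, _ in tx["outputs"]:
                if out_addr not in prev:
                    prev[out_addr] = addr
                    queue.append(out_addr)
    return None


def tx_fee(tx):
    """Miner fee implied by a transaction: inputs minus outputs."""
    return round(sum(a for _, a in tx["inputs"]) - sum(a for _, a in tx["outputs"]), 8)


def share_of(holdings, address, total_paid):
    """Fraction of the original payment that ended up at `address`."""
    return round(holdings[address] / total_paid, 4)


if __name__ == "__main__":
    holdings = trace_funds(SAMPLE_TXS, "ransom_addr")
    for addr, balance in sorted(holdings.items()):
        print(f"{addr}: {balance} BTC ({share_of(holdings, addr, 75.0):.0%} of payment)")
    print("route to affiliate funds:", " -> ".join(path_to(SAMPLE_TXS, "ransom_addr", "affiliate_hop2")))
    print("fee on tx3:", tx_fee(SAMPLE_TXS[2]), "BTC")
```

Run against the constructed ledger, the tracer ends at two addresses: one holding 63.7 BTC (the affiliate’s 85%, less the fee it paid moving the coins) and one holding 11.25 BTC (the developer’s 15%). Seizing only the first would recover an amount just under the affiliate’s share, which is the pattern Weaver and Elliptic read out of the DOJ figures.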
The Biden administration is under increasing pressure to do something about the epidemic of ransomware attacks. In conjunction with today’s action, the DOJ called attention to the wins of its Ransomware and Digital Extortion Task Force, including its success in prosecuting the crooks behind threats such as the Netwalker and SamSam ransomware.
The DOJ also released a June 3 memo from Deputy Attorney General Lisa O. Monaco advising all federal prosecutors to follow new guidelines that centralize the reporting of ransomware victims.
Having a central place for law enforcement and intelligence agencies to collect and act on ransomware threats was one of the key recommendations of a ransomware task force led by some of the world’s leading tech companies. In an 81-page report, the industry-led task force called for international coordination to combat ransomware criminals and for a global network of investigative centers. Its advice focuses on thwarting cybercriminal gangs by limiting their ability to get paid, and on targeting the individuals and finances of the crooks behind these crimes.