The Colonial Pipeline facility in Pelham, Alabama, was hit by a ransomware attack in May, and its operators were forced to shut down its systems. The pipeline carries 2.5 million barrels of refined gasoline and jet fuel each day up the East Coast from Texas to New York, covering 45 percent of the East Coast's fuel supplies.
A few days later, the U.S. Federal Bureau of Investigation confirmed that the Colonial Pipeline was shut down due to a cyber attack carried out by the Darkside ransomware gang.
Multiple media outlets, citing people familiar with the matter, reported that the company had initially refused to pay the ransom. However, the quick restoration of operations was suspicious and suggested that the operators of the Colonial Pipeline had paid the ransom.
The New York Times reported that Colonial Pipeline paid the hackers almost $5 million worth of cryptocurrency to receive a decryption key that allowed it to restore the encrypted files.
“After Colonial Pipeline’s quick notification to law enforcement, and pursuant to a seizure warrant issued by the United States District Court for the Northern District of California earlier today, the Department of Justice has found and recaptured the majority of the ransom Colonial paid to the Dark Side Network in the wake of last month’s ransomware attack,” said Lisa Monaco, Deputy Attorney General for the US Department of Justice. “Ransomware attacks are always unacceptable, but when they target critical infrastructure, we will spare no effort in our response.”
This is the first seizure ever made by the Justice Department task force to hijack a cybercriminal group's profits through a hack of its Bitcoin wallet. The DoJ seized 63.7 of the 75 Bitcoin paid by Colonial Pipeline, currently valued at about $2.3 million.
The US authorities were able to follow the funds through multiple Bitcoin addresses managed by the Darkside gang and identified their main wallet (bc1qq2euq8pw950klpjcawuy4uj39ym43hs6cfsegq) containing 75 Bitcoin.
FBI investigators said they tracked the ransom payment across multiple Bitcoin addresses, as the Darkside group moved funds around. They were able to seize the funds after they gained access to one account’s private key, which acts as a password for that account.
At the time of this writing, it is still unclear if the FBI received the private key from the Darkside gang or if it was obtained in another way.
"This address was emptied at around 1.40pm (Eastern Time) today – presumably by US authorities. (There was also the movement of an additional 5.9 BTC not mentioned in the affidavit)," reported the security firm Elliptic.
“This action by US authorities demonstrates the value of blockchain analytics to track down proceeds of crime in cryptocurrency, and ensure that ransomware does not pay for the criminals behind it.”
“The seizure announced today was conducted as part of the Department’s recently launched Ransomware and Digital Extortion Task Force, which was established to investigate, disrupt and prosecute ransomware and digital extortion activity,” Monaco added. “This is the Task Force’s first operation of this kind.”
The FBI is currently tracking more than one hundred ransomware gangs that have targeted US companies.
The U.S. Department of Justice plans to equate investigations into ransomware attacks with investigations into terrorism in the wake of the Colonial Pipeline hack. The Colonial Pipeline attack, and more recently the JBS attack, demonstrated that an allegedly financially motivated ransomware attack can have a dramatic impact on the targeted organizations and on the related sectors.
The US authorities created a special task force to coordinate investigations into ransomware attacks in the country.
(SecurityAffairs – hacking, ransomware)