
US authorities recovered most of the ransom paid by Colonial Pipeline

US officials announced that they have recovered most of the $4.3 million ransom that Colonial Pipeline paid to the DarkSide ransomware gang last month.

During a video press conference, US officials announced that they have recovered most of the $4.3 million ransom that Colonial Pipeline paid to the DarkSide ransomware gang.

The Colonial Pipeline facility in Pelham, Alabama, was hit by a ransomware attack in May, and its operators were forced to shut down its systems. The pipeline carries 2.5 million barrels of refined gasoline and jet fuel each day up the East Coast from Texas to New York, covering 45 percent of the East Coast’s fuel supplies.

A few days later, the U.S. Federal Bureau of Investigation confirmed that the Colonial Pipeline was shut down due to a cyber attack carried out by the Darkside ransomware gang.

Multiple media outlets, citing people familiar with the matter, reported that the company had initially refused to pay the ransom. However, the quick restoration of operations was suspicious and suggested that the operators of the Colonial Pipeline had paid the ransom.

The New York Times reported that Colonial Pipeline paid the hackers almost $5 million worth of cryptocurrency to receive a decryption key that allowed it to restore the encrypted files.

“After Colonial Pipeline’s quick notification to law enforcement, and pursuant to a seizure warrant issued by the United States District Court for the Northern District of California earlier today, the Department of Justice has found and recaptured the majority of the ransom Colonial paid to the Dark Side Network in the wake of last month’s ransomware attack,” said Lisa Monaco, Deputy Attorney General for the US Department of Justice. “Ransomware attacks are always unacceptable, but when they target critical infrastructure, we will spare no effort in our response.”

This is the first seizure ever made by the Justice Department task force in which a cybercriminal group’s profits were recovered by taking control of its Bitcoin wallet. The DoJ seized 63.7 Bitcoin out of the 75 Bitcoin paid by Colonial Pipeline, currently valued at about $2.3 million.

The US authorities were able to follow the funds through multiple Bitcoin addresses managed by the Darkside gang and identified the group’s main wallet (bc1qq2euq8pw950klpjcawuy4uj39ym43hs6cfsegq), which contained 75 Bitcoin.

FBI investigators said they tracked the ransom payment across multiple Bitcoin addresses, as the Darkside group moved funds around. They were able to seize the funds after they gained access to one account’s private key, which acts as a password for that account.
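The tracing described above, following a payment forward through successive transactions until it comes to rest in an address, is the core of what blockchain analytics firms do. The following Python block is an added example, not code from the article or from the FBI or Elliptic: it walks a small constructed UTXO-style ledger (placeholder transaction ids and addresses, not real DarkSide transactions) from the ransom payment to every unspent output that descends from it, which is how an investigator arrives at the address worth targeting with a seizure warrant.

```python
"""Forward-trace a payment through a constructed UTXO transaction graph."""
from collections import deque

# Constructed ledger (placeholder ids, not real transactions). Each tx lists
# the prior outputs it spends as (txid, output_index) and the outputs it
# creates as (address, amount_in_btc). Amounts loosely mirror the article's
# 75 BTC payment and the 63.7 BTC that ended up in one wallet.
LEDGER = {
    "tx_ransom": {"inputs": [], "outputs": [("addr_victim_pay", 75.0)]},
    "tx_hop1": {"inputs": [("tx_ransom", 0)],
                "outputs": [("addr_hop_a", 63.7), ("addr_hop_b", 11.3)]},
    "tx_hop2": {"inputs": [("tx_hop1", 0)],
                "outputs": [("addr_main", 63.7)]},
    "tx_hop3": {"inputs": [("tx_hop1", 1)],
                "outputs": [("addr_affiliate", 11.25), ("addr_hop_a", 0.05)]},
    # Unrelated activity that a correct trace must not touch.
    "tx_other": {"inputs": [], "outputs": [("addr_unrelated", 2.0)]},
}


def spenders_index(ledger):
    """Map each spent output (txid, index) to the txid that consumes it.

    On a real chain this is the expensive part (scanning inputs of every
    later block); here it is a single pass over the constructed ledger.
    """
    spent_by = {}
    for txid, tx in ledger.items():
        for ref in tx["inputs"]:
            spent_by[ref] = txid
    return spent_by


def trace_forward(ledger, start_txid):
    """Follow every output of start_txid through all later spends.

    Returns (holdings, visited): holdings maps each address still holding
    unspent descendant outputs to the amount it holds; visited is the set
    of transaction ids the trace passed through.
    """
    spent_by = spenders_index(ledger)
    holdings = {}
    visited = set()
    queue = deque([start_txid])
    while queue:
        txid = queue.popleft()
        if txid in visited:
            continue
        visited.add(txid)
        for index, (addr, amount) in enumerate(ledger[txid]["outputs"]):
            next_tx = spent_by.get((txid, index))
            if next_tx is None:
                # Unspent output: the funds currently rest at this address.
                holdings[addr] = holdings.get(addr, 0.0) + amount
            else:
                queue.append(next_tx)
    return holdings, visited


def largest_holder(holdings):
    """Return (address, amount) for the address holding the most traced funds."""
    return max(holdings.items(), key=lambda item: item[1])


if __name__ == "__main__":
    held, path = trace_forward(LEDGER, "tx_ransom")
    print("transactions traversed:", sorted(path))
    for addr, btc in sorted(held.items(), key=lambda i: -i[1]):
        print(f"{addr:16} {btc:8.2f} BTC")
    print("candidate for seizure:", largest_holder(held))
```

In the constructed ledger the trace passes through four transactions, ignores the unrelated one, and reports that 63.7 BTC sits in `addr_main`, with smaller amounts in an affiliate address and a reused hop address. Real investigations layer heuristics (address clustering, exchange attribution, mixing detection) on top of this basic forward walk, but the walk itself is the step that turns "the gang moved the money around" into one address a warrant can name.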

At the time of this writing, it is still unclear if the FBI received the private key from the Darkside gang or if it was obtained in another way.

“This address was emptied at around 1.40pm (Eastern Time) today – presumably by US authorities. (There was also the movement of an additional 5.9 BTC not mentioned in the affidavit).” reported the security firm Elliptic.

“This action by US authorities demonstrates the value of blockchain analytics to track down proceeds of crime in cryptocurrency, and ensure that ransomware does not pay for the criminals behind it.”

“The seizure announced today was conducted as part of the Department’s recently launched Ransomware and Digital Extortion Task Force, which was established to investigate, disrupt and prosecute ransomware and digital extortion activity,” Monaco added. “This is the Task Force’s first operation of this kind.”

The FBI is currently tracking more than one hundred ransomware gangs that have targeted US companies.

The U.S. Department of Justice plans to give investigations into ransomware attacks the same priority as investigations into terrorism in the wake of the Colonial Pipeline hack. The Colonial Pipeline attack, and more recently the JBS attack, demonstrated that allegedly financially motivated ransomware attacks can have a dramatic impact on the targeted organizations and on their related sectors.

The US authorities created a special task force to coordinate investigations into ransomware attacks in the country.


Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). His passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
