The U.S. Department of Justice has seized a majority of the $4.3 million paid by Colonial Pipeline to the Darkside ransomware gang following last month’s attack.
Law enforcement officials said they were able to track multiple transfers of Colonial’s May 8 ransom payment by reviewing the Bitcoin public ledger and identified $2.3 million of proceeds that had been transferred to a specific address. The Federal Bureau of Investigation was able to obtain the “private key”—the rough equivalent of a password—needed to access assets from that specific Bitcoin address.
“New financial technologies that attempt to anonymize payments will not provide a curtain from behind which criminals will be permitted to pick the pockets of hardworking Americans,” said Stephanie Hinds, Acting U.S. Attorney for the Northern District of California. “This case demonstrates our resolve to develop methods to prevent evildoers from converting new methods of payment into tools of extortion.”
The private key for the Bitcoin address used by Darkside is now in the possession of the FBI in the Northern District of California, according to an affidavit filed Monday to seize money from the Bitcoin wallet. This Bitcoin represents proceeds traceable to a computer intrusion, and property involved in money laundering may be seized pursuant to criminal and civil forfeiture statutes, according to officials.
“Today, we deprived a cybercriminal enterprise of the object of their activity, their financial proceeds and funding,” FBI Deputy Director Paul Abbate said during a press conference Monday. “For financially motivated cybercriminals, especially those presumably located overseas, cutting off access to revenue is one of the most impactful consequences we can impose.”
Abbate said the FBI has been pursuing an investigation into Darkside since last year and has to date identified more than 90 victims across multiple U.S. critical infrastructure sectors. American victims of the Darkside ransomware gang can be found in the manufacturing, legal, insurance, health care and energy sectors, according to Abbate.
“The threat of severe ransomware attacks poses a clear and present danger to your organization, to your company, to your customers, to your shareholders and to your long-term success,” Deputy Attorney General Lisa Monaco said during a press conference Monday. “So pay attention now. Invest resources now. Failure to do so could be the difference between being secure now or a victim later.”
Darkside was also reportedly behind the huge ransomware attack against Fort Mill, S.C.-based CompuCom, No. 46 on the 2021 CRN Solution Provider 500, that’s expected to cost the Office Depot subsidiary more than $20 million. CompuCom wasn’t able to substantially restore its service delivery capabilities until March 17, 16 days after the crippling malware attack took place.
Monaco cautioned that the U.S. Department of Justice might not always be able to recover the funds if victims of an attack opt to pay the ransom. Colonial’s decision to pay Darkside a ransom in exchange for a decryption tool was highly controversial and is likely to come up when Colonial CEO Joseph Blount testifies before the Homeland Security Committees of the U.S. Senate and House of Representatives.
The U.S. Department of Justice has in recent years issued indictments against Russian, Chinese and North Korean hackers accused of carrying out high-profile attacks against American businesses and government agencies. But given the lack of extradition treaties between the U.S. and these nations, the alleged hackers are very unlikely to ever see the inside of an American courtroom.
“Law enforcement agencies need to broaden their approach beyond building cases against criminals who may be beyond the grasp of the law,” John Hultquist, vice president of analysis for Mandiant Threat Intelligence, said in a statement. “In addition to the immediate benefits of this approach [recovering ransom payment], a stronger focus on disruption may disincentivize this behavior.”