Investigators recovered $2.3 million in bitcoin paid by the Colonial Pipeline Company to DarkSide following a ransomware attack in early May. On June 7, the Department of Justice (DOJ) revealed that law enforcement agencies had been tracking transfers of bitcoin when they spotted the movement of 63.7 bitcoins associated with the Colonial Pipeline Company’s ransom payment.

Private Key Obtained by the FBI

Investigators evaluated the transfer and found that someone had moved those 63.7 bitcoins to a wallet address for which the FBI had the private key. Nicholas Weaver, a lecturer in the computer science department at the University of California – Berkeley, explained to KrebsonSecurity that gaining access to that private key involved “doing a lot of work” on the part of the FBI.

The FBI subsequently acted on criminal and civil forfeiture statutes to seize those funds, explained DOJ’s Deputy Attorney General Lisa O. Monaco, as quoted in a press release:

“Following the money remains one of the most basic, yet powerful tools we have. Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises. We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks. Today’s announcements also demonstrate the value of early notification to law enforcement; we thank Colonial Pipeline for quickly notifying the FBI when they learned that they were targeted by DarkSide.”

The 63.7 bitcoins identified by the FBI amounted to 85% of a ransom paid by the Colonial Pipeline Company. That portion went to the DarkSide affiliate who perpetrated the attack. The other 15%, or 11.3 bitcoins, went to DarkSide’s developers.

As of this writing, no public reporting indicated that Colonial Pipeline had successfully recovered the remaining 11.3 bitcoins. To put this development into context, I sat down with Cybereason CSO Sam Curry and asked him a few questions. Our conversation is replicated below:

What is your reaction to the partial recovery of the Colonial Pipeline Company’s ransom payment?

There is no doubt an incredible story behind the scenes that we look forward to hearing more about. However, this sends a clear message to the criminals: you are not immune to repercussions. Ransomware gangs are, in a dark sense, startups with their own venture capital and business models. The “investors” in these organizations must be getting nervous that their ill-gotten gains can be recouped.

Is there any other message that this recovery sends to those “investors?”

Ransomware writers and other malware authors now know the gloves are off.

In recent years, cryptocurrency has helped to afford basic anonymity to malicious actors. How do the investigation and recovery effort involving Colonial Pipeline affect this?

It’s an escalation, but the bad guys here have vested interests, investments, and tools. DarkSide took almost $100 million in a month. This is a start, but this is the tip of the tip of the iceberg. The battle went to the light side, but there’s much more in this war on cybercrime to play out.

What is the Biden Administration communicating about attacks on U.S. companies and critical infrastructure providers with this ransom recovery? 

Now is the time to continue in the same vein and put pressure using all fronts – technological, economic, diplomatic, and more – on malware authors and cyber-criminal gangs. DarkSide looks like a privateer that wasn’t directly sponsored by a state. Still, it’s to be hoped that states like Russia will begin distancing themselves from ransomware gangs and cyber-criminal outfits by clearly moving them into the “pirate” category. In other words, Russia and others need to truly make it clear that these gangs are enemies of the connected world.

How does this ransom recovery fit within the broader threat landscape? Could we see more developments such as what we saw with the Colonial Pipeline Company?

The enormity of the cybercrime ecosystem makes it nearly impossible to recover most ransoms. That’s the way things stand now.

Defending Against Attackers like DarkSide

Curry’s last response serves as a reminder for organizations that they need to defend themselves against ransomware attacks. One of the best ways they can do that is by augmenting their ability to detect a ransomware infection like Darkside that’s in progress. 

This necessitates moving toward Indicators of Behavior (IOBs) so that they can visualize and then shut down a malicious operation (Malop).  Learn more about the Cybereason Malop here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

About the Author

David Bisson

David Bisson is an information security writer and security junkie. He’s a contributing editor to IBM’s Security Intelligence and Tripwire’s The State of Security Blog, and he’s a contributing writer for Bora. He also regularly produces written content for Zix and a number of other companies in the digital security space.

All Posts by David Bisson