The Justice Department has seized 63.7 bitcoins currently valued at approximately $2.3 million that allegedly represents some portion of a May 8 payment by the Colonial Pipeline company to DarkSide ransomware attackers.
Colonial Pipeline admitted paying the cyber criminals a total ransom of around $4.4 million in bitcoin to restore full functionality to its systems following the crippling ransomware attack announced by the company on May 7.
The Special Prosecutions Section and Asset Forfeiture Unit of the US Attorney's Office for the Northern District of California seized the bitcoin wallet after a magistrate judge for the Northern District of California authorised a seizure warrant.
News of the wallet seizure came as little surprise given that the DarkSide attackers themselves foreshadowed it when they announced in mid-May that the group lost control over some of its servers, including a payment server, and was shutting down due to "pressure" from the United States. At that time, DarkSide also stated that some of its funds had been withdrawn to an unknown account.
The adage of “follow the money” still applies
Lisa Monaco, a deputy attorney general of the Justice Department, said during a press briefing that "the old adage 'follow the money still applies.' And that's exactly what we do.
"After Colonial Pipeline's quick notification to law enforcement and pursuant to a seizure warrant issued by the United States District Court for the Northern District of California earlier today, the Department of Justice has found and recaptured the majority of the ransom Colonial paid to the DarkSide network in the wake of last month's ransomware attack."
The targeted seizure of the wallet aims to undercut the current wave of increasingly destructive ransomware attacks, particularly those targeted at highly critical infrastructure such as oil and gas pipelines.
"We turned the tables on DarkSide by going after the entire ecosystem that fuels ransomware and digital extortion attacks, including criminal proceeds in the form of digital currency," Monaco said. "We will continue to use all of our tools and all of our resources to increase the cost and the consequences of ransomware attacks and other cyber-enabled attacks."
FBI is vague on how it identified the attacker's wallet
Precisely how law enforcement identified the attacker's wallet is unclear. During the briefing, FBI Deputy Director Paul Abbate said that the Bureau has been investigating Russia-based cyber crime gang DarkSide since last year. DarkSide is only one of 100 ransomware variants affecting 90 identified victims that the FBI is investigating, Abbate said.
"We identified a virtual currency wallet that the DarkSide actors use to collect a payment from a victim using law enforcement authorities. Victim funds were seized from that wallet, preventing DarkSide actors from using it," Abbate said while offering few details on how the operation worked.
In an affidavit accompanying an application for the seizure warrant, an FBI field agent, whose name was redacted, said that Colonial Pipeline informed the FBI on May 8 of the cryptocurrency address it used to make its ransom payment.
From there, the FBI reviewed the bitcoin public ledger to trace the bitcoins to the ultimately seized wallet. "The private key for the [wallet] is in the possession of the FBI in the Northern District of California," the agent said in the affidavit." Private keys, which are 256-bit secret numbers that allow bitcoin to be unlocked and sent, are critical components of how the cryptocurrency is kept anonymous and secure.
Knowing how the FBI obtained the DarkSide actor's private key is critical to determining whether law enforcement might be able to follow the money again and remove the economic incentive for other ransomware attackers in the future.
According to reports of an FBI press call on the wallet seizure, the Bureau said it is deliberately vague regarding how it obtained the private key to avoid tipping off hackers. According to one agent, the method the FBI used is "replicable," which means authorities could use it against the next ransomware attacker. The FBI also revealed it received substantial help from the Microsoft Threat Intelligence Center (MSTIC) in seizing the wallet.
Three theories on how law enforcement found the wallet
"The FBI court documents leave much to speculation, but one thing that is certain is that they did take possession of the hacker group's private key and the 63.7 bitcoin associated with it," Adrian Bednarek CISO of virtual economy company Overflow Labs, tells CSO. Bednarek speculates that one of three scenarios explain how the FBI obtained the hackers' private key.
First, "sloppy operational security by DarkSide led to the FBI discovering the physical location of any computing devices that were used to collect ransomware payments," he says, with the seizure of those devices leading to the forensic recovery of DarkSide's private keys. This notion fits with DarkSide's mid-May statement that it lost control over its servers.
Under another, least likely, scenario, a DarkSide insider cooperated and cut a deal with the FBI to turn over any private key, Bednarek says.
Bednarek's third scenario holds that the FBI used non-public zero-day exploits in either operating systems or software (or both) used by DarkSide to either "reveal the real internet protocol (IP) address of DarkSide computing devices and work with ISPs to get their physical location or execute malicious code to recover any bitcoin private keys forensically," Bednarek says. "From previous experience, I can say that they even seek out and hire firms to specifically discover exploits in software used by adversaries."
Monaco said this latest action is not the first time the US government has seized cryptocurrency connected with ransomware attacks. In January, authorities seized approximately $454,530.19 in cryptocurrency ransom payments in a multi-part offensive against the NetWalker ransomware gang.
Colonial Pipeline's collaboration could encourage other victims to work with the feds
Colonial Pipeline acknowledged its collaboration in working with the FBI to seize the wallet and share knowledge with field officers and prosecutors. "When Colonial was attacked on May 7, we quietly and quickly contacted the local FBI field offices in Atlanta and San Francisco, and prosecutors in Northern California and Washington DC to share with them what we knew at that time," Colonial said in a statement.
The FBI hopes that this successful seizure would encourage other ransomware victims to work with law enforcement to deprive ransomware attackers of financial gain.
"The message we are sending today is that if you come forward and work with law enforcement, we may be able to take the type of action that we took today to deprive the criminal actors of what they're going after here, which is the proceeds of their criminal scheme," Monaco said.
"This was an attack against some of our most critical national infrastructure in the form of the Colonial Pipeline. This represents the swift whole of government response represented in the work of this [FBI ransomware] task force and our determination to go after the entire ransomware criminal ecosystem used by these types of criminal networks and their affiliates."
Ransomware actors could struggle to remain anonymous
Whether authorities successfully weaken the ransomware ecosystem, it is clear that this latest law enforcement action signals that ransomware actors can be traced, which is bound to force some regrouping among the cyber criminals.
"Remaining anonymous on the internet is very difficult and requires meticulous attention to detail," Bednarek says. "There are countless things to keep track of, so it's very hard to remain anonymous online, especially when directing a ransomware attack that deals with the collection of cryptocurrency as a ransom."
Speaking at the Justice Department's press briefing, Acting U.S. Attorney Stephanie Hinds for the Northern District of California underscored the seeming futility of ransomware actors hiding behind supposedly anonymous cryptocurrency payment systems.
"New financial technologies that attempt to anonymise payments will not provide a curtain from behind which criminals will be permitted to pick the pockets of hardworking Americans," she said. "This case demonstrates our resolve to develop methods, to prevent evildoers from converting new methods of payment into tools of extortion for undeserved profits."