[BreachExchange] US recovers most of Colonial Pipeline's $4.4M ransomware payment

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Tue Jun 8 12:38:59 EDT 2021


https://www.bleepingcomputer.com/news/security/us-recovers-most-of-colonial-pipelines-44m-ransomware-payment/

The US Department of Justice has recovered the majority of the $4.4 million
ransom payment paid by Colonial Pipeline to the DarkSide ransomware
operation.

On May 7th, Colonial Pipeline suffered a DarkSide ransomware attack that
forced the company to shut down its fuel pipeline operations. The shutdown
led to temporary gas shortages on the East Coast as people rushed to stock
up on gasoline.

Due to the critical nature of the outage, Colonial Pipeline paid a $4.4
million ransom to the DarkSide ransomware operation in exchange for a
decryption key, which allowed it to bring its systems back online quickly.

Faced with increased scrutiny from the US government and law enforcement,
the DarkSide ransomware gang shut down its operation.

DOJ recovers a portion of ransom payment

At a press conference today, the US Department of Justice announced that it
had seized a cryptocurrency wallet used by the DarkSide ransomware operation
that contained the ransom payment from Colonial Pipeline.

In an affidavit submitted to the U.S. District Court for the Northern
District of California, an FBI agent states that law enforcement gained
control of the private key for a DarkSide Bitcoin wallet holding the
Colonial Pipeline ransom payment.

Holding a cryptocurrency wallet's private key is equivalent to owning its
funds: whoever has the key can sign a transaction that moves them, and the
network cannot distinguish such a seizure from a spend by the original
owner. No weakness in Bitcoin's cryptography is needed, only custody of the
key.

Using this private key, the FBI recovered 63.7 bitcoins of the roughly 75
bitcoins Colonial Pipeline had paid. Because the price of Bitcoin has
fallen significantly since the payment was made, the recovered coins are
worth roughly $2.26 million at today's prices.

It is not clear how the FBI obtained the private key for the DarkSide
wallet, but on May 14th the ransomware gang claimed to have lost access to
one of its payment servers.

"In addition, a couple of hours after the seizure, funds from the payment
server (belonging to us and our clients) were withdrawn to an unknown
account," the DarkSide ransomware operation told its affiliates.

If the private key was stored on that server so the gang could pay out its
affiliates, the FBI may have recovered it when law enforcement seized the
server.

Deputy Attorney General Lisa O. Monaco said this is the first operation of
its kind conducted by the recently launched Ransomware and Digital
Extortion Task Force.

"The seizure announced today was conducted as part of the Department’s
recently launched Ransomware and Digital Extortion Task Force, which was
established to investigate, disrupt and prosecute ransomware and digital
extortion activity. This is the Task Force’s first operation of this kind."

This recovery may be the first time the US government has publicly stated
that it recovered a ransom payment made to a ransomware operation.