On June 7, 2021, the US Department of Justice announced that they had managed to seize 63.69 BTC (valued at around $2.5 million) of the 75 BTC ransom Colonial Pipeline was forced to pay to DarkSide. This ransom recovery is notably the very first undertaken by the recently formed DOJ Ransomware and Digital Extortion Task Force.
Although the Federal Bureau of Investigation (FBI) was able to recover around 85% of the BTC that was paid out to DarkSide, this accounts for just half of the USD-equivalent that had initially been paid “due to a fall in the price of bitcoin since the ransom payment,” the CipherTrace team noted in a blog post while pointing out that the remaining 11.3 BTC “remained in a different DarkSide or DarkSide affiliate controlled address.”
According to an analysis of the flow of funds (shared by CipherTrace) and DarkSide’s operation as a Ransomware-as-a-Service (RaaS) model, the unseized funds could be “held by DarkSide operators while the funds seized were those held by the RaaS affiliates that conducted the hack.” As noted by the blockchain security firm, it’s common practice for ransomware operators to “take a 15-30% cut of the ransom, leaving the RaaS affiliates (those that conduct the attack) with the remainder.”
The CipherTrace update further noted that the 63.69 BTC funds recovered seem to have been seized through “direct access to the ransomware actor’s wallet, as indicated in the seizure warrant by referencing FBI’s control of the private key, and not through an Exchange which is more typical of asset recovery.”
The CipherTrace report further revealed that the Darkside operators “consolidated the remainder of the Colonial Pipeline funds with multiple other ransom payments, including with that of global chemical distribution company Brenntag, which had been attacked just days earlier.” They added that this consolidation of 107.8 BTC of DarkSide funds were “not seized by the DOJ as of yet, and have been dormant since May 13.”
As noted by CipherTrace:
“According to the DarkSide Seizure Warrant, the Cyber Crimes Squad of the FBI’s San Francisco Field Division used blockchain analysis to determine the Colonial Pipeline ransom payment funds flow. In this warrant, the FBI also announced that they were in possession of the private key for the cryptocurrency address linked to 63.7 BTC directly traceable to the Colonial Pipeline ransom payment. These private keys were likely obtained as a result of the recent seizure of DarkSide servers on or around May 13, as reported by messages sent to affiliates of the DarkSide RaaS operation.”
The seizure of virtual currency by direct, physical access to the wallet is “not common,” CipherTrace confirmed while adding that to actually seize crypto, law enforcement agencies need to have access to the private key, or have access to “an individual who can access the private key.” This is why most crypto is “seized either via an exchange, since exchanges hold the private keys, or after an arrest of an individual that has a wallet on them or amongst their belongings.”
The CipherTrace team also noted that on May 7, 2021, Russia-headquartered cybercrime outfit DarkSide had attacked Colonial Pipeline, which is part of the “critical infrastructure” sector of the US.
As part of the ransomware attack, DarkSide actors “encrypted devices on the network and stole unencrypted files, threatening to release them to the public if the company failed to pay.” According to blockchain analysis, the next day Colonial Pipeline “paid the 75 BTC ransom, worth more than $4.2 million at the time.”
As noted by CipherTrace:
“Following the attack, the White House issued an executive order on improving US cybersecurity against ‘persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.’”
CipherTrace also mentioned that 4 days after the Colonial Pipeline attack, global chemical distribution company Brenntag “suffered a ransomware attack that targeted their North America division.”
On May 11 the company “paid 78.5 BTC, worth roughly $4.4 million at the time, to the ransomware operators,” CipherTrace noted while adding that similar to the Colonial Pipeline attack, “as part of this attack, DarkSide actors encrypted devices on the network and stole unencrypted files.”
But unlike Colonial Pipeline, Brenntag funds have “not yet been recovered,” CipherTrace confirmed.
As noted by CipherTrace, DarkSide is a Ransomware-as-a-Service (RaaS) operation. In RaaS models, “the malware developers partner with third-party affiliates, or hackers, who are responsible for gaining access to a network, encrypting devices, and negotiating the ransom payment with the victim.”
As a result of this relatively new model, ransomware can now be “easily used by bad actors who lack the technical capability to create the malware themselves but are more than willing and able to infiltrate a target,” the CipherTrace team explained.
“Ransom payments are then split between the affiliate and the operator (developer). This split between ransomware operators and the affiliate who caused the infection is often a telltale sign of Ransomware-as-a-Service models. In most RaaS models, this split is between 15-30% to the operator and 70-85% to the affiliate.”
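The funds-flow analysis described in the warrant quote and the operator/affiliate split described here can be illustrated with a small forward-tracing routine. The following is an added example, not CipherTrace’s tooling or anything from the article; it runs over a constructed ledger in which txids and addresses are placeholders, the amounts for the Colonial Pipeline payment (75 BTC, split into 63.69 BTC and 11.3 BTC), the Brenntag payment (78.5 BTC) and the consolidated balance (107.8 BTC) are taken from the article, and the “other ransoms” lump and the Brenntag split ratio are invented to make the totals line up. It follows one victim’s payment forward until it reaches unspent outputs, flags a two-way split whose minor share falls in the 15-30% operator band, separates terminal balances into seized and unseized, and reports where the flow was commingled with other inputs.

```python
from collections import deque
from dataclasses import dataclass

# Operator share of a ransom under typical RaaS terms, as quoted in the article.
OPERATOR_CUT = (0.15, 0.30)


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple   # (txid, vout) outpoints this transaction spends
    outputs: tuple  # (address, amount_btc) outputs this transaction creates


# Constructed ledger: placeholder ids and addresses. Colonial/Brenntag/107.8 figures
# come from the article; the 80.8 BTC "other ransoms" input and the Brenntag split
# ratio are invented so the consolidation sums to the quoted 107.8 BTC.
LEDGER = (
    Tx("tx_colonial_pay", (("victim_funding", 0),), (("addr_intake_c", 75.0),)),
    Tx("tx_colonial_split", (("tx_colonial_pay", 0),),
       (("addr_affiliate_c", 63.69), ("addr_operator", 11.30))),
    Tx("tx_brenntag_pay", (("victim_funding", 1),), (("addr_intake_b", 78.5),)),
    Tx("tx_brenntag_split", (("tx_brenntag_pay", 0),),
       (("addr_affiliate_b", 62.8), ("addr_operator", 15.7))),
    Tx("tx_other_ransoms", (("victim_funding", 2),), (("addr_operator", 80.8),)),
    Tx("tx_consolidate",
       (("tx_colonial_split", 1), ("tx_brenntag_split", 1), ("tx_other_ransoms", 0)),
       (("addr_operator_cold", 107.8),)),
)

# Addresses whose keys were recovered (constructed: the affiliate share of Colonial).
SEIZED_ADDRESSES = {"addr_affiliate_c"}


def index(ledger):
    """Return (txid -> Tx, outpoint -> txid that spends it)."""
    by_id = {tx.txid: tx for tx in ledger}
    spent_by = {op: tx.txid for tx in ledger for op in tx.inputs}
    return by_id, spent_by


def classify_split(tx):
    """Flag a two-output tx whose smaller output sits in the RaaS operator band."""
    if len(tx.outputs) != 2:
        return None
    total = sum(amount for _, amount in tx.outputs)
    minor, major = sorted(tx.outputs, key=lambda o: o[1])
    share = minor[1] / total
    if OPERATOR_CUT[0] <= share <= OPERATOR_CUT[1]:
        return {"operator": minor, "affiliate": major, "operator_share": round(share, 3)}
    return None


def trace(ledger, txid, vout):
    """Follow one output forward until every branch ends in an unspent output.

    Returns (spending txids in visit order, terminal (address, amount) outputs).
    """
    by_id, spent_by = index(ledger)
    visited, terminals, seen = [], [], set()
    queue = deque([(txid, vout)])
    while queue:
        outpoint = queue.popleft()
        if outpoint in seen:
            continue
        seen.add(outpoint)
        spender = spent_by.get(outpoint)
        if spender is None:                      # unspent: a terminal balance
            terminals.append(by_id[outpoint[0]].outputs[outpoint[1]])
            continue
        visited.append(spender)
        for i in range(len(by_id[spender].outputs)):
            queue.append((spender, i))
    return visited, terminals


def seizure_summary(ledger, txid, vout, seized_addresses):
    """Seized vs. unseized terminal balances, RaaS-like splits, commingling points."""
    by_id, _ = index(ledger)
    visited, terminals = trace(ledger, txid, vout)
    seized = sum(a for addr, a in terminals if addr in seized_addresses)
    unseized = sum(a for addr, a in terminals if addr not in seized_addresses)
    splits = {t: classify_split(by_id[t]) for t in visited if classify_split(by_id[t])}
    # A tx with several inputs merges this victim's funds with other sources, so
    # the terminal balance downstream of it is no longer attributable to one payment.
    commingling = {t: len(by_id[t].inputs) for t in visited if len(by_id[t].inputs) > 1}
    return {"seized": round(seized, 2), "unseized": round(unseized, 2),
            "raas_splits": splits, "commingling": commingling}


if __name__ == "__main__":
    print(seizure_summary(LEDGER, "tx_colonial_pay", 0, SEIZED_ADDRESSES))
```

Note that the unseized figure reported for the Colonial flow is the whole 107.8 BTC consolidated balance, not the 11.3 BTC operator cut: once the operator’s share is merged with other victims’ payments in one transaction, forward tracing can only say that the victim’s funds are somewhere in that pool, which is exactly why the summary also reports the commingling point.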
They also noted that the rapid growth of ransomware-as-a-service operations such as NetWalker and DarkSide has become a “lucrative business for threat actors.” These recent attacks against critical infrastructure “prove that ransomware doesn’t only impact individuals,” CipherTrace noted while adding that this is why on June 3 the Justice Department released a Memorandum for All Federal Prosecutors announcing prosecutors “must now report ransomware incidents in the same way we report critical threats to our national security.”
To properly counter ransomware, information sharing is “key,” CipherTrace noted while pointing out that in mid-June, RaaS operator REvil announced it had “updated its ethos and their expected behavior for consideration in choosing ransomware victims, such as deeming schools and hospitals off-limits for attacks.”
This updated methodology was “most likely an effort to lower the REvil profile so as not to become a priority target for US DOJ,” CipherTrace claims.