Officials from the Department of Justice (DOJ) confirmed on June 7th 2021 that close to 85% (63.7 BTC) of the $4.3 million (75 BTC) ransom paid after the ransomware attack on Colonial Pipeline has been recovered. The news comes a month after the Darkside ransomware group attacked a major fuel pipeline that delivers gasoline, jet fuel, diesel and other products to 17 states. The Federal Bureau of Investigation (FBI) claims it traced the ransom as the group moved the funds between wallets, and later gained access to the private key of one of those wallets, through which it was able to recover the funds.
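The article describes the ransom being followed "as the group moved funds around" but says nothing about the method. The block below is an added illustration, not code from the article or from any law-enforcement tool, of the basic idea behind such tracing: proportional ("haircut") taint analysis over a transaction ledger. The ledger, the address names and the split amounts are all constructed for the example; the 75 BTC payment and the 63.7 BTC that ends up in a single wallet are chosen to mirror the figures in the article, and the percentage the script reports is just that ratio.

```python
from fractions import Fraction
from collections import defaultdict

SAT = 100_000_000  # satoshis per BTC

# Constructed toy ledger (not real chain data). Each transaction spends from
# input addresses and pays output addresses; all amounts are in satoshis.
TRANSACTIONS = [
    # ransom payment from the victim to the address named in the ransom note
    {"txid": "tx1",
     "inputs": [("victim_wallet", 75 * SAT)],
     "outputs": [("ransom_address", 75 * SAT)]},
    # the operator splits the payment into an affiliate cut and its own share
    {"txid": "tx2",
     "inputs": [("ransom_address", 75 * SAT)],
     "outputs": [("affiliate_cut", 1_130_000_000), ("operator_hop1", 6_370_000_000)]},
    # the operator consolidates its share with unrelated coins into one wallet
    {"txid": "tx3",
     "inputs": [("operator_hop1", 6_370_000_000), ("unrelated_coins", 10 * SAT)],
     "outputs": [("consolidation_wallet", 7_370_000_000)]},
]


def trace_taint(transactions, origin_address, origin_amount):
    """Follow coins forward through the ledger using proportional ('haircut')
    taint: when a transaction mixes tainted and clean inputs, every output
    inherits the tainted fraction of the total input value.

    Transactions must be in chronological order. Addresses are treated as
    simple balances rather than individual UTXOs (a simplification).
    Returns {address: tainted satoshis currently held at that address}.
    """
    taint = defaultdict(Fraction)
    taint[origin_address] = Fraction(origin_amount)
    for tx in transactions:
        total_in = sum(amt for _, amt in tx["inputs"])
        tainted_in = Fraction(0)
        for addr, amt in tx["inputs"]:
            # an input can carry no more taint than the address currently holds
            moved = min(taint[addr], Fraction(amt))
            taint[addr] -= moved
            tainted_in += moved
        if tainted_in == 0 or total_in == 0:
            continue  # nothing of interest flows through this transaction
        share = tainted_in / total_in
        for addr, amt in tx["outputs"]:
            taint[addr] += share * amt
    return {addr: val for addr, val in taint.items() if val > 0}


def recovered_share(taint, address, ransom_amount):
    """Fraction of the original ransom attributable to a single address."""
    return float(taint.get(address, 0) / ransom_amount)


if __name__ == "__main__":
    result = trace_taint(TRANSACTIONS, "victim_wallet", 75 * SAT)
    for addr, sat in sorted(result.items()):
        print(f"{addr:22s} {float(sat) / SAT:8.2f} BTC tainted")
    pct = recovered_share(result, "consolidation_wallet", 75 * SAT)
    print(f"share of ransom held in consolidation_wallet: {pct:.1%}")
```

Running it shows 63.7 BTC of taint arriving in `consolidation_wallet` (about 84.9% of the ransom) and 11.3 BTC at `affiliate_cut`, while the 10 BTC of unrelated coins mixed in at tx3 dilute the wallet's tainted fraction rather than adding to it. Real investigations work over UTXOs instead of address balances and contend with mixers, exchanges and far larger graphs, but the proportional rule shown here is the core of the approach.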
BACKGROUND ON THE COLONIAL PIPELINE CASE
On May 7th 2021, a pipeline in the United States was shut down after its operator discovered it was under a ransomware attack. The pipeline, owned by Colonial Pipeline, runs from Texas to New Jersey and is one of the largest pipelines in the US. The FBI later confirmed that the attack was carried out by the Darkside ransomware group. This group was first observed in August of the previous year, and is credited with being the first ransomware group to offer non-public information about public companies for use in stock trades.
After confirmation that Darkside was behind the ransomware attack on Colonial Pipeline, the FBI put out a statement saying that it was working on the investigation. US President Joe Biden also said in several statements that the authorities were working to disrupt the group's entire operation.
Following the President's statement, the ransomware's main operator, Darksupp, claimed that the group had lost access to its payment servers and that the ransom funds had been transferred to an unknown wallet.
WHAT WE KNOW
Deputy Attorney General Lisa Monaco has now revealed that this was the first major case handled by the newly formed "Ransomware and Digital Extortion Task Force", which was created for exactly this purpose. The task force is committed to stopping future attacks of this kind and to treating such incidents as threats to national security. This has been a long time coming, especially after another high-profile attack on JBS Foods caused similar disruptions.
The seriousness of the Colonial Pipeline attack is underlined by the fact that a national emergency was declared because of the fuel supply disruption across the entire East Coast of the US. In a press conference, President Biden said that the group reportedly resides in Russia but explicitly ruled out the involvement of the Russian Government. He also mentioned:
“We have been in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks”
All of the above actions were taken on the basis of violations of several US statutes, namely Unauthorized Access to a Protected Computer to Obtain Information [Title 18, U.S.C. Section 1030(a)(2)(C)], Intentional Damage to a Protected Computer [Title 18, U.S.C. Section 1030(a)(5)(A)], Extortion Involving Computers [Title 18, U.S.C. Section 1030(a)(7)], and others. However, it is still not clear how the FBI obtained the private key to the wallet. In the affidavit submitted in support of the application for a seizure warrant, paragraph 34 states only that the private key is in the possession of the FBI; there is no mention of whether it was obtained directly from the ransomware group or from a third party.
Ransomware attacks have been on the rise, especially after the Colonial Pipeline and JBS Foods cases. The White House National Security Council has advised companies to be on high alert and to safeguard their networks. Data has never been more at risk, with new ransomware groups emerging every day. Darkside is relatively new compared with older names like REvil and Avaddon, yet it was able to cause disruption on this scale. Every company must make sure that its servers and networks are properly protected in order to prevent such attacks in the future.