U.S. recovers $2.3M in bitcoin paid
A sign warns consumers of the availability of gasoline at a RaceTrac gas station on May 11, 2021 in Smyrna, Georgia.
WASHINGTON – U.S. law enforcement officials announced Monday they were able to get back $2.3 million in bitcoin paid to a cybercriminal group involved in the crippling ransomware attack on the Colonial Pipeline.
“Today we turned the tables on DarkSide,” said Lisa Monaco, Assistant Attorney General for the Justice Department, during a press conference, adding that the money was seized by court order.
FBI Deputy Director Paul Abbate, along with Monaco, stated that agents were able to identify a virtual wallet that the DarkSide hackers used to collect payments from the Colonial Pipeline.
“With the help of law enforcement agencies, sacrificial funds were confiscated from this wallet, preventing DarkSide actors from using it,” Abbate said.
The FBI declined to say exactly how it accessed the Bitcoin wallet, citing the need to protect tradecraft.
But Elvis Chan, the assistant special agent in charge, told reporters that even overseas cybercriminals like DarkSide typically use American infrastructure at some point in the course of a crime. When they do, it gives the FBI a legal window to reclaim the funds.
DarkSide operates on a “ransomware as a service” business model, which means that its hackers develop and market ransomware tools and sell them to other criminal “partners” who then carry out attacks.
It is still unclear who DarkSide’s partners were in the attack on the Colonial Pipeline.
U.S. Assistant Attorney General Lisa Monaco announces the recovery of millions of dollars worth of cryptocurrency from the ransomware attacks on Colonial Pipeline Co. during a press conference with FBI Assistant Director Paul Abbate and Acting U.S. Attorney for the Northern District of California Stephanie Hinds at the Department of Justice in Washington, June 7, 2021.
Last month, DarkSide launched a widespread ransomware attack on Colonial Pipeline. The cyberattack forced the company to shut down an American fuel pipeline approximately 5,500 miles long, causing fuel disruption on the east coast and gasoline shortages in the southeast.
Ransomware attacks involve malware that encrypts files on a device or network, causing the system to become inoperable. Criminals behind such cyber attacks usually demand a ransom in exchange for releasing data.
Colonial Pipeline paid the hackers nearly $5 million in ransom, a source familiar with the situation confirmed to CNBC. It wasn’t immediately clear when the transaction took place.
The FBI previously warned victims of ransomware attacks that paying a ransom could encourage further malicious activity.
The government has stopped short of banning ransomware payments altogether, fearing that a ban would have little impact on whether or not companies pay ransom and would simply stop them from reporting attacks.
The public announcement was part of a broader effort to address longstanding reluctance by the private sector to publicly report cyberattacks and to involve the government in their responses.
“The message here today is that [if you report the attack], we will use all our tools to prosecute these criminal networks,” said Monaco.
Officials stressed the benefits of companies reporting cyber violations quickly to the FBI.
“Not only can victim reporting provide us with the information we need to have an immediate impact on actors in the real world … it can also prevent future harm,” Abbate said.
“The private sector also plays an equally important role, and we must continue to take cyber threats seriously and invest accordingly to strengthen our defenses,” said Joseph Blount, CEO of Colonial Pipeline, in a statement on Monday evening.
“As our investigation into this event continues, Colonial will continue to be transparent about sharing information and intelligence with the FBI and other federal agencies,” he said.
Following the DarkSide attack, President Joe Biden told reporters that the US currently has no information linking the group’s ransomware attack to the Russian government. However, the attack is said to have originated from a criminal organization in Russia.
“So far there is no evidence from our intelligence officers that Russia is involved, although there is evidence that the actor’s ransomware is in Russia. They have a certain responsibility to deal with it,” Biden said on May 10. He added that he discussed the situation with Russian President Vladimir Putin.
The two heads of state and government are due to meet in Geneva on June 16.
The Kremlin has denied that it launched cyberattacks against the US.
“The message from the president will be that responsible states do not harbor ransomware criminals and that responsible countries must act decisively against these ransomware networks,” said White House press secretary Jen Psaki before the summit.
The Biden government is also putting pressure on the private sector to strengthen its defenses against ransomware.
“All organizations need to recognize that no company is safe from ransomware attacks, regardless of size or location,” wrote Anne Neuberger, assistant national security advisor for cyber and new technologies, in a June 2 memo.
“To understand your risk, executives should immediately convene their leadership teams to discuss the ransomware threat and review the company’s security and business continuity plans to ensure you can continue operations or quickly recover,” she added.
At the same time, the White House is looking at how cybersecurity protocols and banking laws can be modernized to respond to cryptocurrency and its growing role in financial crime, from ransomware to corruption.
The proliferation of cryptocurrencies in crimes such as ransomware attacks has also caught the attention of lawmakers on Capitol Hill.
“We have a high need for cash in our country, but we have not found out in the country or in the world how to trace cryptocurrencies,” Missouri GOP Sen. Roy Blunt said on NBC’s “Meet the Press” program on Sunday.
“You can’t trace the ransomware – ransom payment of choice now. And we have to do a better job here,” he added.