
Ransomware Seizure: Blockchain Analysis Helps US Authorities Seize Over $2 Million in DarkSide Ransom Paid by Colonial Pipeline

Colonial Pipeline Ransomware Recovery

On June 7, 2021, the US Department of Justice announced that they had seized 63.69 BTC of the 75 BTC ransom Colonial Pipeline had paid to DarkSide. This ransom recovery is the first undertaken by the recently created DOJ Ransomware and Digital Extortion Task Force.

While the FBI was able to recover about 85% of the bitcoin paid to DarkSide, this only accounts for roughly half of the USD equivalent initially paid, due to a fall in the price of bitcoin since the ransom payment. The remaining 11.3 BTC remained in a different address controlled by DarkSide or a DarkSide affiliate, depicted in the graphic below. Based on an analysis of the flow of funds and DarkSide’s operation as a Ransomware-as-a-Service (RaaS) model, the unseized funds could be those held by the DarkSide operators, while the seized funds were those held by the RaaS affiliates that conducted the hack. It is common practice for ransomware operators to take a 15-30% cut of the ransom, leaving the RaaS affiliates (those that conduct the attack) with the remainder.

Graphic: Colonial Pipeline and Brenntag Ransomware Payments

The 63.69 BTC recovered today appear to have been seized via direct access to the ransomware actor’s wallet, as indicated in the seizure warrant by its reference to the FBI’s control of the private key, and not through an exchange, which is the more typical route for asset recovery.

The DarkSide operators consolidated the remainder of the Colonial Pipeline funds with multiple other ransom payments, including that of global chemical distribution company Brenntag, which had been attacked just days earlier. This consolidation of 107.8 BTC of DarkSide funds has not been seized by the DOJ as of yet, and the funds have been dormant since May 13.

According to the DarkSide Seizure Warrant, the Cyber Crimes Squad of the FBI’s San Francisco Field Division used blockchain analysis to determine the flow of the Colonial Pipeline ransom payment. In this warrant, the FBI also announced that it was in possession of the private key for the cryptocurrency address holding 63.7 BTC directly traceable to the Colonial Pipeline ransom payment. This private key was likely obtained as a result of the seizure of DarkSide servers on or around May 13, as reported in messages sent to affiliates of the DarkSide RaaS operation.

The seizure of cryptocurrency by direct, physical access to the wallet is not common. In order to seize crypto, law enforcement must have access to the private key, or have access to an individual who can access the private key. This is why most crypto is seized either via an exchange, since exchanges hold the private keys, or after an arrest of an individual that has a wallet on them or amongst their belongings.

Colonial Pipeline Ransomware Attack

On May 7, 2021, Russia-based cybercrime group DarkSide attacked the Colonial Pipeline—part of the critical infrastructure sector of the United States. As part of the ransomware attack, DarkSide actors encrypted devices on the network and stole unencrypted files, threatening to release them to the public if the company failed to pay. According to blockchain analysis, the next day Colonial Pipeline paid the 75 BTC ransom, worth more than $4.2 million at the time. Following the attack, the White House issued an executive order on improving US cybersecurity against “persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.”

Brenntag Ransomware Attack

Four days after the Colonial Pipeline attack, global chemical distribution company Brenntag suffered a ransomware attack that targeted their North America division. On May 11 the company paid 78.5 BTC, worth roughly $4.4 million at the time, to the ransomware operators. Similar to the Colonial Pipeline attack, as part of this attack, DarkSide actors encrypted devices on the network and stole unencrypted files. However, unlike Colonial Pipeline, Brenntag funds have not yet been recovered.

What is Ransomware-as-a-Service?

DarkSide is a Ransomware-as-a-Service (RaaS) operation. In the RaaS model, the malware developers partner with third-party affiliates, or hackers, who are responsible for gaining access to a network, encrypting devices, and negotiating the ransom payment with the victim. As a result of this relatively new model, ransomware can now be easily used by bad actors who lack the technical capability to create the malware themselves but are more than willing and able to infiltrate a target.

Ransom payments are then split between the affiliate and the operator (developer). This split between the ransomware operator and the affiliate who caused the infection is often a telltale sign of a Ransomware-as-a-Service model. In most RaaS models, the split is 15-30% to the operator and 70-85% to the affiliate.

Combating Ransomware—What’s Next?

The rapid growth of ransomware-as-a-service operations like NetWalker and DarkSide has become a lucrative business for threat actors. These recent attacks against critical infrastructure prove that ransomware doesn’t only impact individuals. This is why on June 3 the Justice Department released a Memorandum for All Federal Prosecutors announcing that prosecutors must now report ransomware incidents in the same way they report critical threats to national security. In order to adequately counter ransomware, information sharing is key. In mid-June, RaaS operator REvil announced it had updated its ethos and its expected behavior for consideration in choosing ransomware victims, such as deeming schools and hospitals off-limits for attacks. This updated methodology was most likely an effort to lower REvil’s profile so as not to become a priority target for the US DOJ.

Blockchain analytics provides the critical cryptocurrency intelligence needed to trace ransomware actors. Only by working together through groups like the Ransomware Task Force can cryptocurrency intelligence firms counter these transnational threat actors. It is crucial not only to trace ransomware proceeds to find and stop the operators, but also to harden systems and educate the public on how these compromises occur in order to properly mitigate disruption. Incident response firms have vast databases of ransom payments from their clients; identifying and tracking these funds can aid in building a full profile of a ransomware group.

Because ransomware actors use public blockchains for receiving payments, all transactions can be viewed on the chain, enabling law enforcement (or anyone) to trace the flow of funds. Utilizing a blockchain analytics tool like CipherTrace Inspector adds further intelligence to the trace and investigation, such as identifying when the funds have been deposited into an exchange. Once the funds reach a centralized exchange, law enforcement can stop the movement of funds by requesting that the exchange freeze the account and, if users had to undergo a KYC process, it could be possible to identify the individual behind the address.
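To make the two analytic steps described above concrete (forward-tracing a ransom payment across later transactions, and spotting the 15-30% operator cut that marks a RaaS split), here is an added example that is not CipherTrace's or the FBI's code. The transaction graph, address labels and the 58.9 / 19.6 / 76.9 BTC figures are constructed to mirror the flow the post describes; they are not real chain data, and any gap between a transaction's inputs and outputs is treated as the miner fee.

```python
from collections import defaultdict

# Constructed transaction graph (not real chain data): (txid, input addrs, outputs).
# Every input address is spent in full; inputs minus outputs is the miner fee.
TXS = [
    ("tx_colonial_pay", ["victim_colonial"], [("ds_receive_a", 75.0)]),
    ("tx_split_a", ["ds_receive_a"], [("affiliate_a", 63.69), ("operator_a", 11.3)]),
    ("tx_brenntag_pay", ["victim_brenntag"], [("ds_receive_b", 78.5)]),
    ("tx_split_b", ["ds_receive_b"], [("affiliate_b", 58.9), ("operator_b", 19.6)]),
    ("tx_other_pay", ["victim_other"], [("operator_other", 76.9)]),
    ("tx_consolidate", ["operator_a", "operator_b", "operator_other"], [("ds_treasury", 107.8)]),
]

def trace(txs, origin, amount):
    """Pro-rata forward taint: follow one ransom payment through later transactions.
    Returns (hop list, final tainted balances per address)."""
    balance, taint = defaultdict(float), defaultdict(float)
    balance[origin] = taint[origin] = amount
    hops = []
    for txid, ins, outs in txs:            # txs must be in chronological order
        total_in = sum(balance[a] for a in ins)
        tainted_in = sum(taint[a] for a in ins)
        fraction = tainted_in / total_in if total_in else 0.0
        for a in ins:                      # inputs are consumed entirely
            balance[a] = taint[a] = 0.0
        for addr, value in outs:
            balance[addr] += value
            if fraction:                   # each output inherits its pro-rata share
                taint[addr] += value * fraction
                hops.append((txid, addr, round(value * fraction, 8)))
    return hops, {a: round(t, 8) for a, t in taint.items() if t > 1e-8}

def raas_split(tx, low=0.15, high=0.30):
    """Flag a two-way split whose smaller leg matches the 15-30% operator cut
    typical of RaaS; returns (address, share) or None."""
    _, _, outs = tx
    if len(outs) != 2:
        return None
    addr, small = min(outs, key=lambda o: o[1])
    share = small / sum(v for _, v in outs)
    return (addr, round(share, 3)) if low <= share <= high else None

if __name__ == "__main__":
    hops, final = trace(TXS, "victim_colonial", 75.0)
    for hop in hops:
        print("hop:", hop)
    print("Colonial-tainted BTC now at:", final)
    for tx in TXS:
        flag = raas_split(tx)
        if flag:
            print(f"{tx[0]}: likely operator cut {flag[1]:.1%} to {flag[0]}")
```

The trace ends with 63.69 BTC sitting at the affiliate address and 11.3 BTC of Colonial-tainted value inside the 107.8 BTC consolidation, which is the picture the post draws; on real data the same pro-rata rule is what lets an analyst say how much of a mixed balance is attributable to one victim.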
