DarkSide had targeted Colonial Pipeline, resulting in critical infrastructure being taken out of operation.
The Department of Justice today announced that it has seized 63.7 bitcoins currently valued at approximately US$2.3 million. These funds allegedly represent the proceeds of a May 8, ransom payment to individuals in a group known as DarkSide, which had targeted Colonial Pipeline, resulting in critical infrastructure being taken out of operation. The seizure warrant was authorized earlier today by the Honorable Laurel Beeler, U.S. Magistrate Judge for the Northern District of California.
“Following the money remains one of the most basic, yet powerful tools we have,” said Deputy Attorney General Lisa O. Monaco for the U.S. Department of Justice. “Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises. We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks. Today’s announcements also demonstrate the value of early notification to law enforcement; we thank Colonial Pipeline for quickly notifying the FBI when they learned that they were targeted by DarkSide.”
“There is no place beyond the reach of the FBI to conceal illicit funds that will prevent us from imposing risk and consequences upon malicious cyber actors,” said FBI Deputy Director Paul Abbate. “We will continue to use all of our available resources and leverage our domestic and international partnerships to disrupt ransomware attacks and protect our private sector partners and the American public.”
“Cyber criminals are employing ever more elaborate schemes to convert technology into tools of digital extortion,” said Acting U.S. Attorney for the Northern District of California Stephanie Hinds. “We need to continue improving the cyber resiliency of our critical infrastructure across the nation, including in the Northern District of California. We will also continue developing advanced methods to improve our ability to track and recover digital ransom payments.”
On or about May 7, Colonial Pipeline was the victim of a highly publicized ransomware attack resulting in the company taking portions of its infrastructure out of operation. Colonial Pipeline reported to the FBI that its computer network was accessed by an organization named DarkSide and that it had received and paid a ransom demand for approximately 75 bitcoins.
As alleged in the supporting affidavit, by reviewing the Bitcoin public ledger, law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim’s ransom payment, had been transferred to a specific address, for which the FBI has the “private key,” or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address. This bitcoin represents proceeds traceable to a computer intrusion and property involved in money laundering and may be seized pursuant to criminal and civil forfeiture statutes.
The Special Prosecutions Section and Asset Forfeiture Unit of the U.S. Attorney’s Office for the Northern District of California is handling the seizure, with significant assistance from the Department of Justice Criminal Division’s Money Laundering and Asset Recovery Section and Computer Crime and Intellectual Property Section, and the National Security Division’s Counterintelligence and Export Control Section. The Department components who worked on this seizure coordinated their efforts through the Department’s Ransomware and Digital Extortion Task Force, which was created to combat the growing number of ransomware and digital extortion attacks.
The Task Force prioritises the disruption, investigation, and prosecution of ransomware and digital extortion activity by tracking and dismantling the development and deployment of malware, identifying the cybercriminals responsible, and holding those individuals accountable for their crimes. The Task Force also strategically targets the ransomware criminal ecosystem as a whole and collaborates with domestic and foreign government agencies as well as private sector partners to combat this significant criminal threat.
In early May the largest pipeline system for refined oil products in the U.S, Colonial Pipeline, was a victim of a ransomware attack. The attack halted systems for its 550 miles of pipeline, causing fuel shortages in some areas of the East Coast and a rise in the national price of gasoline.
DarkSide, the Russian ransomware criminal group, was responsible for the attack, which crimped the supply of gasoline, diesel, and jet fuel. It was also reported that Colonial Pipeline paid the almost $5M in ransom to this criminal group. We have seen attacks like this before, such as with the WannaCry that happened in 2017 which hit 150 countries, but this attack was one of the largest of its kind in the US and we are now at a point, again, to rethink what measures need to be taken to prevent attacks against critical infrastructure.
Ransomware and targeted attacks are nothing new of course. According to IDC’s Key Findings: 2020 U.S. Managed Security Services (MSS)/Managed Detection and Response (MDR) Survey Results, data breaches, targeted attacks and malware are top concerns for respondents surveyed. Close to 25% of organizations have stated a per data breach cost of $10k –$20k, with more than a third experiencing more than 16 breaches within the past 1- 2 years. We know that these types of attacks can lead to massive impacts on business operations, reputation and produce hefty fines.
According to Mcafee’s latest security report, ransomware is one of the fastest growing areas for cybercrime. During the COVID-19 pandemic, ransomware attacks in general have increased 148% from the baseline levels reported in February 2020. The report also added that one of the most concerning trends in ransomware is the shift towards targets in the manufacturing industry. Local governments, airports, schools, and health care facilities that are all dependent on critical services have been victims of ransomware, stated in a blog about the the hack’s regulatory effects by IDC analyst Martha Vazquez.
As a result of these new key initiatives, service providers are positioned in an optimum position to assist organizations in tightening up their security practices:
- Sharing of threat Information. By creating a standard for the sharing of threat intelligence, service providers are able to collect more in-depth information around security events, detection, response, and investigative information, therefore creating consistency across the board. Service Providers can leverage this information in assisting clients in creating and developing incident response plans and incident notification procedures.
- Implementing new modernized technologies. Organizations are moving to the cloud faster than ever before. Service providers need to be prepared to help clients in investing in new technologies which include a Zero Trust architecture and adopting security best practices. Service providers can take the opportunity to guide the client in their security journey and act as a trusted advisor to help their clients to reach their optimum security goals.
- Enhancement to security software. MSSPs and other security providers are big targets to the cyber criminal groups that seek to infiltrate security providers to gain access to their clients. In addition to tightening their own DevSecOps methodologies, providers also need to keep track of the embedded software that they utilize to make sure that they are not conduits to enriching cyber criminals.
- Improvements in EDR systems. With the need for better detection and response mechanisms, companies are encouraged to move forward with implementing EDR solutions. From a service provider perspective, clients will need more help in managing detection and response (MDR) offerings. With the increase deployment of MDR and EDR, organizations are expected to service providers for further guidance as they start to also work on improving their incident response and remediation tactics.